Forum Discussion
Need iRule to block the traffic for specific URL
Hello
Can somebody help on this please?
I have LTM appliance & Virtual server 'https://www100.test.com' hosted.
The requirement I have is to block all the traffic destined to one of the applications, 'https://www100.test.com/ce'. Is this something achievable by iRule? If so, do you have any idea on the iRule?
Would appreciate it if somebody can help.
Have seen this - https://support.f5.com/csp/article/K74012450 but that is looking too complex to me.
Thanks
- zahranaNimbostratus
Below is fine and tested
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] eq "example.com" && [string tolower [HTTP::uri]] eq "/news" } {
        HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body></html>" "Content-Type" "text/html"
    }
}
Hi James,
The provided example in K74012450 allows you to block certain URIs for external IPs. It's probably not the right (too complex) solution if you want to block access to a given URI for all clients.
Depending on how the "block" action should be you may use one of the iRule snippets below:
Intercept the Request and send HTTP 403 "Access Denied" response to the User-Agent:
when HTTP_REQUEST {
    if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
        HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body></html>" "Content-Type" "text/html"
    }
}
Intercept the Request and redirect the User-Agent to a custom error page or landing URL:
when HTTP_REQUEST {
    if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
        HTTP::respond 302 "Location" "/error_page.html"
    }
}
If the block list gets more complex (e.g. more entries) you may need a different technique to filter URLs. Also keep in mind that the block list in my examples is filtering requests to "www100.test.com/ce*". If your web application is also accessible via let's say "https://212.212.212.212/ce" then the filtering won't work. You may need to skip checking of the HOST-Name to make the black-listing more robust...
Cheers, Kai
- JamesB12Altocumulus
Thanks for that, should be OK with sending HTTP::respond 403
If I need to filter specific Source IPs, say from Whitelist1 Data group, allow it, block rest of it for the same URL "www100.test.com/ce". How do I match the condition with the below iRule?
when HTTP_REQUEST {
    if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
        HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body></html>" "Content-Type" "text/html"
    }
}
Thanks
Sounds like the piece you are looking for is a class match for the whitelist.
when HTTP_REQUEST {
    if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
        if { [class match [IP::client_addr] equals Whitelist1] } {
            log local0.info "TESTCE: Acceptable usage from [IP::remote_addr]"
        } else {
            HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body></html>" "Content-Type" "text/html"
            return
        }
    }
}
You can also have a pool selection with the log statement if the traffic goes to a specific pool. You can also just negate the "if" condition if you only want to action if the IP is not in the whitelist.
Scott
you could do something like this:
when HTTP_REQUEST {
    if { ([HTTP::host] eq "www100.test.com") and ([HTTP::path] eq "/ce") } {
        drop
    }
}
you could also, instead of eq "/ce" do starts_with "/ce" in case you have other URIs that start with "/ce" and you want to block them
- JamesB12Altocumulus
Thanks for that. I will give it a try.
If I need to filter specific Source IPs, say from Whitelist1 Data group, allow it, block rest of it for the same URL "www100.test.com/ce". How do I match the condition with the below iRule?
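Added example, not part of any post in this thread: one iRule that combines the points raised above, namely matching on the path alone so that a request using the IP address as Host is still covered, and negating the data group test so that only clients outside Whitelist1 are rejected. It assumes Whitelist1 already exists as an address-type data group; matching "/ce" and "/ce/..." rather than every path beginning with "/ce" is a choice made for this example.

```tcl
# Added example (not from the thread). Whitelist1 is the data group named in
# the question and is assumed to be an existing address-type data group.
when HTTP_REQUEST {
    # Match on the path only, so the rule still applies when the Host header
    # is an IP address or another name that reaches this virtual server.
    set path [string tolower [HTTP::path]]

    # "/ce" itself or anything below "/ce/". A bare starts_with "/ce" would
    # also match other paths that merely begin with those three characters.
    if { $path eq "/ce" || $path starts_with "/ce/" } {
        # Negated whitelist test: only clients outside Whitelist1 are rejected.
        if { ![class match [IP::client_addr] equals Whitelist1] } {
            # Record the rejection so blocked attempts show up in /var/log/ltm.
            log local0.info "CE blocked for [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body></html>" "Content-Type" "text/html"
            return
        }
    }
}
```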