
Forum Discussion

dgytech
Dec 03, 2015

Nested switch in HTTP_REQUEST/ignore case

I'm trying to create an iRule that only allows specific domain/URI but also allows specific wildcard directories (i.e. "/Images*") and ignores case. Example below works great for limiting the host/URI and ignoring case but switch does not work. I hope I can explain this clearly...

So my end goal would basically be...

https://XYZ.com/advocateprofileservice.svc = pool

https://XYZ.com/AdvocateProfileService.svc = pool

https://XYZ.com/internal/advocateprofileservice.svc = 403

https://XYZ.com/internal/AdvocateProfileService.svc = 403

https://XYZ.com/Images/test.jpg = PASS (currently not working)

https://XYZ.com/internal/Images/test.jpg = 403 (currently not working)

all else = 403

=====EXAMPLE=====

    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        switch [HTTP::host] {
            "XYZ.com" {
                switch -glob [HTTP::uri] {
                    "/Images*" {
                        pool XYZ_pool
                    }
                }
            }
        }
        if { [HTTP::host] equals "XYZ.com" and $uri equals "/advocateprofileservice.svc" or
             [HTTP::host] equals "XYZ.com" and $uri equals "/advocateprofileservice.svc?singlewsdl" or
             [HTTP::host] equals "XYZ.com" and $uri equals "/advocateservice.svc"} {
            pool XYZ_pool
        } elseif {[HTTP::host] equals "XYZ.com"} {
            HTTP::respond 403
        }
    }

1 Reply

  • Hi,

    the iRule below should solve it:
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if {[string tolower [HTTP::host]] equals "xyz.com"} {
            switch -glob [string tolower [HTTP::path]] {
                "/images*" -
                "/advocateprofileservice.svc"  {
                    pool xyz_pool
                    return
                }
                default {
                    HTTP::respond 403
                    return
                }
            }
        } else {
            HTTP::respond 403
            return
        }
    }
    

    Please see the wiki pages for switch regarding the syntax details.

    For testing you may want to use cURL directly on your BIG-IP as follows:
    curl -v -X HEAD -H "Host: xyz.com" "http:///images/test.jpg"
    curl -v -X HEAD -H "Host: xyz.com" "http:///internal/test.jpg"
    curl -v -X HEAD -H "Host: xyz.com" "http:///advocateprofileservice.svc"
    curl -v -X HEAD -H "Host: xyz.com" "http:///internal/advocateprofileservice.svc"
    

    Be aware that all changes to your iRule will affect new connections only. For testing with a browser you may want to close all open browser windows after applying a change to your iRule.

    Thanks, Stephan
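
The allowlist logic from the reply, modelled in plain Tcl so it can be checked with tclsh before loading an iRule; this is an added example, not code from either poster. The `decide` proc and the case table are constructed, and three things go beyond the reply as assumptions: `/advocateservice.svc` is allowed (it is in the question's original list), a port in the Host value is ignored, and the pattern is narrowed to `/images/*` so that a path such as `/imagesold/...` is refused.

```tcl
# Added example: plain-Tcl model of the allowlist, runnable in tclsh.
# "decide" is a hypothetical helper, not an iRule command.
proc decide {host uri} {
    # The Host header may carry a port ("xyz.com:443"); compare the name only.
    set host [string tolower [lindex [split $host ":"] 0]]
    # Model HTTP::path: drop the query string, then fold case.
    set path [string tolower [lindex [split $uri "?"] 0]]
    if {$host ne "xyz.com"} { return 403 }
    switch -glob -- $path {
        "/images/*" -
        "/advocateprofileservice.svc" -
        "/advocateservice.svc" { return pool }
        default { return 403 }
    }
}

# Constructed cases: the six goals from the question plus three edge cases.
set cases {
    xyz.com      /advocateprofileservice.svc             pool
    XYZ.com      /AdvocateProfileService.svc             pool
    xyz.com      /internal/advocateprofileservice.svc    403
    xyz.com      /internal/AdvocateProfileService.svc    403
    xyz.com      /Images/test.jpg                        pool
    xyz.com      /internal/Images/test.jpg               403
    xyz.com:443  /advocateprofileservice.svc?singlewsdl  pool
    xyz.com      /imagesold/test.jpg                     403
    other.com    /Images/test.jpg                        403
}

set failed 0
foreach {host uri want} $cases {
    set got [decide $host $uri]
    if {$got ne $want} { incr failed }
    puts [format "%-12s %-40s %s" $host $uri $got]
}
if {$failed} { error "$failed case(s) did not match the goals in the question" }
```

In an iRule the same switch patterns apply to `[string tolower [HTTP::path]]`, with `pool` and `HTTP::respond 403` in place of the return values.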