Forum Discussion
Jim_Sellers_106
Nimbostratus
NimbostratusPath Based ACL Irule
Here is the scenario
I have 9 IP addresses that I want to allow to the following path but allow access to any other URL/URI on the server.
Lets just say 1.1.1.1 through 1.1.1.9
/npcaccounts/ManageAccount.aspx
/npcaccounts/ManageVendor.aspx
I have a few idea's in mind... creating a class for the sources and then creating a class for the paths. Any suggestions or help would be much appreciated.
- The_BhattmanHi Jim
There are several ways to this. The first thing that comes to mind is to use classes.
Using v10 as an exampleclass ip_path_class { "1.1.1.1" := "/npcaccounts/ManageAccount.aspx", "1.1.1.2" := "/npcaccounts/ManageVendor.aspx", . . ' "" := "/path/blah.aspx", }when HTTP_REQUEST { set sitepath [class match -value -- [IP::client_addr] ip_path_class] if { $sitepath ne "" } { [HTTP::uri] /$sitepath[HTTP::uri] } }
You can find the following link that will show you the many different instaces of using the class object
http://devcentral.f5.com/wiki/iRules.class.ashx
I hope this helps
Bhattman 
Jim_Sellers_106Thanks I really appreciate it and will let you know how it works out.
-Jim- The_BhattmanHi Jim,
If you want to do a blacklist then I suppose you could do the following using the SWITCH command.class dg_blacklist { "1.1.1.1", "1.1.1.2", "1.1.1.3", . . . "<IP>", }when HTTP_REQUEST { switch -glob [string tolower [URI::basename [HTTP::uri]]] { "manageaccount.aspx" - "managevendor.aspx" { if { [class match [IP::client_addr] equals dg_blacklist] } { discard } } } }
I hope this helps
Bhattman - The_BhattmanHi Jim,
alternatively if you want to create a white list then you could do the following:class dg_whitelist{ "1.1.1.1", "1.1.1.2", "1.1.1.3", . . . "", }when HTTP_REQUEST { switch -glob [string tolower [URI::basename [HTTP::uri]]] { "manageaccount.aspx" - "managevendor.aspx" { if { not [class match [IP::client_addr] equals dg_whitelist] } { discard } } } }
I hope this helps
Bhattman - Jim_Sellers_106Thanks that is exactly what I was looking for !!
hoolioCirrostratus
Hi Jim,
Be aware that IIS is very permissive when interpreting URIs. So it's fairly simple to bypass URI based iRules. For some examples of encoding attacks, check the last reply in this thread:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900
At a minimum if you're going to try to do this in an iRule, you'd want to URI decode the URI. You'd probably want to add additional logic to handle the other scenarios in the above post.
To do more complete proper validation of URIs you need the functionality in a WAF like ASM or to do this in the app using a .NET decoding library.
Aaron- Jim_Sellers_106Thanks for the advice Hoolio I will check the link out!!
Regards,
Jim - Jim_Sellers_106After looking into the link you sent I also have ASM in front of the IIS servers so I will check to see if I can get away with adding extra ////'s
Thanks !!!! - hoolioIdeally, you'd want to select an HTTP class by client IP and then have two separate ASM policies for the two different class of clients. You can do this using class match to evaluate the client IP against a datagroup and the HTTP::class command to select a class:
http://devcentral.f5.com/wiki/iRules.class.ashx
http://devcentral.f5.com/wiki/iRules.http__class.ashx
Aaron - hoolioTo clarify, in one ASM policy you could disallow access to the specific URIs with attack signatures. In the iRule, you'd check the client IP against the datagroup. If the client isn't in the datagroup, you'd select the HTTP class which points to the ASM policy which disallows these URIs.
Aaron
