Path Based ACL Irule

Hi Jim

There are several ways to this. The first thing that comes to mind is to use classes.

Using v10 as an example

class  ip_path_class {
"1.1.1.1" := "/npcaccounts/ManageAccount.aspx",
"1.1.1.2" := "/npcaccounts/ManageVendor.aspx",
.
.
'
"" := "/path/blah.aspx",
}

when HTTP_REQUEST {
   set sitepath [class match -value -- [IP::client_addr] ip_path_class]
   if { $sitepath ne "" } {
      [HTTP::uri] /$sitepath[HTTP::uri] 
     }
}

You can find the following link that will show you the many different instaces of using the class object

http://devcentral.f5.com/wiki/iRules.class.ashx

I hope this helps

Bhattman

Thanks I really appreciate it and will let you know how it works out.

 

 

-Jim

Hi Jim,

If you want to do a blacklist then I suppose you could do the following using the SWITCH command.

class dg_blacklist {
"1.1.1.1",
"1.1.1.2", 
"1.1.1.3",
.
.
.
"<IP>",
}

when HTTP_REQUEST {
    switch -glob [string tolower [URI::basename [HTTP::uri]]] {
     "manageaccount.aspx" -
     "managevendor.aspx" {
           if { [class match [IP::client_addr] equals dg_blacklist] } {
                discard
           }
        }
    }
}

I hope this helps

Bhattman

Hi Jim,

alternatively if you want to create a white list then you could do the following:

class dg_whitelist{
"1.1.1.1",
"1.1.1.2", 
"1.1.1.3",
.
.
.
"",
}

when HTTP_REQUEST {
    switch -glob [string tolower [URI::basename [HTTP::uri]]] {
     "manageaccount.aspx" -
     "managevendor.aspx" {
           if { not [class match [IP::client_addr] equals dg_whitelist] } {
                discard
           }
        }
    }
}

I hope this helps

Bhattman

Thanks that is exactly what I was looking for !!

 

Hi Jim,

 

 

Be aware that IIS is very permissive when interpreting URIs. So it's fairly simple to bypass URI based iRules. For some examples of encoding attacks, check the last reply in this thread:

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900

 

 

At a minimum if you're going to try to do this in an iRule, you'd want to URI decode the URI. You'd probably want to add additional logic to handle the other scenarios in the above post.

 

 

To do more complete proper validation of URIs you need the functionality in a WAF like ASM or to do this in the app using a .NET decoding library.

 

 

Aaron

Thanks for the advice Hoolio I will check the link out!!

 

 

Regards,

 

Jim

After looking into the link you sent I also have ASM in front of the IIS servers so I will check to see if I can get away with adding extra ////'s

 

 

Thanks !!!!

Ideally, you'd want to select an HTTP class by client IP and then have two separate ASM policies for the two different class of clients. You can do this using class match to evaluate the client IP against a datagroup and the HTTP::class command to select a class:

 

 

http://devcentral.f5.com/wiki/iRules.class.ashx

 

http://devcentral.f5.com/wiki/iRules.http__class.ashx

 

 

Aaron

To clarify, in one ASM policy you could disallow access to the specific URIs with attack signatures. In the iRule, you'd check the client IP against the datagroup. If the client isn't in the datagroup, you'd select the HTTP class which points to the ASM policy which disallows these URIs.

 

 

Aaron