For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jim_Sellers_106's avatar
Jim_Sellers_106
Icon for Nimbostratus rankNimbostratus
Oct 03, 2011

Path Based ACL Irule

  Here is the scenario         I have 9 IP addresses that I want to allow to the following path but allow access to any other URL/URI on the server.       Lets just say ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Oct 04, 2011
Hi Jim,

 

 

Be aware that IIS is very permissive when interpreting URIs. So it's fairly simple to bypass URI based iRules. For some examples of encoding attacks, check the last reply in this thread:

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900

 

 

At a minimum if you're going to try to do this in an iRule, you'd want to URI decode the URI. You'd probably want to add additional logic to handle the other scenarios in the above post.

 

 

To do more complete proper validation of URIs you need the functionality in a WAF like ASM or to do this in the app using a .NET decoding library.

 

 

Aaron