Forum Discussion
Question on syntax of iRule
Hello,
I'm struggling with syntax on the following, and was wondering if anyone had suggestions. I've tried combining Mozilla and Opera using '||', but that seemed to produce the same error (below).
If an IE/Firefox/Chrome client browser attempts to connect to REST Test & no SSO cookie exists, reject.
    when HTTP_REQUEST {
        if { ( [HTTP::header value "User-Agent"] contains "Mozilla" ) or
             ( [HTTP::header value "User-Agent"] contains "Opera" ) and
             ([string tolower [HTTP::uri]] matches_regex {restservicestest}) and
             { not [HTTP::cookie names] contains ".test" } then {
            reject
            log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        }
        }
    }
ERROR Text s/iRule syntax checking:
Exception caught in LocalLB::urn:iControl:LocalLB/Rule::create() Exception: Common::OperationFailed primary_error_code : 17236305 (0x01070151) secondary_error_code : 0 error_string : 01070151:3: Rule [/Common/iRuler_Parse_Test_Rule] error: /Common/iRuler_Parse_Test_Rule:3: error: [parse error: PARSE syntax 366 {syntax error in expression " ( [HTTP::header value "User-Agent"] contains "Mozilla" ) or...": extra tokens at end of expression}][{ ( [HTTP::header value "User-Agent"] contains "Mozilla" ) or ( [HTTP::header value "User-Agent"] contains "Opera" ) and ([string tolower [HTTP::uri]] matches_regex {restservicestest}) and { not [HTTP::cookie names] contains ".test" } then { reject log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked" } }] /Common/iRuler_Parse_Test_Rule:7: error: [missing a script after "if"][ ]
Thank you, Eric
7 Replies
Hi Eric,
you may try this snippet...
    when HTTP_REQUEST {
        if { (( [HTTP::header value "User-Agent"] contains "Mozilla" ) or
              ( [HTTP::header value "User-Agent"] contains "Opera" )) and
             ( [string tolower [HTTP::uri]] matches_regex {restservicestest} ) and
             not ( [HTTP::cookie names] contains ".test" ) } then {
            reject
            log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        }
    }

Cheers, Kai
- Aaron_Brailsfor
Historic F5 Account
I think the problem is you've enclosed the expression operators with brackets () rather than braces {}, this should work:
    when HTTP_REQUEST {
        if { { [HTTP::header value "User-Agent"] contains "Mozilla" || [HTTP::header value "User-Agent"] contains "Opera" } &&
             [string tolower [HTTP::uri]] matches_regex {restservicestest} &&
             { not [HTTP::cookie names] contains ".test" } } then {
            reject
            log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        }
    }

- Eric_Weiss_2486
Nimbostratus
Hello Aaron, many thanks for your suggestion. This worked better, although the HTTP::cookie names doesn't seem to be matching on contains '.fb'. In the following example, I'm wondering if there's a way to check for '.fb' inside any cookie?

    when HTTP_REQUEST {
        if { [HTTP::header value "User-Agent"] contains "Mozilla" ||
             [HTTP::header value "User-Agent"] contains "Opera" &&
             { not [HTTP::cookie names] contains ".fb" } &&
             [string tolower [HTTP::uri]] matches_regex {restservicesintstest} } then {
            reject
            log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI=[HTTP::uri]"
            log local0. "No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        }
    }

    Feb 23 09:21:52 lb01 info tmm1[15541]: Rule /Common/SecAuthREST-IntS-Test : Client browser trying to connect to REST Host:fb1restservicesintstest.fb; URI=/communication/notifications/isAlive
    Feb 23 09:21:52 lb01 info tmm1[15541]: Rule /Common/SecAuthREST-IntS-Test : No SSO Cookie Detected, Client IP:10.0.22.218 has been blocked

- Eric_Weiss_2486
Nimbostratus
I'm not seeing a way to check the contents of all cookies for '.fb'. I suspect that the reason { not [HTTP::cookie names] contains ".fb" } isn't working is that Windows desktop obscures the cookie names. If you view cookie files in Internet Explorer options, it shows all the cookie names ending in .fb. When I look locally on the filesystem, under Windows temp, I'm seeing all of those renamed cryptically, with .txt on the end. Due to that, I need to check the contents of cookies themselves for .fb
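
Added example, not part of the original thread and not any poster's code: one way to write the rule discussed above so that every cookie name and every cookie value is checked for the marker. In a Tcl expression `&&` binds tighter than `||`, and braces quote a string rather than group a sub-expression, so the User-Agent alternatives get their own parentheses. The marker `.fb` and the site name come from the posts; matching the site name against the Host header as well as the URI is an assumption based on the posted log lines.

```tcl
when HTTP_REQUEST {
    set ua [HTTP::header value "User-Agent"]

    # Assumption: the site name may appear in the Host header rather than
    # the URI (the posted log shows it in Host), so both are searched.
    set target "[string tolower [HTTP::host]][string tolower [HTTP::uri]]"

    # Scan every cookie: the marker counts if it is in the name or the value.
    set has_sso 0
    foreach name [HTTP::cookie names] {
        if { ($name contains ".fb") || ([HTTP::cookie value $name] contains ".fb") } {
            set has_sso 1
            break
        }
    }

    # Parentheses group the two User-Agent tests; without them the
    # expression reads as  Mozilla || (Opera && ...)  and every client
    # sending "Mozilla" is rejected before the cookie test is evaluated.
    if { (($ua contains "Mozilla") || ($ua contains "Opera"))
         && ($target contains "restservicesintstest")
         && !$has_sso } {
        log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI=[HTTP::uri]"
        log local0. "No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        reject
    }
}
```

The User-Agent and Cookie headers are both supplied by the client, so this rule filters ordinary browsers that lack the cookie; it does not verify that a presented cookie is a valid SSO session.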