Lark_53475
Aug 19, 2008

uri rewrite question

I'm a newbie so forgive if I'm asking a silly question. I haven't been able to get this to work with the examples and responses I've seen on the forum.

I have a distributed third party application doing a post to a URL. The post contains a '>' at the end of the URI string. I'm trying to intercept it and drop the greater than symbol prior to getting passed along to our Apache server. The application doesn't seem smart enough to handle a redirect. Without any rule, Apache sees the > and sends back this message:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.

Obviously, easiest answer would be to fix the third party app to remove the > and we are doing that, but can't get all of them before this system goes into production. I already have an iRule assigned to my Virtual server that divides traffic to different pools depending on string matches. I would like to create a different iRule that gets invoked prior.

My rule so far is this:

    when HTTP_REQUEST {
        if { [HTTP::uri] ends_with "&postDataBin=y\>" } {
            HTTP::uri "&postDataBin=y"
        }
    }

Either it's completely ignoring the iRule or I coded something incorrectly, because it still returns that Apache warning/error message. When I manually type the URL into a browser minus the '>' symbol at the end, the returns are as expected. Could it be ignoring this iRule even though it's first in the tab for Resources - iRules?

Is there a way to just take any URI that contains '>' and trim just that string off before going through the second iRule, which will direct traffic to the proper pools?

Thanks for any suggestions that you guys may have.

Lark

8 Replies

  • James_Quinby_46
    Historic F5 Account
    Off the bat, it looks like you're changing the complete HTTP::uri to "&postDataBin=y" rather than just shaving off the final "\>" (I'm assuming that there's more in the URL than just the postDataBin name/value pair).

    Something like this would be pretty easy with Apache's mod_rewrite. I have to believe it's a cinch with an iRule. I'll poke around some, but I'll bet someone comes up with an answer well before I do.

  • James_Quinby_46
    Historic F5 Account
    I think this is what you're going to want to do:

    http://devcentral.f5.com/wiki/default.aspx/iRules/STREAM__enable.html

    It's possible to put a regular expression into an iRule, but doing substitutions via the stream profile is a much better way.
  • Thanks for the response, jquinby. I'm going to plead a bit of ignorance here. I followed the link and, as a newbie to iRules, I'm a bit confused. I do want to trim just the >, but I'm more than happy to do a whole URI replacement because it is the only URI being submitted that I know of that contains the >.
  • James_Quinby_46
    Historic F5 Account
    Grabbing the example on that page and adjusting it accordingly, I come up with:

        when HTTP_RESPONSE {
            # Keep the stream filter off unless this response qualifies
            STREAM::disable

            if { [HTTP::header value Content-Type] contains "text" } {
                # @search@replace@ : drop the trailing ">" after postDataBin=y
                STREAM::expression {@&postDataBin=y\>@&postDataBin=y@}
                STREAM::enable
            }
        }

        # This section only logs matches, and should be removed before using the rule in production.
        when STREAM_MATCHED {
            log local0. "Matched: [STREAM::match]"
        }

    I'm having a bit of trouble testing this, but it looks like it *ought* to work.

  • Thanks for your response. I'll give it a shot and let you know what I find.
  • Deb_Allen_18
    Historic F5 Account
    stream acts only on the body, not the request URI, even for a POST.

    If you want to re-write the request URI inbound to the servers, you need to use the HTTP::uri command, as you started to, with just a small modification to make only that change:

        when HTTP_REQUEST {
            if { [HTTP::uri] ends_with ">" } {
                HTTP::uri [substr [HTTP::uri] 0 ">"]
            }
        }

    You don't need to escape the ">" in either case, but it seems to work either way for both commands.

    /deb
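
A narrower variant of the rewrite discussed in this thread, as an added example (not code posted by any participant): it rewrites only POST requests ending in the exact suffix quoted in the question, removes only the final character, and leaves any request containing another `>` untouched so the Apache filter still rejects it. The POST-only scope, the log wording and the `uri-fixup` tag are assumptions.

```tcl
when HTTP_REQUEST {
    # Assumption: the only legitimate offender is the third-party client's
    # POST whose URI ends in "&postDataBin=y>" (the suffix quoted in the thread).
    set uri [HTTP::uri]

    if { [HTTP::method] eq "POST" && $uri ends_with "&postDataBin=y>" } {
        # Drop exactly one trailing character; the rest of the URI is untouched.
        set cleaned [string range $uri 0 end-1]

        # If a ">" remains anywhere else, do not rewrite. The request goes to
        # Apache unchanged, so its cross-site-scripting check still applies.
        if { $cleaned contains ">" } {
            log local0. "uri-fixup: extra '>' in URI from [IP::client_addr], not rewritten"
            return
        }

        HTTP::uri $cleaned
        # Logging each rewrite shows which clients still send the bad URI,
        # which helps decide when the rule can be retired.
        log local0. "uri-fixup: stripped trailing '>' for [IP::client_addr]"
    }
}
```
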
  • Deb,

    That did the trick! I felt like I was circling the answer, but couldn't quite land on it. Thanks a bunch. Now if I can just get it to fire my second iRule assigned to the Virtual Server I'll be set!