For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jay_Christopher's avatar
Jay_Christopher
Icon for Nimbostratus rankNimbostratus
Jan 26, 2006

Using an iRule to create an access control list.

 

Is it possible to put a list of regular expressions into a data group and use an iRule to evaluate them against a URI.

 

 

I am thinking it would look something like this:

 

 

when HTTP_REQUEST {

 

if { [matchclass [HTTP::uri] equals $::uri_allow] } {

 

log local0. " URL ALLOWED [HTTP::uri]"

 

} else {

 

log local0. "!!!! URL DENIED !!!! [HTTP::uri]"

 

}

 

}

 

 

The list may contain things like:

 

 

^/favicon.ico$

 

^/images/.*\.(gif|jpg|jpeg|bmp)$

 

^/docs/.*\.(htm|html)$

 

 

 

application delivery
dev
devops
iRules

2 Replies

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Feb 01, 2006
    While this might be possible, I would think there would be quite a large performance penalty. Whenever you're talking about running a single regex, you're dealing with a fair amount of overhead, let alone multiple regexes on every incoming HTTP request.

     

     

    In any event, I believe it would be possible, but you'd have to create a loop in the rule to step through each member of the data group and test that against the URI individually, then move on to the next one. The matchclass command wouldn't get you there.

     

     

    -Colin
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Feb 01, 2006
    Actually, I got the word from one of the core developers that you cannot contain regular expressions in the datagroup in combination with matches_regex.

     

     

    But, since a data group can behave like TCL lists, you could use a foreach loop across the data group and then do a matches_regex on each member.

     

     

    -Joe