
Allowing access only to specified directories (HTTP::PATH) on hosts using IRULES

Haroonh
Nimbostratus

Hi Community,

I am a beginner in F5 and would like your help in achieving the following.

I would like to restrict the traffic to only the following path(s):

http://hostname.mylab.com/dir1

http://hostname.mylab.com/dir2

http://hostname.mylab.com/dir3

http://hostname.mylab.com/dir4

Could you please tell me if the following iRule will work? If not, please help me in configuring this.

    when HTTP_REQUEST {
        if { (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir1"))
          or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir2"))
          or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir3"))
          or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir4")) } {
        } else {
            drop
        }
    }

I really appreciate your help and support in this.

Kind Regards,

3 REPLIES

PeteWhite
F5 Employee

    when HTTP_REQUEST {
        if { [HTTP::host] == "hostname.mylab.com" } {
            switch -- [HTTP::path] {
                "/dir1" -
                "/dir2" -
                "/dir3" -
                "/dir4" -
                default { drop }
            }
        } else {
            drop
        }
    }

Thanks Pete for the reply and your time, really appreciate it.

I have tried your solution but it doesn't seem to work.

I implemented the following, which went fine.

    when HTTP_REQUEST {
        if { (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir1"))
          or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir2"))
          or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir3"))
          or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir4")) } {
        } else {
            drop
        }
    }

Kind Regards,

PeteWhite
F5 Employee

Cool. I can see what I did wrong:

    when HTTP_REQUEST {
        if { [HTTP::host] == "hostname.mylab.com" } {
            switch -- [HTTP::path] {
                "/dir1" -
                "/dir2" -
                "/dir3" -
                "/dir4" { return }
                default { drop }
            }
        } else {
            drop
        }
    }

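Otherwise, you can implement yours a bit differently:

    when HTTP_REQUEST {
        set urls { "/dir1*" "/dir2*" "/dir3*" }
        # Allow only paths matching one of the glob patterns
        set allowed 0
        foreach pattern $urls {
            if { [string match $pattern [HTTP::path]] } { set allowed 1; break }
        }
        if { ([HTTP::host] ne "hostname.mylab.com") or !$allowed } { drop }
    }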

or, if the number of URLs is likely to be large (20+), you can put them into a data group and match against that.

You can also implement this in an LTM policy, which would be more performant.

When testing this sort of thing it is a good idea to run a range of tests for different URLs and formats to check it works as expected; it is easy to find a corner case.
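
The range of tests suggested above can be worked through offline first. This is an added example, not code from the thread: a Python model of the matching conditions discussed here (exact `[HTTP::path]`, `[HTTP::uri] contains`, glob on the path) plus a hypothetical stricter `strict` rule, reporting which constructed requests each would let through. It assumes `[HTTP::path]` is the URI without the query string, `[HTTP::host]` is the raw Host header compared case-sensitively, and all four directories in every variant.

```python
from fnmatch import fnmatchcase

HOST = "hostname.mylab.com"
DIRS = ["/dir1", "/dir2", "/dir3", "/dir4"]

def path_of(uri):
    """Model of HTTP::path: the request URI with the query string removed."""
    return uri.split("?", 1)[0]

def exact(host, uri):      # [HTTP::path] eq "/dirN" (first post and the switch version)
    return host == HOST and path_of(uri) in DIRS

def contains(host, uri):   # [HTTP::uri] contains "/dirN" (query string included)
    return host == HOST and any(d in uri for d in DIRS)

def glob(host, uri):       # path matched against the glob pattern "/dirN*"
    return host == HOST and any(fnmatchcase(path_of(uri), d + "*") for d in DIRS)

def strict(host, uri):     # assumption, not from the thread: "/dirN" itself or below "/dirN/"
    p = path_of(uri)
    return host == HOST and any(p == d or p.startswith(d + "/") for d in DIRS)

RULES = {"exact": exact, "contains": contains, "glob": glob, "strict": strict}

# Constructed test requests: (Host header, request URI)
CASES = [
    (HOST, "/dir1"),
    (HOST, "/dir1/index.html"),
    (HOST, "/dir1?x=1"),
    (HOST, "/dir10/page"),          # sibling directory sharing the prefix
    (HOST, "/other/dir3"),          # allowed name deeper in the path
    (HOST, "/other?ref=/dir2"),     # allowed name only in the query string
    (HOST, "/other"),
    (HOST + ":80", "/dir1"),        # Host header carrying a port
    ("HOSTNAME.MYLAB.COM", "/dir1"),
]

def matrix():
    """Map each test request to the set of rule names that would let it through."""
    return {case: {name for name, rule in RULES.items() if rule(*case)}
            for case in CASES}

if __name__ == "__main__":
    for (host, uri), allowed in matrix().items():
        names = ", ".join(sorted(allowed)) or "none (dropped)"
        print(f"{host:24} {uri:20} allowed by: {names}")
```

The same request list can then be replayed against the virtual server to confirm the deployed iRule behaves like the variant you intended.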