cancel
Showing results for 
Search instead for 
Did you mean: 

Best way to limit what URI/Path is available

dschwartz0815
Altostratus
Altostratus

I currently have an iRule that will forward traffic to a destination pool based on what was in the host value:

when HTTP_REQUEST {   if { [string tolower [HTTP::host]] contains "example1.mydomain.com" } {  pool /Common/App_Example_1.app/Pool_Example_1_pool  } elseif { [string tolower [HTTP::host]] contains "example2.mydomain.com" } {  pool /Common/App_Example_2.app/Pool_Example_2_pool  } else {   pool /Common/App_Example_3.app/Pool_Example_3_pool  } }

For that second host (example2.mydomain.com) I want to make it so that only 3 URI's are actually available, let's say:

/v1/this/should/work*

/v1/this/will/also/work*

v2/this/one/too*

 

Everything else should be logged and blocked while presented a page about not being allowed

 

Here's what I tried:

when HTTP_REQUEST {   if { [string tolower [HTTP::host]] contains "example1.mydomain.com" } {  pool /Common/App_Example_1.app/Pool_Example_1_pool  } elseif { [string tolower [HTTP::host]] contains "example2.mydomain.com" } {  if { (([string tolower [HTTP::uri]] starts_with "/v1/this/should/work") or ([string tolower [HTTP::uri]] starts_with "/v1/this/will/also/work") or ([string tolower [HTTP::uri]] starts_with "v2/this/one/too")) } {             pool /Common/App_Example_2.app/Pool_Example_2_pool } else { log local0. "Blocked - [HTTP::host] - [HTTP::uri] from [IP::client_addr]" HTTP::respond 200 content { <html> <head> <title>Access Denied</title> </head> <body> You are not authorized to access the requested resource </body> </html> } }  } else {   pool /Common/App_Example_3.app/Pool_Example_3_pool  } }

 

In this update it now just seems to block every request, regardless of the URI.

 

Is there a better way to do this outside of an iRule? What would make this iRule work? I also tried nesting "if" statements but that also didn't work.

 

Thanks!

1 ACCEPTED SOLUTION

SanjayP
MVP
MVP

This can be optimized using switch statement. Create string datagroup (example2_allowed_uri) for allowed uri. You can use default_pool to send traffic at the end or reject it if there is no match for the HOST.

 

when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "example1.mydomain.com" { pool /Common/App_Example_1.app/Pool_Example_1_pool } "example2.mydomain.com" { if { [class match [string tolower [HTTP::uri]] starts_with example2_allowed_uri ] } { pool /Common/App_Example_2.app/Pool_Example_2_pool } else { HTTP::respond 200 content "access denied" noserver Content-Type text/html Connection Close } } "example3.mydomain.com" { pool /Common/App_Example_3.app/Pool_Example_3_pool } default { pool default_pool } } }

 

View solution in original post

2 REPLIES 2

SanjayP
MVP
MVP

This can be optimized using switch statement. Create string datagroup (example2_allowed_uri) for allowed uri. You can use default_pool to send traffic at the end or reject it if there is no match for the HOST.

 

when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "example1.mydomain.com" { pool /Common/App_Example_1.app/Pool_Example_1_pool } "example2.mydomain.com" { if { [class match [string tolower [HTTP::uri]] starts_with example2_allowed_uri ] } { pool /Common/App_Example_2.app/Pool_Example_2_pool } else { HTTP::respond 200 content "access denied" noserver Content-Type text/html Connection Close } } "example3.mydomain.com" { pool /Common/App_Example_3.app/Pool_Example_3_pool } default { pool default_pool } } }

 

Thank you ! This worked perfectly, I never thought to use DataGroups

 

Thank you again, much appreciated!