02-Aug-2021 08:42 - last edited on 04-Jun-2023 19:21 by JimmyPackets
I currently have an iRule that will forward traffic to a destination pool based on what was in the host value:
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] contains "example1.mydomain.com" } {
        pool /Common/App_Example_1.app/Pool_Example_1_pool
    } elseif { [string tolower [HTTP::host]] contains "example2.mydomain.com" } {
        pool /Common/App_Example_2.app/Pool_Example_2_pool
    } else {
        pool /Common/App_Example_3.app/Pool_Example_3_pool
    }
}
For that second host (example2.mydomain.com) I want to make it so that only 3 URIs are actually available, let's say:
/v1/this/should/work*
/v1/this/will/also/work*
v2/this/one/too*
Everything else should be logged and blocked while being presented a page about not being allowed.
Here's what I tried:
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] contains "example1.mydomain.com" } {
        pool /Common/App_Example_1.app/Pool_Example_1_pool
    } elseif { [string tolower [HTTP::host]] contains "example2.mydomain.com" } {
        if { (([string tolower [HTTP::uri]] starts_with "/v1/this/should/work") or ([string tolower [HTTP::uri]] starts_with "/v1/this/will/also/work") or ([string tolower [HTTP::uri]] starts_with "v2/this/one/too")) } {
            pool /Common/App_Example_2.app/Pool_Example_2_pool
        } else {
            log local0. "Blocked - [HTTP::host] - [HTTP::uri] from [IP::client_addr]"
            HTTP::respond 200 content {
                <html>
                <head>
                <title>Access Denied</title>
                </head>
                <body>
                You are not authorized to access the requested resource
                </body>
                </html>
            }
        }
    } else {
        pool /Common/App_Example_3.app/Pool_Example_3_pool
    }
}
In this update it now just seems to block every request, regardless of the URI.
Is there a better way to do this outside of an iRule? What would make this iRule work? I also tried nesting "if" statements but that also didn't work.
Thanks!
03-Aug-2021 03:59 - last edited on 04-Jun-2023 19:21 by JimmyPackets
This can be optimized using a switch statement. Create a string datagroup (example2_allowed_uri) for the allowed URIs. You can use default_pool to send traffic at the end or reject it if there is no match for the HOST.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "example1.mydomain.com" {
            pool /Common/App_Example_1.app/Pool_Example_1_pool
        }
        "example2.mydomain.com" {
            if { [class match [string tolower [HTTP::uri]] starts_with example2_allowed_uri ] } {
                pool /Common/App_Example_2.app/Pool_Example_2_pool
            } else {
                HTTP::respond 200 content "access denied" noserver Content-Type text/html Connection Close
            }
        }
        "example3.mydomain.com" {
            pool /Common/App_Example_3.app/Pool_Example_3_pool
        }
        default {
            pool default_pool
        }
    }
}
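One way to combine the data group approach above with the original requirement to log and block, as an added example that is not code from either poster. It assumes a string data group named example2_allowed_uri as in the answer; matching the host exactly (with any port stripped), matching on the path only, and answering 403 instead of 200 are choices made for this example.

```tcl
# Assumed data group (type string), created beforehand; in bigip.conf form:
#   ltm data-group internal example2_allowed_uri {
#       records {
#           /v1/this/should/work { }
#           /v1/this/will/also/work { }
#           /v2/this/one/too { }
#       }
#       type string
#   }
# Record names are lowercase and begin with "/": the rule lowercases the path,
# and a normal request path begins with "/", so a record without it never matches.

when HTTP_REQUEST {
    # Strip an optional ":port" so "example2.mydomain.com:443" is treated the same.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    # Path only: the query string plays no part in the allow-list decision.
    set path [string tolower [HTTP::path]]

    switch -- $host {
        "example1.mydomain.com" {
            pool /Common/App_Example_1.app/Pool_Example_1_pool
        }
        "example2.mydomain.com" {
            if { [class match $path starts_with example2_allowed_uri] } {
                pool /Common/App_Example_2.app/Pool_Example_2_pool
            } else {
                # Log the full URI as received, then answer from the BIG-IP itself.
                log local0. "Blocked - $host - [HTTP::uri] from [IP::client_addr]"
                HTTP::respond 403 content {
<html>
<head>
<title>Access Denied</title>
</head>
<body>
You are not authorized to access the requested resource
</body>
</html>
                } "Content-Type" "text/html"
            }
        }
        default {
            # Same fallback as the original rule in the question.
            pool /Common/App_Example_3.app/Pool_Example_3_pool
        }
    }
}
```

Because the match is a prefix match, any path that begins with one of the records is allowed, which corresponds to the trailing `*` in the list of URIs in the question.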
03-Aug-2021 05:19 - last edited on 24-Mar-2022 01:30 by li-migration
Thank you! This worked perfectly; I never thought to use DataGroups.
Thank you again, much appreciated!