
iRule to allow specific URLs only

Ashu_Aggarwal
Cirrus

I have to configure a VS to allow only two URLs & block everything else. For example, https://mycompany.com/abc/* & https://mycompany.com/xyz/* should be allowed & everything else should be blocked. Can someone help me with a possible iRule or a method to achieve the same? TIA

9 REPLIES

Simon_Blakely
F5 Employee

Do this with a Local Traffic Policy.

AskF5 | Manual Chapter: Local Traffic Policies Examples

A Local Traffic Policy will be easier to configure and maintain, and will also be faster than an iRule.

Simon_Blakely
F5 Employee

Your policy should look something like this:

[Screenshot of the Local Traffic Policy]

Thanks for your response. I tried this but it blocked the whole site. Also, which version of BIG-IP are you running? I have 13.1.7 & I don't see the same screen after policy creation.

That policy is missing a leading "/" for the URI paths, because I switched from "contains" to "starts_with" - sorry. Also, make it a case-insensitive check (using the options button).

HTTP URI path starts with "/abc/", or "/xyz/" at request time

It's worth persisting with Local Traffic Policies until you get them working - they really are the best solution to start with.

Samir
Nacreous

@Janet, your iRule is correct, but a small modification is needed to fulfill the actual request.

when HTTP_REQUEST {
    # Drop any request whose lower-cased URI does not start with an allowed prefix
    if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
        drop
    }
}

 

This iRule blocked the whole site.

Thank you so much for the feedback. We wrote the iRule based on your question/assumption. I believe you are passing a wildcard parameter in "/abe/*", which may not return the proper result. It is a DevCentral tip; modify it according to business needs.

Try a switch condition or an F5 policy.

Ashu_Aggarwal
Cirrus

Thanks, but my request is to allow the two URIs & drop everything else, & on a dropped request the user gets HTTP 403 Request Forbidden.

Try adding logging to see if you are capturing the right URIs.

You can follow Samir's iRule and, since you wanted a 403, replace drop with respond 403.

when HTTP_REQUEST {
    if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
        # Not an allowed prefix: answer with a 403 instead of silently dropping
        HTTP::respond 403 content "<html><body>Access Denied</body></html>"
    } else {
        log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
    }
}

If you want to test before implementing, to make sure you are applying the right actions, add logging first. Something like below:

when HTTP_REQUEST {
    # Log-only version: records what would be blocked without changing traffic
    if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
        log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is to be blocked with a 403"
    } else {
        log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
    }
}
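
The switch-based variant suggested earlier in the thread, written out as an added example (not code from any poster here). It assumes the two prefixes from the original question, /abc/ and /xyz/, and matches on HTTP::path with the leading and trailing slash so that the query string is ignored and a path such as /abcdef is not allowed; the log message format is constructed.

```tcl
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string. Lower-casing it makes
    # the match case-insensitive, as recommended for the policy version.
    # Patterns keep the leading "/" (without it nothing matches and the
    # whole site is blocked) and the trailing "/" (so "/abcdef" and a bare
    # "/abc" fall through to the default branch and are denied).
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/abc/*" -
        "/xyz/*" {
            # Allowed prefix: let the request continue to the pool.
            log local0. "ALLOW client=[IP::client_addr] uri=[HTTP::uri]"
        }
        default {
            # Everything else is refused with an explicit 403.
            log local0. "DENY client=[IP::client_addr] uri=[HTTP::uri]"
            HTTP::respond 403 content "<html><body>Access Denied</body></html>" "Content-Type" "text/html"
        }
    }
}
```

To trial it the way the last reply suggests, comment out the HTTP::respond line first and review the DENY entries in /var/log/ltm before enforcing.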