10-Apr-2020 08:13 - last edited on 04-Jun-2023 21:31 by JimmyPackets
Hi All,
Can anyone let me know what the issue is here? I am trying to match using a wildcard or anything beyond the top level URI and it's not working.
It seems the data group string is specific only, and anything beyond that doesn't work.
So what I am trying to do is look at the top level URI (/APP1), and if there is anything beyond that, allow. It should allow at the top level /APP1 and not care about any URI beyond that...
Example not working going beyond the top level URI /APP1:
HTTPS://mysite.com/APP1/ABC/123/home.html
We all know that a site does not end at just the top level /APP1/, as it can go beyond that with the other folders/URI. I just want to match the top level, and allow anything beyond that. The iRule seems to look for only /APP1/ and if you have /APP1/ABC/..... it does not work.
Match or wild card in data group:
/APP1/*
/APP2/*
/APP3/*
Is there a better way to do this within the iRule itself for the URIs?
Thanks!
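when HTTP_REQUEST {
    # Client is in one of the blocked subnets
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        # Reject unless the URI equals an entry in the allowed-URI data group
        if { not ([class match [HTTP::uri] equals DG2-ALLOWED-URIs]) } {
            reject
        }
    }
}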
ltm data-group internal DG1-BLOCKED-SUBNETS {
    records {
        10.100.100.0/24 { }
        10.200.200.0/24 { }
    }
    type ip
}
ltm data-group internal DG2-ALLOWED-URIs {
    records {
        /APP1/* { }
        /APP2/* { }
        /APP3/* { }
    }
    type string
}
10-Apr-2020 08:31 - last edited on 04-Jun-2023 21:31 by JimmyPackets
I think you want to check if your URI "starts with" something, so I would use:
starts_with
if { not ([class match [HTTP::uri] starts_with DG2-ALLOWED-URIs]) } {
Let me know if it's OK for you.
10-Apr-2020 08:39
Added the "starts_with" and still same thing, no good. Is it better to call the URIs and wildcard within the iRule or from a data group?
For example, I am trying to go to the URL below.
I have /APP1/* in the data group, so the iRule should allow me to come in if I match the /APP1 and anything beyond that.
HTTPS://mysite.com/APP1/home.html
Thanks!
10-Apr-2020 09:01
In the datagroup, you should have: /APP1/, not /APP1/*.
Regarding whether it's better to call the URIs in the iRule or a datagroup, IMO, it depends on how many times the URIs will be added or removed and the number of entries.
For just 3 that will never change, I would do it in the iRule, because it'll be easiest for some people to maintain. If you have a lot of URIs and it'll change, I'll do it in a data group, it'll be easy to just add/remove stuff from the data group for an untrained technician.
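The data-group approach suggested in the reply above, written out as an added example that is not part of the original thread. The data group names are the thread's own; the use of HTTP::path, the trailing-slash handling and the log line are choices made for this example.

```tcl
# Added example, not code from the thread.
#
# class match compares strings literally, so a record "/APP1/*" only matches
# a path that contains a literal asterisk. Store plain prefixes instead:
#
#   ltm data-group internal DG2-ALLOWED-URIs {
#       records {
#           /APP1/ { }
#           /APP2/ { }
#           /APP3/ { }
#       }
#       type string
#   }

when HTTP_REQUEST {
    # The URI allow-list applies only to clients in the restricted subnets.
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        # HTTP::path is the URI without the query string.
        set path [HTTP::path]

        # Append "/" when missing so a request for "/APP1" matches the
        # record "/APP1/", while "/APP10" still does not.
        if { not ($path ends_with "/") } {
            append path "/"
        }

        # True when any record in the data group is a prefix of $path.
        if { not [class match $path starts_with DG2-ALLOWED-URIs] } {
            log local0. "Rejected [IP::client_addr] for [HTTP::host][HTTP::uri]"
            reject
        }
    }
}
```

The comparison is case-sensitive, so the records must use the same case as the application's real paths.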
10-Apr-2020 09:17
Thanks!
Do you have an example of this iRule if I want to call it within the iRule and not use the URI data group?
Would it look something like this?
class allowedURIs {
    "/APP1/"
    "/APP2/"
    "/APP3/"
}
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        if { not ([HTTP::uri] starts_with $::allowedURIs) } {
            reject
        }
    }
}
10-Apr-2020 09:25 - last edited on 04-Jun-2023 21:31 by JimmyPackets
if { not ([HTTP::uri] starts_with "/APP1/" or [HTTP::uri] starts_with "/APP2") } {
    # Do something
}
I don't have a BigIP right now to test, but this is how I see it.
10-Apr-2020 10:03
Thank you!
10-Apr-2020 10:08
It's working?