
iRule and Data group URI wildcard matching not working

ant77
Cirrus

Hi All,

 

Can anyone let me know what the issue is here? I am trying to match using a wildcard, or anything beyond the top-level URI, and it's not working.

It seems the data group string match is exact only, and anything beyond that doesn't work.

 

So what I am trying to do is look at the top-level URI (/APP1), and if there is anything beyond that, allow it. It should allow the top level /APP1

and not care about any URI beyond that...

 

Example not working going beyond the top level URI /APP1:

HTTPS://mysite.com/APP1/ABC/123/home.html

 

We all know that a site does not end at just the top level /APP1/, as it can go beyond that with other folders/URIs. I just want to

match the top level and allow anything beyond that. The iRule seems to look only for /APP1/, and if you have /APP1/ABC/..... it does not work.

 

Match or wildcard in data group:

/APP1/*

/APP2/*

/APP3/*

 

Is there a better way to do this within the iRule itself for the URIs?

 

 

Thanks!

 

 

when HTTP_REQUEST {
    # Only clients in the blocked subnets are subject to the URI check
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        # Reject unless the URI matches a record in the allow list
        # ("equals" compares the whole URI against each record literally)
        if { not [class match [HTTP::uri] equals DG2-ALLOWED-URIs] } {
            reject
        }
    }
}

ltm data-group internal DG1-BLOCKED-SUBNETS {
    records {
        10.100.100.0/24 { }
        10.200.200.0/24 { }
    }
    type ip
}

ltm data-group internal DG2-ALLOWED-URIs {
    records {
        /APP1/* { }
        /APP2/* { }
        /APP3/* { }
    }
    type string
}

ldesfosses
Cirrus

I think you want to check if your URI "starts with" something, so I would use:

 

starts_with

 

if { not [class match [HTTP::uri] starts_with DG2-ALLOWED-URIs] } {

Let me know if it's OK for you.

 

Added the "starts_with" and it's still the same thing, no good. Is it better to call the URIs and wildcards within the iRule or from a data group?

 

For example, I am trying to go to the URL below.

I have /APP1/* in the data group, so the iRule should allow me in if I match /APP1 and anything beyond that.

 

HTTPS://mysite.com/APP1/home.html

 

Thanks!

 

In the data group, you should have /APP1/, not /APP1/*.

 

Regarding whether it's better to call the URIs in the iRule or in a data group, IMO it depends on how often the URIs will be added or removed and on the number of entries.

 

For just 3 that will never change, I would do it in the iRule, because it'll be easiest for some people to maintain. If you have a lot of URIs and they'll change, I'd do it in a data group; it'll be easy for an untrained technician to just add/remove entries from the data group.

Thanks!

 

Do you have an example of this iRule if I want to call it within the iRule and not use the URI data group?

Would it look something like this?

 

 

# Allow list kept next to the iRule (v9-style class definition,
# referenced below with $::allowedURIs)
class allowedURIs {
    "/APP1/"
    "/APP2/"
    "/APP3/"
}

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        # Reject unless the URI begins with one of the allowed prefixes
        if { not [matchclass [HTTP::uri] starts_with $::allowedURIs] } {
            reject
        }
    }
}

 

 

if { not ([HTTP::uri] starts_with "/APP1/" or [HTTP::uri] starts_with "/APP2/") } {
    # Do something
}

I don't have a BigIP right now to test, but this is how I see it.
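The match semantics this thread settles on, as an added Python model that is not F5 code and not from this thread: each string data-group record is treated as a literal (an assumption that matches the replies, no glob expansion), so `/APP1/*` under `equals` only ever matches the literal string `/APP1/*`, while `/APP1/` under `starts_with` covers everything beneath that folder. It also shows two edge cases worth checking before deploying: `/APP1` without the trailing slash is not covered by a `/APP1/` record, and a record without the trailing slash (like `"/APP2"` above) also matches `/APP2X/...`, which widens the allow list more than intended.

```python
"""Model of how a BIG-IP string data group is consulted by `class match`.

Added example (not F5 code): records are compared as literal strings,
which is why a `/APP1/*` record never matches with `equals` and why the
thread ends up with `/APP1/` records plus the `starts_with` operator.
"""
from typing import Iterable, Optional

# Constructed data groups mirroring DG2-ALLOWED-URIs before and after the fix.
WILDCARD_RECORDS = ["/APP1/*", "/APP2/*", "/APP3/*"]  # original post
PREFIX_RECORDS = ["/APP1/", "/APP2/", "/APP3/"]  # ldesfosses' recommendation
NO_SLASH_RECORDS = ["/APP1", "/APP2", "/APP3"]  # over-broad variant


def class_match(value: str, operator: str, records: Iterable[str]) -> Optional[str]:
    """Return the first record matching `value` under `operator`, else None.

    Models the iRule `class match <value> <operator> <data-group>` lookup for
    string data groups: every record is a literal, `*` has no special meaning.
    """
    ops = {
        "equals": lambda v, r: v == r,
        "starts_with": lambda v, r: v.startswith(r),
        "ends_with": lambda v, r: v.endswith(r),
        "contains": lambda v, r: r in v,
    }
    if operator not in ops:
        raise ValueError(f"unsupported operator: {operator}")
    test = ops[operator]
    for record in records:
        if test(value, record):
            return record
    return None


def allowed(uri: str, operator: str, records: Iterable[str]) -> bool:
    """Mirror the iRule: the request passes only when the URI hits a record."""
    return class_match(uri, operator, records) is not None


if __name__ == "__main__":
    # Constructed sample URIs, including the ones from the thread.
    for uri in ["/APP1/", "/APP1/home.html", "/APP1/ABC/123/home.html",
                "/APP1", "/APP1X/secret", "/other/"]:
        print(f"{uri:26} equals+wildcard={allowed(uri, 'equals', WILDCARD_RECORDS)!s:5} "
              f"starts_with+prefix={allowed(uri, 'starts_with', PREFIX_RECORDS)!s:5} "
              f"starts_with+noslash={allowed(uri, 'starts_with', NO_SLASH_RECORDS)}")
```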

 

Thank you!

Is it working?