Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

iRule and multiple switch-statements

shakalakka
Altostratus
Altostratus

‎22-Aug-2022 01:02

So we need to filter based on both URIs and host-headers AND the source-IPs. I have tried using two switch-statements, with the same action for both if the client-IP-range matches - the first one works, but the second one doesnt seem to be evaluated. Any tips?

iRule:

when HTTP_REQUEST {
   set RESPONSE "<html><title>404 - NOT FOUND</title><body>404 - not found</body></html>"
   switch -glob [string tolower [HTTP::uri]] {
      "/someuri" -
      "/someuri/*"  {
         if { [matchclass [IP::client_addr] equals dg_blockthesehosts ] } {
            HTTP::respond 404 -version auto content $RESPONSE noserver "Content-Type" "text/html;charset=utf-8"
            TCP::close
            event disable
            return
         }
      }
   }
   switch -glob [string tolower [HTTP::host]] {
      "Host1.host.com" -
      "Host2.host.com" {
         if { [matchclass [IP::client_addr] equals dg_blockthesehosts ] } {
            HTTP::respond 404 -version auto content $RESPONSE noserver "Content-Type" "text/html;charset=utf-8"
            TCP::close
            event disable
            return
         }
      }
   }
}

 

Labels:
0 Kudos
7 REPLIES 7

Kevin_Stewart
F5 Employee
F5 Employee

‎22-Aug-2022 04:29

Don't know if you're obfuscating for this post, but you have [string tolower [HTTP::host]] as the condition, but trying to evaluate mixed case strings (ex. Host1.host.com).

0 Kudos

shakalakka
Altostratus
Altostratus

‎22-Aug-2022 04:31

Yes, sorry, this is example-names, and should read host1.host1.com. 

0 Kudos

shakalakka
Altostratus
Altostratus
In response to shakalakka

‎22-Aug-2022 04:31

But is something missing to open a second switch-statement? 

0 Kudos

Kevin_Stewart
F5 Employee
F5 Employee

‎22-Aug-2022 04:37 - edited ‎22-Aug-2022 04:37

The second switch will indeed not fire if there's a URI match, since that is doing an 'event disable'. So the logic presumes that the request does not match the URI in order to do a match on the host.

For giggles, try adding some logging and see what falls out:

 

when HTTP_REQUEST {
   log local0. "host: [string tolower [HTTP::host]]"

   set RESPONSE "<html><title>404 - NOT FOUND</title><body>404 - not found</body></html>"
   switch -glob [string tolower [HTTP::uri]] {
      "/someuri" -
      "/someuri/*"  {
         log local0. "match URI: [string tolower [HTTP::uri]]"
         if { [matchclass [IP::client_addr] equals dg_blockthesehosts ] } {
            HTTP::respond 404 -version auto content $RESPONSE noserver "Content-Type" "text/html;charset=utf-8"
            TCP::close
            event disable
            return
         }
      }
   }
   switch [string tolower [HTTP::host]] {
      "host1.host.com" -
      "host2.host.com" {
         log local0. "match host: [string tolower [HTTP::host]]"
         if { [matchclass [IP::client_addr] equals dg_blockthesehosts ] } {
            HTTP::respond 404 -version auto content $RESPONSE noserver "Content-Type" "text/html;charset=utf-8"
            TCP::close
            event disable
            return
         }
      }
   }
}

 

0 Kudos

shakalakka
Altostratus
Altostratus
In response to Kevin_Stewart

‎22-Aug-2022 04:39

I will try. That is correct, the URI and host-header matching will not happen on the same site, so the logic is something like this:

If you are a source-IP in dg_blockthesehosts:

Give a 404 if you try to access /someuri/*

OR:

if you try to access host1.host.com or host2.host.com.

They wont try to access host1.host.com/someuri.

 

0 Kudos

T-Trust
Cirrus
Cirrus

‎24-Aug-2022 22:22

Hi shakalakka,

I hope this iRules will help you, 

 

when HTTP_REQUEST {

set httphost [string tolower [HTTP::host]]

set httpuri [string tolower [HTTP::uri]]

if { ($httphost contains “x1”) && ($httpuri contains “y1”) } {

pool pool1

} elseif { ($httphost contains “x2”) && ($httpuri contains “y2”) } {

pool pool2

} else {

pool pool3

}

}

More information >> cloud-ttrust  <<

 

0 Kudos

CA_Valli
MVP
MVP

‎30-Aug-2022 02:42 - edited ‎30-Aug-2022 02:45

Hello shakalakka,

I've noticed that you didn't include default condition in your switch blocks, so I'm assuming second block might never be evaluated since code likely breaks at first evaluation. 

I'm pretty sure that if you try to swap the two blocks and put HOST check first, it will start working and it will break URI check.

Can you try this ?

 

when HTTP_REQUEST {
   set RESPONSE "<html><title>404 - NOT FOUND</title><body>404 - not found</body></html>"
   switch -glob [string tolower [HTTP::uri]] {
      "/someuri" -
      "/someuri/*"  {
         if { [matchclass [IP::client_addr] equals dg_blockthesehosts ] } {
            HTTP::respond 404 -version auto content $RESPONSE noserver "Content-Type" "text/html;charset=utf-8"
            TCP::close
            event disable
            return
         }
      } default {}
   }
   switch -glob [string tolower [HTTP::host]] {
      "Host1.host.com" -
      "Host2.host.com" {
         if { [matchclass [IP::client_addr] equals dg_blockthesehosts ] } {
            HTTP::respond 404 -version auto content $RESPONSE noserver "Content-Type" "text/html;charset=utf-8"
            TCP::close
            event disable
            return
         }
      }
   }
}

 

0 Kudos
Copyright © 2023 Khoros, LLC