iRule - Block part of a query

Question

Using this example URL: https://abc.com/some-uri.some-extension?func=do-somethingHow would I go about rejecting any queries containing "do-something"?&nbsp;This is what I have tried, and haven't had any luck:iRule:    when HTTP_REQUEST {
            if { [class match [string tolower [HTTP::query]] eq data-group-1] }{
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }Data-group:ltm data-group internal data-group-1 {
    records {
        do-something { }
    }
    type string
}

ca_valli · Accepted Answer

Hello&nbsp;PG0581&nbsp;,&nbsp;this code should work, and it's exactly how I would build the iRule too.&nbsp;Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match.&nbsp;In my lab, this code is working indeed&nbsp;I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.

omar2 · Answer

Hello,The below simple I-rule do this function and tested in a LAB:when HTTP_REQUEST {if {[HTTP::uri] contains "do-something"}{reject}}

kai_wilke · Answer

Hi PG0581,
you may check the modified iRule below...
&nbsp;
when HTTP_REQUEST {
		if {  [class match -- [URI::query [HTTP::uri -normalized] "func"] equals data-group-1] } then {
		log local0. "Denied query: [IP::client_addr] - param func=[URI::query [HTTP::uri -normalized] "func"]"
		HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
	}
}
&nbsp;
It applies HTTP::uri -nomalization to the request URI, then extracts the URI parameter "func" and then checks the value based on your Data-Group. If the func param is listed in the blacklist, it sends a HTTP 403 Access Denied to the client (slightly better than using a TCP reject).&nbsp;
&nbsp;Cheers, Kai

ca_valli · Answer

Happy to help!I typically use that syntax if I need to normalize some data, but with URI's /login and /LOGIN would be two different pages and you might have unexpected matches..&nbsp;

pg0581 · Answer

Noted! Thanks again!&nbsp;

pg0581 · Answer

I also tried modifying the iRule to use "contains" rather than "eq", but no luck there either:&nbsp;    when HTTP_REQUEST {
            if { [class match [string tolower [HTTP::query]] contains data-group-1] }{
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }&nbsp;

Forum Discussion

iRule - Block part of a query

9 Replies

Recent Discussions

Stable Firmware for F5

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

iRule Processing query

MS Exchange ProxyNotShell block implemented via iRules

Rate limiting GraphQL API query using iRule and Advanced WAF Violation

Pool downtime query

Block traffic