iRule - Block part of a query

PG0581
Cirrus

Using this example URL: https://abc.com/some-uri.some-extension?func=do-something

How would I go about rejecting any queries containing "do-something"? 

This is what I have tried, and haven't had any luck:

iRule:

    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::query]] eq data-group-1] } {
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }

Data-group:

    ltm data-group internal data-group-1 {
        records {
            do-something { }
        }
        type string
    }

1 ACCEPTED SOLUTION

Hello @PG0581 , 
this code should work, and it's exactly how I would build the iRule too. 

Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match. 

In my lab, this code is working indeed

I would check the profiles on your VS: you need an HTTP profile to parse [HTTP::query] info, and if this is HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.


PG0581
Cirrus

I also tried modifying the iRule to use "contains" rather than "eq", but no luck there either:

    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::query]] contains data-group-1] } {
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }

Hi @CA_Valli ,

Thanks for testing this. I have typically always used "string tolower", but what I did not realize or had not noticed is the string in the data-group needs to be lowercase as well. Makes total sense! The string in my data-group is not all in lowercase, so I will fix that.

Happy to help!
I typically use that syntax if I need to normalize some data, but with URIs, /login and /LOGIN would be two different pages and you might have unexpected matches.

Noted! Thanks again! 

Omar2
Cirrus

Hello,

The simple iRule below does this and was tested in a lab:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "do-something" } {
            reject
        }
    }

Thanks for testing this @Omar2 ! I will add this to my notes as another solution.

Kai_Wilke
MVP

Hi PG0581,

you may check the modified iRule below...

    when HTTP_REQUEST {
        if { [class match -- [URI::query [HTTP::uri -normalized] "func"] equals data-group-1] } then {
            log local0. "Denied query: [IP::client_addr] - param func=[URI::query [HTTP::uri -normalized] "func"]"
            HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
        }
    }

It applies HTTP::uri -normalization to the request URI, then extracts the URI parameter "func" and then checks the value based on your Data-Group. If the func param is listed in the blacklist, it sends an HTTP 403 Access Denied to the client (slightly better than using a TCP reject).

 Cheers, Kai


iRule can do… 😉

Thanks for your feedback @Kai_Wilke . Interesting way of writing the iRule, and thanks for the tip on sending the 403 back 🙂 I will add this to my notes!
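
The matching behaviours discussed in this thread (lowercased input against data-group case, substring match on the whole query, exact match on the `func` parameter) can be compared side by side in a small Python model. This is an added example, not code from any poster and not iRule code: `class_match` is a simplified stand-in for the iRule command, Python's `parse_qs` percent-decoding stands in for URI normalization, and the sample queries and the mixed-case record are constructed.

```python
from urllib.parse import parse_qs

# Record from the thread's data-group.
DATA_GROUP = {"do-something"}
# Constructed: a record saved with capitals, the mistake described in the thread.
MIXED_CASE_GROUP = {"Do-Something"}


def class_match(item, op, records):
    """Simplified model of `class match <item> <op> <data-group>` (string type)."""
    if op == "equals":
        return item in records
    if op == "contains":
        return any(rec in item for rec in records)
    raise ValueError(f"unsupported operator: {op}")


def whole_query_contains(query, records):
    """Lowercase the raw query string, then substring-match it."""
    return class_match(query.lower(), "contains", records)


def func_param_equals(query, records, param="func"):
    """Decode the query, then exact-match each value of one parameter."""
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    return any(class_match(v.lower(), "equals", records) for v in values)


def unmatchable_records(records):
    """Records that can never match once the input has been lowercased."""
    return sorted(r for r in records if r != r.lower())


# Constructed sample query strings (not taken from real traffic).
SAMPLES = [
    "func=do-something",                        # plain value
    "func=DO-Something",                        # mixed-case value
    "func=do%2Dsomething",                      # percent-encoded hyphen
    "func=list&note=please-do-something-else",  # substring in another parameter
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q:42} contains={whole_query_contains(q, DATA_GROUP)!s:5} "
              f"param={func_param_equals(q, DATA_GROUP)}")
    print("unmatchable records:", unmatchable_records(MIXED_CASE_GROUP))
```

Running `unmatchable_records` over an exported data-group is a quick check before pairing it with a rule that lowercases its input.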