irule block uri for external users when url has special characters such as $

Aziz-90s
Altocumulus

Hi all

I've tried an iRule on the VIP for the website example to block the URI for external users only, for example /_api/$metadata. I need to block this path: /_api/$metadata

So what I tried is:

when HTTP_REQUEST {
    if { [HTTP::host] equals"example"} {
        if { [string tolower [HTTP::uri]] starts_with "/_api/$metadata" } {
            if { not ([class match [IP::remote_addr] equals private_net]) } {
                # reject
            }
        }
    }
}

Noting a couple of things:

1/ When I applied it, the web went down even though the REJECT is written as a comment in the iRule.

2/ There are two policies, a WAF policy and a redirect policy, applied to the VIP, so I thought that might be the reason. I removed the policies and tried the iRule: same result, the web went down even when reject is a comment.

Besides, I really want to use an iRule. I read that we can use a policy but never tried. I'd love to know my mistakes in the iRule.

Can anyone tell me what I missed and, if you could, explain why?

Thanks

 

2 ACCEPTED SOLUTIONS

AlexBCT
MVP

Hi Aziz, 

Two things that I noticed in the iRule:

1. There is no space between equals"example"} - although I suspect this is just an edit error for the question here, I thought I'd mention it, just in case... 😉

2. "/_api/$metadata" - are you referring to an iRule variable or is this part of the actual URI? If it is a variable, where exactly is it declared? If it is part of the URI, the iRule will probably think it's a variable and interpret it as such. To avoid this behaviour, try putting a backslash in front of it to clearly tell the iRule to take it as its literal value. ( "/_api/\$metadata" )

If the above two things didn't help, did you see any messages in the ltm log (/var/log/ltm)? And what is the behaviour when connecting from inside a private net or outside? Lastly, any chance of any proxies in between that are always hiding behind an outside address?

Regarding Local Traffic Policies; yes, they are brilliant and often a great replacement for basic iRules (...but iRules are still awesome!). I think your example might indeed be a good one for an LTP. Have a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-... but also just give it a go in the F5 GUI and you'll be able to figure it out quickly. (go to Local Traffic - Policies - Create new policy)

Hope one of these tips helps. 

Alex 


Hi Alex

Thanks for replying.

The /_api/$metadata is part of the URI.

Also, I forgot to mention that I did a little research about special characters in URIs,

and it turns out that we could somehow avoid or resolve this issue by using a syntax, Set_encode or something like that.

Have you heard anything like this?

I'll try your suggestions and reply back.

Much appreciated

if { [string tolower [HTTP::uri]] starts_with {/_api/$metadata} } {

Thanks Alex

it worked 🙂
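
The fix discussed in this thread as a complete iRule; this is an added example, not code posted by any participant. Inside double quotes Tcl substitutes `$metadata` as a variable, and reading an undefined variable raises a runtime error that aborts the event and resets the connection whether or not `reject` is commented out. Matching on the decoded `HTTP::path`, the log line and the variable names are assumptions added here; the host `example` and the data group `private_net` come from the question.

```tcl
when HTTP_REQUEST {
    # Braces suppress Tcl substitution, so the dollar sign stays literal.
    # "/_api/\$metadata" (backslash inside double quotes) is equivalent.
    set blocked_prefix {/_api/$metadata}

    # Host header values are case-insensitive, so normalise before comparing.
    if { [string tolower [HTTP::host]] equals "example" } {

        # HTTP::path leaves out the query string. URI::decode converts
        # percent-encoded characters (for example %24 for $) so that the
        # encoded and literal forms of the path are treated the same.
        set path [string tolower [URI::decode [HTTP::path]]]

        if { $path starts_with $blocked_prefix } {
            # private_net is the data group used in the question; any client
            # address not listed in it is treated as external.
            if { not [class match [IP::client_addr] equals private_net] } {
                log local0. "Blocked external client [IP::client_addr] requesting $path"
                reject
            }
        }
    }
}
```

A Tcl error of this kind is written to /var/log/ltm, which is the log Alex suggests checking.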