NetWork
Oct 21, 2020
Solved

iRule for exact resource access rejection

I would like to know the feasibility of implementing iRules for the scenario below. Kindly suggest whether it is achievable or not.

https://my.domain.com/mrj/home/srt/portal/prtroot/com.dev.net.sendemail >> only requests to this resource should get rejected

https://my.domain.com/mrj/home/srt/portal/prtroot/* >> others should get allowed


4 Replies

  • Hello NetWork.

    Yes, it's feasible. Try this:

    when HTTP_REQUEST {
    	set uri [getfield [HTTP::uri] "?" 2]
    	if { $uri ends_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } { reject }
    }

    Regards,

    Dario.

    • NetWork

      Hi Dario,

       

      Thanks a lot for your response!

       

      Below is our existing and working iRule:

       

      when HTTP_REQUEST {
          if { [HTTP::uri] == "/" } {
              HTTP::redirect "http://[HTTP::host]/mrj"
          } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
              pool pool-A
          } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
              pool pool-B
          } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
              reject
          }
      }

       

      If we modify it as below, will it work?

       

       

      when HTTP_REQUEST {
          set uri [getfield [HTTP::uri] "?" 2]
          if { [HTTP::uri] == "/" } {
              HTTP::redirect "http://[HTTP::host]/mrj"
          } elseif { $uri ends_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
              reject
          } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
              pool pool-A
          } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
              pool pool-B
          } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
              reject
          }
      }

       

       

      Also, can you please help me understand why we need to put "2" in set uri [getfield [HTTP::uri] "?" 2]?

      And in case we want to reject anything after sendemail, i.e. /mrj/home/srt/portal/prtroot/com.dev.net.sendemail*, how can that be achieved?

       

       

      • Hello NetWork.

        Actually the previous sentence has a mistake. It should be like this.

        set uri [getfield [HTTP::uri] "?" 1]

        This is used to remove the query parameter of the URI. For example, if you receive something like this:

        /mrj/home/srt/portal/prtroot/com.dev.net.sendemail?myuser=john

        Taking into account that you need to reject any URI related with

        /mrj/home/srt/portal/prtroot/com.dev.net.sendemail*

        Then you should use "starts_with" instead of "ends_with", and the sentence before would not be necessary.

        Your iRule should be like this:

        when HTTP_REQUEST {
        	# The most specific prefix (sendemail) is tested before the general /mrj prefix
        	if { [HTTP::uri] == "/" } {
        		HTTP::redirect "http://[HTTP::host]/mrj"
        	} elseif { [string tolower [HTTP::uri]] starts_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
        		reject
        	} elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        		pool pool-A
        	} elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        		pool pool-B
        	} elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        		reject
        	}
        }

        Please, if this was helpful don't forget to mark my answer as 'the best' to help me for the contribution.

        Regards,

        Dario.
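
An added variant of the rule above (example code, not part of any participant's post): it matches on the normalized, lowercased path instead of the raw URI, so the query string and non-canonical spellings of the same path do not change which branch is taken. It assumes a BIG-IP version that supports `HTTP::path -normalized` (12.1 or later); the log line is an addition for visibility into blocked requests.

```tcl
when HTTP_REQUEST {
    # Redirect the bare root, as in the thread's rule.
    if { [HTTP::uri] eq "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
        return
    }

    # HTTP::path excludes the query string, which is what
    # getfield [HTTP::uri] "?" 1 was used for in the thread.
    # Assumption: -normalized is available (BIG-IP 12.1+), so the
    # path is canonicalised before it is compared against prefixes.
    set path [string tolower [HTTP::path -normalized]]

    # First match wins, so the most specific prefix comes first.
    switch -glob -- $path {
        "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail*" {
            # Added for visibility; not in the thread's rule.
            log local0. "sendemail request rejected from [IP::client_addr]"
            reject
        }
        "/mrj*" -
        "/web*" -
        "/htmlb*" { pool pool-A }
        "/abc*"   { pool pool-B }
        default   { reject }
    }
}
```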

  • Hi Dario,

     

    We have tested it in our customer environment, and it works as expected.

     

    Many thanks for your help!