
iRule for exact resource access rejection

NetWork
Nimbostratus

I would like to know the feasibility of implementing iRules for the scenario below. Kindly suggest whether it is achievable or not.

https://my.domain.com/mrj/home/srt/portal/prtroot/com.dev.net.sendemail >> only requests to this resource should get rejected

https://my.domain.com/mrj/home/srt/portal/prtroot/* >> others should get allowed

4 REPLIES

Hello NetWork.

Yes, it's feasible. Try this:

when HTTP_REQUEST {
    set uri [getfield [HTTP::uri] "?" 2]
    if { $uri ends_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
        reject
    }
}

Regards,
Dario.

Hi Dario,

Thanks a lot for your response!

Below is our existing and working iRule:

when HTTP_REQUEST {
    if { [HTTP::uri] == "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        pool pool-A
    } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        pool pool-B
    } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        reject
    }
}


If we modify it as below, will it work?

when HTTP_REQUEST {
    set uri [getfield [HTTP::uri] "?" 2]

    if { [HTTP::uri] == "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
    } elseif { $uri ends_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
        reject
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        pool pool-A
    } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        pool pool-B
    } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        reject
    }
}


Also, can you please help us understand why we need to put "2" in set uri [getfield [HTTP::uri] "?" 2]?

And in case we want to reject anything after sendemail, i.e. /mrj/home/srt/portal/prtroot/com.dev.net.sendemail*, how can that be achieved?


Hello NetWork.

Actually the previous sentence has a mistake. It should be like this.

set uri [getfield [HTTP::uri] "?" 1]

This is used to remove the query parameter of the URI. For example, if you receive something like this:

/mrj/home/srt/portal/prtroot/com.dev.net.sendemail?myuser=john

Taking into account that you need to reject any URI related with

/mrj/home/srt/portal/prtroot/com.dev.net.sendemail*

Then you should use "starts_with" instead of "ends_with", and the sentence before would not be necessary.

Your iRule should be like this:

when HTTP_REQUEST {
    if { [HTTP::uri] == "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
        # Blocked resource: evaluated before the broader "/mrj" match below
        reject
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        pool pool-A
    } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        pool pool-B
    } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        # Catch-all: anything not matched above is rejected
        reject
    }
}

Please, if this was helpful don't forget to mark my answer as 'the best' to help me for the contribution.

Regards,
Dario.
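
As an added example (not part of the thread and not Dario's iRule), the Python model below replays the three variants discussed above against constructed URIs: the rule using getfield field 2, the same rule with field 1, and the final tolower/starts_with rule. It assumes getfield is 1-based and returns an empty string for a missing field; `route`, `compare` and the sample URIs are hypothetical names and values.

```python
# Python model of the iRule operators used in this thread (added example).
BLOCKED = "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail"

def getfield(s, sep, n):
    """Assumed getfield semantics: 1-based field of s split on sep, "" if absent."""
    parts = s.split(sep)
    return parts[n - 1] if 1 <= n <= len(parts) else ""

def route(uri, variant):
    """Return the action the rule chain takes for a request URI.

    "field2": modified rule as first posted (getfield ... 2, ends_with)
    "field1": same rule with the corrected field number 1
    "prefix": final rule (tolower + starts_with on the full URI)
    """
    low = uri.lower()
    if uri == "/":
        return "redirect"
    if variant == "field2" and getfield(uri, "?", 2).endswith(BLOCKED):
        return "reject"
    if variant == "field1" and getfield(uri, "?", 1).endswith(BLOCKED):
        return "reject"
    if variant == "prefix" and low.startswith(BLOCKED):
        return "reject"
    if low.startswith(("/mrj", "/web", "/htmlb")):
        return "pool-A"
    if low.startswith("/abc"):
        return "pool-B"
    return "reject"  # final catch-all branch of the rule

# Constructed sample request URIs (not taken from real traffic)
SAMPLES = [
    BLOCKED,
    BLOCKED + "?myuser=john",
    BLOCKED + "/extra",
    "/MRJ/home/srt/portal/prtroot/com.dev.net.SendEmail",
    "/mrj/home/srt/portal/prtroot/com.dev.net.other",
]

def compare():
    """Map each sample URI to its (field2, field1, prefix) actions."""
    variants = ("field2", "field1", "prefix")
    return {u: tuple(route(u, v) for v in variants) for u in SAMPLES}

if __name__ == "__main__":
    for uri, (f2, f1, pre) in compare().items():
        print(f"{uri:58} field2={f2:7} field1={f1:7} prefix={pre}")
```

Only the final variant rejects the sub-path and mixed-case forms; with ends_with and no tolower, those requests fall through to the case-insensitive "/mrj" branch and reach pool-A.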

NetWork
Nimbostratus

Hi Dario,

We have tested in our customer environment; it works as expected.

Many thanks for your help!