Forum Discussion

kgaigl's avatar
kgaigl
Icon for Cirrocumulus rankCirrocumulus
Dec 15, 2022

IRule to block URL/URI from Data Group

Hello,

we've a VS with about 20 URLs, now I've to block Login-Sites dor the most but not all URL's, for eg:

www.somesite1.org/login

www.somesite2.org/member

www.somesite2.org/login

I'd like to put all the Adresses (about 30-40) in a Data Droup List with strings and reference this List in a IRule with a Respond like "HTTP::respond 403"

Could you help me with a Syntax? Should be Case insensitive.

Thank you

5 Replies

  • here is an example:

    ltm data-group internal example_uri {
    records {
    login { }
    member { }
    }
    type string
    }

    when HTTP_REQUEST {
    if {[matchclass [string tolower [HTTP::uri]] contains example_uri]}{
    HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
    log local0. "deny URI: [HTTP::uri]"
    }
    }

  • kgaigl's avatar
    kgaigl
    Icon for Cirrocumulus rankCirrocumulus

    Hi  mihaic,

    thank you, but I need always the combination of [HTTP::host] and [HTTP::uri], becaus on some hosts the URI "login" should be allowed.

    I guess the Data Group file I can manage, but the Syntax of the combination [HTTP::host] and [HTTP::uri] I'm not shure

  • when HTTP_REQUEST {
    if { ([HTTP::host] == "www.xyz.com") and ([matchclass [string tolower [HTTP::uri]] contains example_uri]) }{
    HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
    log local0. "deny URI: [HTTP::uri]"
    }
    }

  • kgaigl's avatar
    kgaigl
    Icon for Cirrocumulus rankCirrocumulus

    Hi mihaic

    with

    when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::host][HTTP::uri]] equals BLOCK_LOGIN_SITES] } {
    HTTP::respond 403
    }
    }

    it's working

    thank you

  • Hi kgaigl , 

    this should work. Note that I'm not putting URI in lowercase so /login and /LOGIN will require two different matches (they would be two different URLs indeed anyways) 

     

    when HTTP_REQUEST {
     set req "[string tolower [HTTP::host]][HTTP::uri]"
     if {[class match $req eq unallowed_datagroup]}{ HTTP::respond 403 }
    }
    ltm data-group internal unallowed_datagroup {
        records {
            www.somesite1.org/login { }
            www.somesite2.org/member { }
            www.somesite2.org/login { }
        }
        type string
    }