04-Dec-2020 10:13
I need some help with the iRule. The goal is to allow users to access a limited number of URIs from the Internet, but open to all for internal users.
I have created a datagroup that contains the internal subnets, called internal_subnets.
Here's my iRule:
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals internal_subnets] } {
            pool app_80_pool
        }
        switch -glob [HTTP::host] {
            "app.com" {
                pool app_80_pool
            }
        }
        if { [HTTP::uri] starts_with "/foo/combined.js*" or \
             [HTTP::uri] starts_with "/foo/css/*" or \
             [HTTP::uri] starts_with "/foo/desktopreset" or \
             [HTTP::uri] starts_with "/foo/doc/*" or \
             [HTTP::uri] starts_with "/foo/error404.html" or \
             [HTTP::uri] starts_with "/foo/external/*" or \
             [HTTP::uri] starts_with "/foo/favicon.ico" or \
             [HTTP::uri] starts_with "/foo/home.jsf" or \
             [HTTP::uri] starts_with "/foo/images/*" or \
             [HTTP::uri] starts_with "/foo/include/*" or \
             [HTTP::uri] starts_with "/foo/javax.faces.resource/*" or \
             [HTTP::uri] starts_with "/foo/login.jsf" or \
             [HTTP::uri] starts_with "/foo/resources/*" or \
             [HTTP::uri] starts_with "/foo/scripts/*" or \
             [HTTP::uri] starts_with "/foo/ui/*" or \
             [HTTP::uri] starts_with "/foo/user/*" } {
            pool app_80_pool
        } else {
            HTTP::redirect "http://app.com/sorry.html"
        }
    }
Nothing works. What did I do wrong here?
Any help would be appreciated.
04-Dec-2020 11:56
Hi k20,
Can you try this iRule?
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals internal_subnets] } {
            pool app_80_pool
        } else {
            switch -glob [HTTP::uri] {
                "/foo/combined.js*" -
                "/foo/css/*" -
                "/foo/desktopreset" -
                "/foo/doc/*" -
                "/foo/error404.html" -
                "/foo/external/*" -
                "/foo/favicon.ico" -
                "/foo/home.jsf" -
                "/foo/images/*" -
                "/foo/include/*" -
                "/foo/javax.faces.resource/*" -
                "/foo/login.jsf" -
                "/foo/resources/*" -
                "/foo/scripts/*" -
                "/foo/ui/*" -
                "/foo/user/*" -
                "/sorry.html" { pool app_80_pool }
                default { HTTP::redirect "http://app.com/sorry.html" }
            }
        }
    }
04-Dec-2020 13:01
Just tried your suggestion. However, when I go to http://app.com, it takes me to sorry.html, which is not what I want.
04-Dec-2020 13:51
If you want external network clients to have access to app.com/*:
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals internal_subnets] || [HTTP::host] equals "app.com" } {
            pool app_80_pool
        } else {
            switch -glob [HTTP::uri] {
                "/foo/combined.js*" -
                "/foo/css/*" -
                "/foo/desktopreset" -
                "/foo/doc/*" -
                "/foo/error404.html" -
                "/foo/external/*" -
                "/foo/favicon.ico" -
                "/foo/home.jsf" -
                "/foo/images/*" -
                "/foo/include/*" -
                "/foo/javax.faces.resource/*" -
                "/foo/login.jsf" -
                "/foo/resources/*" -
                "/foo/scripts/*" -
                "/foo/ui/*" -
                "/foo/user/*" { pool app_80_pool }
                default { HTTP::redirect "http://app.com/sorry.html" }
            }
        }
    }
04-Dec-2020 14:15
OK, now external users can get to http://app.com, which is great. However, when I type some random URIs other than the ones listed in the iRule, such as:
http://app.com/<some_random_string>
it doesn't redirect to the sorry.html page. I want it to redirect to the sorry.html page if nothing else matches all of the conditions above (i.e. the internal subnets, the homepage and all URIs in that whitelist).
04-Dec-2020 14:24
In the rule below, you may need more URIs in the switch list, for example "index.php".
You should add them in the switch function.
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals internal_subnets] } {
            pool app_80_pool
        } else {
            switch -glob [HTTP::uri] {
                "/" -
                "/sorry.html" -
                "/foo/combined.js*" -
                "/foo/css/*" -
                "/foo/desktopreset" -
                "/foo/doc/*" -
                "/foo/error404.html" -
                "/foo/external/*" -
                "/foo/favicon.ico" -
                "/foo/home.jsf" -
                "/foo/images/*" -
                "/foo/include/*" -
                "/foo/javax.faces.resource/*" -
                "/foo/login.jsf" -
                "/foo/resources/*" -
                "/foo/scripts/*" -
                "/foo/ui/*" -
                "/foo/user/*" { pool app_80_pool }
                default { HTTP::redirect "http://app.com/sorry.html" }
            }
        }
    }
04-Dec-2020 14:35
This new switch entry "/" - seems to break everything. The list of URIs above is inclusive. There shouldn't be any more to add.
04-Dec-2020 22:15 - last edited on 24-Mar-2022 02:13 by li-migration
The above iRule is correct; you can remove the statement which is creating the issue.
If I were in your place, I would try the negative scenario and a short iRule for fun. You can try to use a URI_DB class to add and remove the URIs.
    when HTTP_REQUEST {
        if { !([class match [IP::client_addr] equals internal_subnets]) && ([class match [HTTP::uri] starts_with URI_DB) } {
            HTTP::redirect "http://app.com/sorry.html"
        } else {
            pool app_80_pool
        }
    }
Add all the URIs to URI_DB:
    "/sorry.html"
    "/foo/combined.js*"
    "/foo/css/*"
    "/foo/desktopreset"
Please tune the iRule per your requirements.
Thanks
05-Dec-2020 00:21
I really appreciate your suggestion. If I understand your iRule correctly, our external users will be having trouble getting to those specific URIs inside the URI_DB, which is not what I want. Let me try to explain my end game here.
This is essentially like if you're inside my house, you can use whatever stuff you want. If you're outside, you can only use my bucket and shovel. If you try to borrow something else, I'm sorry. 🙂
I couldn't get the last condition to work.
05-Dec-2020 00:36
Hey @Samir I think you have a good point. Looks like I misread your iRule. It seems to match my goal. Let me try that and will let you know how it goes. Wish me luck.
05-Dec-2020 01:04
Just tried it and no luck. If I go to the home page app.com, it redirects me to the sorry.html. By the way, your script is missing the square bracket at the end of the URI_DB. It seems like an easy one. Oh boy, I couldn't get it to work.
05-Dec-2020 01:38
I have reversed the logic back to the original, but now using a datagroup instead of the "switch -glob", meaning:
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals internal_subnets] || [class match [HTTP::uri] starts_with URI_DB] || [HTTP::host] equals "app.com" } {
            pool app_80_pool
        } else {
            HTTP::redirect "http://app.com/sorry.html"
        }
    }
Now, everything works except the redirect which never works. However, I have just noticed that if I don't use DNS and use IP instead, the redirect works just fine. Can you explain why?
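An offline model of two of the rules in this thread, added here as an example; it is not code from the thread or from F5, and it only mirrors the control flow of the iRules so the policy can be checked before it is deployed. It assumes a constructed internal_subnets data group of 10.0.0.0/8 and 192.168.0.0/16, and a constructed address 198.51.100.7 as the value HTTP::host carries when the site is opened by IP instead of by name. It covers the first post's rule (why "nothing works": selecting a pool does not end the HTTP_REQUEST event, so the trailing if/else always runs and its redirect overrides the pool; and starts_with compares the "*" literally, so "/foo/css/*" never matches a real stylesheet path) and the last post's rule (why the redirect only fires when the site is opened by IP: every request made via the DNS name carries Host: app.com, which alone satisfies the pool condition). It also shows that entries of a string data group used with class match ... starts_with are literal prefixes, so they should be stored without the trailing "*".

```python
# Added example: offline model of the routing decisions of two iRules in this
# thread (first post and last post). Not code from the thread or from F5.
# Assumptions (constructed for this example): the address data group
# 'internal_subnets' holds 10.0.0.0/8 and 192.168.0.0/16; 198.51.100.7 stands
# in for the Host header seen when the site is opened by IP.
import fnmatch
import ipaddress

INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# The whitelist exactly as it appears in the thread's switch -glob block.
URI_PATTERNS = [
    "/foo/combined.js*", "/foo/css/*", "/foo/desktopreset", "/foo/doc/*",
    "/foo/error404.html", "/foo/external/*", "/foo/favicon.ico", "/foo/home.jsf",
    "/foo/images/*", "/foo/include/*", "/foo/javax.faces.resource/*",
    "/foo/login.jsf", "/foo/resources/*", "/foo/scripts/*", "/foo/ui/*", "/foo/user/*",
]
# What the same list should look like as string data-group entries for
# 'class match ... starts_with': plain prefixes, no glob characters.
URI_DB_PREFIXES = [p.rstrip("*") for p in URI_PATTERNS]

POOL = "pool app_80_pool"
SORRY = 'HTTP::redirect "http://app.com/sorry.html"'


def is_internal(client_addr):
    """[class match [IP::client_addr] equals internal_subnets]: an address data
    group matches when the client IP lies inside one of its subnets."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in net for net in INTERNAL_SUBNETS)


def uri_matches_glob(uri, patterns=URI_PATTERNS):
    """switch -glob [HTTP::uri] {...}: Tcl string-match globs, modelled with
    fnmatch, so '*' is a wildcard here."""
    return any(fnmatch.fnmatchcase(uri, p) for p in patterns)


def uri_starts_with_any(uri, prefixes):
    """The starts_with operator and [class match [HTTP::uri] starts_with DB]
    are literal comparisons: a prefix '/foo/css/*' needs a real '*' in the
    request URI and never matches '/foo/css/site.css'."""
    return any(uri.startswith(p) for p in prefixes)


def original_rule(client_addr, host, uri):
    """Control flow of the first rule in the thread. Choosing a pool does not
    stop the event, so the final if/else always runs and its redirect wins
    over any pool selected earlier."""
    selected = None
    if is_internal(client_addr):
        selected = POOL            # overwritten below, never decisive
    if host == "app.com":
        selected = POOL            # likewise
    if uri_starts_with_any(uri, URI_PATTERNS):   # literal '*' in the patterns
        selected = POOL
    else:
        selected = SORRY           # HTTP::redirect answers the request at once
    return selected


def final_rule(client_addr, host, uri, uri_db=URI_PATTERNS):
    """Control flow of the last rule in the thread: internal client, or URI in
    URI_DB, or Host equal to app.com goes to the pool; anything else is
    redirected. A request made via the DNS name always carries Host: app.com,
    so the redirect branch is reachable only when the site is opened by IP."""
    if is_internal(client_addr) or uri_starts_with_any(uri, uri_db) or host == "app.com":
        return POOL
    return SORRY


def main():
    cases = [
        ("10.1.2.3", "app.com", "/"),                       # internal user, home page
        ("203.0.113.5", "app.com", "/foo/css/site.css"),    # external, whitelisted directory
        ("203.0.113.5", "app.com", "/random"),              # external, via DNS name
        ("203.0.113.5", "198.51.100.7", "/random"),         # external, via IP address
    ]
    for addr, host, uri in cases:
        print(f"client={addr:<12} Host={host:<13} uri={uri:<18} "
              f"first rule -> {original_rule(addr, host, uri)} | "
              f"last rule -> {final_rule(addr, host, uri)}")


if __name__ == "__main__":
    main()
```

Running the script prints one line per constructed request; the two columns show that the first rule redirects even the internal user's home-page request, while the last rule never redirects a request whose Host header is app.com.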