URI load balancing, rewriting, and security oh my!

Question

What I attempted to do with this first iRule was ensure that only server subnets could connect to a few URI's that would then load balance the traffic out. The second statement was intended to be a "if the criteria isn't matched in the first statement, check against this." That action would be to allow all subnets access to a URI that would have it's URI rewritten and then sent to a pool. Finally, if the incoming request is not matched, I send some HTML informing the user that they aren't permitted to access whatever site they are requesting.&nbsp;
 &nbsp;
when HTTP_REQUEST {&nbsp;
  if {[matchclass [IP::client_addr] equals allowed_networks] }{&nbsp;
      switch -glob [string tolower [HTTP::host][HTTP::uri]] {&nbsp;
         "*/uri1" { pool uri1-1234_pool }&nbsp;
         "*/uri2" { pool uri2-1234_pool }&nbsp;
      }&nbsp;
  }&nbsp;
  elseif {[HTTP::uri] starts_with "/uri3"}{&nbsp;
      HTTP::uri "/blah/uri3"&nbsp;
         pool uri3-5678_pool&nbsp;
  }&nbsp;
  else {&nbsp;
            log local0. "[IP::remote_addr] attempted to access [HTTP::uri]"&nbsp;
            (etc, etc)&nbsp;
  }&nbsp;
}&nbsp;
Getting to /uri3 worked all fine and dandy when I tested from my desktop, but if a server within the allowed_networks attempted to go to /uri3, it was receiving a TCP reset. It seems like the logic was matching the IP and then if the requested URI was outside of what is switched, it stops communication rather than continuing down the iRule to match the next item. Is it true that once one condition is met, that command set has to have an outcome otherwise the traffic will be dropped? When I went to a user meetup, I seem to recall the F5 rep talking about the differences between switch and if + elseif being switch sends traffic out once it has a match but an iRule written with if/elseif must parse the whole rule before sending the traffic off.&nbsp;
 &nbsp;
I ended up swapping the placement of the two statements and was able to get the expected outcome, it just seems confusing to me why it would stop after the first 'if' when the rest of the iRule had not yet been executed as was expected.&nbsp;
As a theoretical scenario, it seems ineffecient to me that you would have to write an iRule like this...&nbsp;
when HTTP_REQUEST {&nbsp;
  if {[matchclass [IP::client_addr] equals network_A] }{&nbsp;
      switch -glob [string tolower [HTTP::host][HTTP::uri]] {&nbsp;
         "*/uri1" { pool uri1-1234_pool }&nbsp;
         "*/uri2" { pool uri2-1234_pool }&nbsp;
         "*/uri3" { pool uri3-3456_pool }&nbsp;
         "*/uri4" { pool uri4-3456_pool }&nbsp;
      }&nbsp;
  }&nbsp;
  elseif {[matchclass [IP::client_addr] equals network_B] }{&nbsp;
      switch -glob [string tolower [HTTP::host][HTTP::uri]] {&nbsp;
         "*/uri3" { pool uri3-3456_pool }&nbsp;
         "*/uri4" { pool uri4-3456_pool }&nbsp;
      }&nbsp;
  }&nbsp;
  else {&nbsp;
            log local0. "[IP::remote_addr] attempted to access [HTTP::uri]"&nbsp;
            (etc, etc)&nbsp;
  }&nbsp;
}&nbsp;
...When you could write it with a few less lines like this:&nbsp;
 &nbsp;
when HTTP_REQUEST {&nbsp;
  if {[matchclass [IP::client_addr] equals network_A_and_B] }{&nbsp;
      switch -glob [string tolower [HTTP::host][HTTP::uri]] {&nbsp;
         "*/uri3" { pool uri3-3456_pool }&nbsp;
         "*/uri4" { pool uri4-3456_pool }&nbsp;
      }&nbsp;
  }&nbsp;
  elseif {[matchclass [IP::client_addr] equals network_A] }{&nbsp;
      switch -glob [string tolower [HTTP::host][HTTP::uri]] {&nbsp;
         "*/uri1" { pool uri1-1234_pool }&nbsp;
         "*/uri2" { pool uri2-1234_pool }&nbsp;
      }&nbsp;
  }&nbsp;
  else {&nbsp;
            log local0. "[IP::remote_addr] attempted to access [HTTP::uri]"&nbsp;
            (etc, etc)&nbsp;
  }&nbsp;
}&nbsp;
(Assuming what I found to be true, there is no possible way this final iRule would ever work as intended because in it's current form, you could never get to uri1 or 2 from network_A. If you swapped the placement of the statements, then uri3 and 4 would never work because of the same implicit "TCP reset")&nbsp;
Edit: Cleaned up iRules, missing a couple brackets.&nbsp;
 &nbsp;

what_lies_bene1 · Answer

Can you not just add */uri3 to the first section of the first irule you've listed?

ngaze_66812 · Answer

No, because the first section is limiting access through a matchclass, which in turn is referencing a list of IP subnets.

what_lies_bene1 · Answer

That's doesn't stop you from adding /uri3 to the first section although you'll have to keep that second section for /uri3 also. As I think you have, you could switch the first and second sections around and that should do the trick. To make it slightly more efficient you could also end both sections with a 'return' command to stop further processing of the iRule (if you switch them around) once a match is found.

mohamed_lrhazi · Answer

Is it true that once one condition is met, that command set has to have an outcome otherwise the traffic will be dropped?  
&nbsp; No. Where did you read that? in an iRule does not make any decision about traffic, the virtual server config will decide. 
&nbsp;  
&nbsp; I did not give your problem much thought... but why not use "if" instead of "elseif" ?

Forum Discussion

URI load balancing, rewriting, and security oh my!

4 Replies

Recent Discussions

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Pricing when used with aws waf

Related Content

Using ChatGPT for security and introduction of AI security

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Auditing Security Policy Updates

HTTP Multipart and Security Implications

Using Distributed Application Security Policies in Secure Multicloud Networking Customer Edge Sites