Forum Discussion

cgwin12
Apr 25, 2024

Need help on i-rule to specific uri path

Hello All,


I'm working on an i-rule that needs to do the following: given a set of specific source IP addresses, only allow access to specific URIs of /ws/rest/external*.


I set the specific source addresses in a data group, referencing the data group. When I apply this i-rule to the virtual server, on testing I get an Insecure HTTPS message. I am on version 15.8.1.2. We plan to upgrade to most stable release on 16 soon. 


Any suggestions on what I can do with the i-rule posted below? Thanks in advance.

when CLIENT_ACCEPTED {
    # Pick the pool up front for sources listed in the Boomi_external data group
    if { [class match [IP::client_addr] equals Boomi_external] } {
        pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
    }
}

when HTTP_REQUEST {
    if { ![HTTP::has_responded] } {
        if { [HTTP::host] equals "apigway-d.lanl.gov" } {
            # starts_with is a literal prefix test, so the trailing "*" is compared as a character
            if { [HTTP::uri] starts_with "/ws/rest/external*" } {
                pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
            } else {
                reject
            }
            return
        }
    }
}


2 Replies

  • Try below

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/ws/rest/external*" {
                if { [class match [IP::client_addr] equals Boomi_external] } {
                    pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
                } else {
                    reject
                }
            }
            default {
                drop
            }
        }
    }

  • The insecure HTTPS message is very unlikely to have been caused by your iRule - most likely it is because the server IP/name you are going to in order to reach the Virtual Server does not match the CN in the SSL certificate returned by the pool member.


    Regarding the iRule: I strongly suggest using [HTTP::uri -normalized] to ensure that your iRule cannot be bypassed by encoding slashes or other bypasses (e.g. //, //./, %2F etc.) (everyone should be doing this, really!). Other than that, Sanjay's rule above should be more efficient.
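    The two replies combined into one rule, as an added example that is not code from either poster: the switch-based structure from the first reply with the URI normalized before the glob match, as the second reply recommends. The data group name Boomi_external and the pool name are taken from the question; the assumption is that this virtual server should serve nothing but the /ws/rest/external path, since the default branch drops everything else.

```tcl
when HTTP_REQUEST {
    # Normalize first so encoded or doubled slashes (%2F, //, /./) cannot slip past
    # the prefix match, then lower-case so the glob comparison is case-insensitive.
    set uri [string tolower [HTTP::uri -normalized]]

    switch -glob -- $uri {
        "/ws/rest/external*" {
            # Only sources listed in the Boomi_external data group may reach this path.
            if { [class match [IP::client_addr] equals Boomi_external] } {
                pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
            } else {
                # Source is not on the allow-list: send a reset rather than serving anything.
                reject
            }
        }
        default {
            # Any other path is not served by this virtual server (assumed intent).
            # Use "reject" instead of "drop" if clients should see a reset rather than a silent timeout.
            drop
        }
    }
}
```

    Because the normalized URI is computed once and stored, the same value is what the glob sees and what any later logging or pool selection would use, so there is no window where a raw and a normalized form are compared inconsistently. If other paths on the same virtual server must keep working, replace the default branch's drop with the pool selection those paths already use rather than discarding them.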