
Block from Certain URI Access with irule.

Hello All,

Please help me to write an iRule for the following requirements. I have two accessible URLs on a VIP (https://ip:address/#/login and https://ip:address/#/ologin) and want to block access from https://ip:address/#/ologin.

Are there other ways to block URL access besides an iRule?

I tried many rules similar to the one below, but they didn't work for me.

when HTTP_REQUEST { 
  if { [string tolower [HTTP::uri]] starts_with "/ologin" } { 
    HTTP::respond 404 noserver
    return 
  } 
}

Thanks

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can block access using an LTM policy. This has rules in which you select URIs etc and is more performant than an iRule.

Regarding your iRule, you seem to have used starts_with but the URI doesn't start with /ologin, it starts with /#/. Maybe use equals or ends_with instead:

when HTTP_REQUEST { 
  if { [string tolower [HTTP::uri]] equals "/#/ologin" } { 
    HTTP::respond 404 noserver
    return 
  } 
}

You can also use HTTP::path which may be a bit more accurate as it doesn't contain the query string.

0
Comments on this Answer
Comment made 19-Sep-2018 by minphonemyatthu 1

Hi Pete

Thanks for your help. Unfortunately, the rule still does not work for me even though I changed [HTTP::uri] to [HTTP:path] and equals to ends_with.

I also tried an LTM policy with the settings in the captures below; the policy isn't working either.

Image Text

Image Text

Please point out what is wrong in my configuration.

Thanks In Advance

0
Comment made 20-Sep-2018 by Pete White

OK, it seems that we are working blind here - how about if we add some logs to show us what is happening and allow us to fix it? Try this:

when HTTP_REQUEST { 
    log local0. "[IP::client_addr]: URI:[HTTP::uri] Path: [HTTP::path]" 
    if { [string tolower [HTTP::uri]] equals "/#/ologin" } { 
        log local0. "[IP::client_addr]: URI [HTTP::uri] matched "
        HTTP::respond 404 noserver
        return 
    } else {
        log local0. "[IP::client_addr]: URI [HTTP::uri] NOT matched "        
    }
}

And post the output of tailf /var/log/ltm

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I guess this is a web service and you don’t try with a browser!

If you try with a browser, the string after # is not sent to the server!

0
Comments on this Answer
Comment made 19-Sep-2018 by minphonemyatthu 1

Hi Stanislas Piron,

Please let me ask some questions.

Do you mean that an iRule that includes "#" will have no effect on the virtual server when accessed from a browser?

Is there a possible way to block the string after # from F5?

Thanks. Any help will be greatly appreciated.

0
Comment made 20-Sep-2018 by Pete White

What Stanislas is saying is that within a browser, having a # in the URI normally denotes an anchor, i.e. www.example.com/test/#anchor1. In this case, the URI is actually /test/ and the #anchor1 says that the browser should scroll down the page and go to the anchor1 tag (<a id='anchor1'>). This is often used within JavaScript because it can detect the presence and use it to move to an area in the page without having to reload the whole page.

It's not easy to see exactly what is happening in your case so we probably need more logs to work out what is going on. First we see what is happening, then create an iRule, then create an LTM policy.

0
Comment made 20-Sep-2018 by minphonemyatthu 1

Hello Pete,

What kinds of logs do you want to see?

I really appreciate your comment.

0
Comment made 20-Sep-2018 by Pete White

I want to see what the URI and path are actually being set to and whether they are matched. Look at the iRule that I have added, it includes the log statements.

0
Comment made 20-Sep-2018 by minphonemyatthu 1

Hello Pete,

Good evening

I would like to show the log output from your rule. Please see it.

[Thu Sep 20 17:10:03.195 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/ Path: /

[Thu Sep 20 17:10:03.195 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI / NOT matched

[Thu Sep 20 17:10:03.204 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/assets/base.css Path: /assets/base.css

[Thu Sep 20 17:10:03.204 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /assets/base.css NOT matched

[Thu Sep 20 17:10:03.204 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/main.e23048682f8ccc987587.bundle.js Path: /main.e23048682f8ccc987587.bundle.js

[Thu Sep 20 17:10:03.204 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /main.e23048682f8ccc987587.bundle.js NOT matched

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/inline.3246bff3145903a33876.bundle.js Path: /inline.3246bff3145903a33876.bundle.js

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/assets/busy.css Path: /assets/busy.css

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /inline.3246bff3145903a33876.bundle.js NOT matched

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /assets/busy.css NOT matched

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/polyfills.c4a944aa9b41b15ecf87.bundle.js Path: /polyfills.c4a944aa9b41b15ecf87.bundle.js

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /polyfills.c4a944aa9b41b15ecf87.bundle.js NOT matched

[Thu Sep 20 17:10:03.211 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/styles.d41d8cd98f00b204e980.bundle.css Path: /styles.d41d8cd98f00b204e980.bundle.css

[Thu Sep 20 17:10:03.219 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /styles.d41d8cd98f00b204e980.bundle.css NOT matched

[Thu Sep 20 17:10:03.219 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/vendor.66425f9b1ab04758dd57.bundle.js Path: /vendor.66425f9b1ab04758dd57.bundle.js

[Thu Sep 20 17:10:03.219 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /vendor.66425f9b1ab04758dd57.bundle.js NOT matched

[Thu Sep 20 17:10:03.219 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/assets/img/bg_outline.png Path: /assets/img/bg_outline.png

[Thu Sep 20 17:10:03.219 2018] Sep 20 17:07:03 secpro-f5lb01 info tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /assets/img/bg_outline.png NOT matched

[Thu Sep 20 17:10:03.219 2018] Sep 20 17:07:04 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/session/getAnnouncement Path: /session/getAnnouncement

[Thu Sep 20 17:10:03.226 2018] Sep 20 17:07:04 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /session/getAnnouncement NOT matched

[Thu Sep 20 17:10:03.226 2018] Sep 20 17:07:04 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/favicon.ico Path: /favicon.ico

[Thu Sep 20 17:10:03.226 2018] Sep 20 17:07:04 secpro-f5lb01 info tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI /favicon.ico NOT matched

Thanks

Please let me know if you need more.

0
Comment made 20-Sep-2018 by Stanislas Piron 10481

So, the request never contains # and the following string...

0
Comment made 20-Sep-2018 by Pete White

So was the URL that you initially tried to go to https://ip:address/#/ologin ?

Maybe you can test it with just a curl command to see just the one request.

0
Comment made 20-Sep-2018 by minphonemyatthu 1

Hello Pete,

Yes, the URL that I initially tried to go to is https://ip:address/#/ologin.

Also, the curl command gives the same output.


Thanks

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I'm pretty sure '#' is not a valid character for URI paths which is why, as Stanislas Piron mentioned, anything after the '#' is not sent to the server.

0
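
The behaviour the thread arrives at, as an added example that is not part of any post: it computes the request target a client actually sends for each URL and runs the thread's iRule conditions against it, then checks lines from the posted log for a `#`. The address 192.0.2.10 is a constructed placeholder, and the `ends_with` operand is an assumption because the thread does not quote it.

```javascript
// Added example. 192.0.2.10 is a constructed documentation address.

// Request target a client sends for a URL: path + query only.
// The fragment (#...) stays in the client and is never transmitted.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Conditions from the thread as predicates on [HTTP::uri].
// The ends_with operand is an assumption; the thread does not quote it.
const conditions = {
  'starts_with "/ologin"': (uri) => uri.toLowerCase().startsWith("/ologin"),
  'equals "/#/ologin"': (uri) => uri.toLowerCase() === "/#/ologin",
  'ends_with "/ologin"': (uri) => uri.toLowerCase().endsWith("/ologin"),
};

// Which conditions would fire for a URL typed into a browser or curl.
function evaluate(url) {
  const target = requestTarget(url);
  const matched = Object.keys(conditions).filter((name) => conditions[name](target));
  return { target, matched };
}

// Pull the logged URIs out of /var/log/ltm lines written by the logging iRule.
function urisFromLog(text) {
  const uris = [];
  for (const line of text.split("\n")) {
    const m = line.match(/URI:(\S+) Path: (\S+)/);
    if (m) uris.push(m[1]);
  }
  return uris;
}

// Three lines taken from the log output posted in the thread (timestamps trimmed).
const sampleLog = [
  "tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/ Path: /",
  "tmm[10301]: Rule /Common/BLOCK : 10.10.10.11: URI / NOT matched",
  "tmm1[10301]: Rule /Common/BLOCK : 10.10.10.11: URI:/session/getAnnouncement Path: /session/getAnnouncement",
].join("\n");

for (const url of ["https://192.0.2.10/#/login", "https://192.0.2.10/#/ologin", "https://192.0.2.10/ologin"]) {
  const r = evaluate(url);
  console.log(url, "->", JSON.stringify(r.target), "matched:", r.matched);
}
console.log("URIs with '#':", urisFromLog(sampleLog).filter((u) => u.includes("#")));
```

Both `/#/login` and `/#/ologin` reach the virtual server as `/`, so a rule or LTM policy can only key on requests that actually arrive, such as whatever the page requests after it loads; the thread does not show which requests those are for the ologin route.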