iRule for URL limit

Hi, I have a host "http://ocean.jiedaibao.com.cn" load balanced through F5 LTM, but I do not want this URL "http://ocean.jiedaibao.com.cn/admin/system/login/?redirect=/admin" to go through F5 LTM. URLs containing "login" need to be limited. Who can give me an iRule to do this?

Thanks!!


Answers to this Question

when HTTP_REQUEST {
    if {[string tolower [HTTP::query]] contains "redirect=/admin"} {
        HTTP::respond 404
    }
}
0
Comments on this Answer
Comment made 26-Apr-2016 by Pete White
Note that this specifically checks for redirect=/admin rather than just admin. I'm sure you can see how to change it if required. As you can see, it performs a 404 but you can decide what else you want to do - redirect, send content, etc
0
Comment made 26-Apr-2016 by yuanqiang 378
@pete white your answer solved my question, thank you!
0
Comment made 26-Apr-2016 by yuanqiang 378
@Pete, @theo, the same question: my customer wants to allow the office network to visit the URL "http://ocean.jiedaibao.com.cn/admin/system/login/?redirect=/admin". The office network IPs are "114.242.234.225-114.242.234.254, 36.110.61.97-36.110.61.110"; other IPs need to be limited. How should I change the iRules that you gave?
0
Comment made 27-Apr-2016 by Pete White
This is a common issue - it is often dealt with by using a datagroup within the F5. You add networks/hosts that you want to allow access to the URL to the datagroup. In this example the name of the datagroup is set in the RULE_INIT event. Added as a new answer to allow me to format the iRule correctly.
-1

If by limited you mean rejected:

when HTTP_REQUEST {
    if { [HTTP::uri] contains "login" } {
        HTTP::close
    }
}
0
Comments on this Answer
Comment made 26-Apr-2016 by yuanqiang 378
@theo, thank you for your answer, I will try it for this
0

If you want one URI to come to the F5 and another URI to bypass the F5, that's impossible, since a DNS server only gets a host name and the URI is at a different (higher) layer. The best you could do is have the F5 send the traffic from one URI to one pool, and another URI to a different pool, but it still has to traverse the F5.

If your meaning is different, please describe more clearly.

0

Updated to include checking of source IP address:

when RULE_INIT {
    set static::admin_datagroup "admin_datagroup"
}
when HTTP_REQUEST {
    if {[string tolower [HTTP::query]] contains "redirect=/admin"} {
        if { ! [class match [IP::client_addr] equals $static::admin_datagroup] } {
            HTTP::respond 404
        }
    }
}
0
Comments on this Answer
Comment made 27-Apr-2016 by Manjunath Murugan 0
Nice one White ... Thank you ...
0
Comment made 27-Apr-2016 by yuanqiang 378
@pete white, thank you
0
Comment made 27-Apr-2016 by Jie 2038
Be careful when you use the iRule for the purpose of enforcing an ACL, for in this case, the query string can be encoded.
0

You can replace the condition

[string tolower [HTTP::query]] contains "redirect=/admin"

with the following (this will search for the redirect parameter in the query string and filter on the parameter value):

[string tolower [URI::query [HTTP::uri] redirect]] starts_with "/admin"

or

[string tolower [URI::query [HTTP::uri] redirect]] equals "/admin"

One other recommendation is to filter on HTTP::path instead of HTTP::uri if the login string is in the path part of the URI.

The final iRule can be:

when RULE_INIT {
    set static::admin_datagroup "admin_datagroup"
}
when HTTP_REQUEST {
    if {([HTTP::path] ends_with "/login/") && ([string tolower [URI::query [HTTP::uri] redirect]] starts_with "/admin") && ! [class match [IP::client_addr] equals $static::admin_datagroup]} {
        HTTP::respond 404
    }
}
0
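Following up on the comment above that the query string can be encoded, here is one way to apply the same restriction to the decoded path and query. This is an added example, not code posted by anyone in this thread. It assumes the `admin_datagroup` address data group from the answers holds the office ranges; `static::max_decode` and its value are hypothetical.

```tcl
# Added example, not from the thread.
when RULE_INIT {
    # Address data group holding the permitted office networks (name taken from the answers)
    set static::admin_datagroup "admin_datagroup"
    # Hypothetical cap on decode passes so nested encodings cannot loop indefinitely
    set static::max_decode 4
}
when HTTP_REQUEST {
    # Clients listed in the data group are never restricted by this rule
    if { [class match [IP::client_addr] equals $static::admin_datagroup] } {
        return
    }

    # Percent-decode path and query until a pass changes nothing,
    # so single and nested encodings compare equal to the plain form
    set path   [HTTP::path]
    set query  [HTTP::query]
    set stable 0
    for {set i 0} {$i < $static::max_decode} {incr i} {
        set p [URI::decode $path]
        set q [URI::decode $query]
        if { ($p eq $path) && ($q eq $query) } {
            set stable 1
            break
        }
        set path  $p
        set query $q
    }

    # A value that did not settle within the cap is refused rather than matched
    if { !$stable } {
        HTTP::respond 404
        return
    }

    # Same conditions as the answers above, evaluated on decoded, lower-cased values
    set path  [string tolower $path]
    set query [string tolower $query]
    if { ($path ends_with "/login/") && ($query contains "redirect=/admin") } {
        HTTP::respond 404
    }
}
```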