Forum Discussion

Michael_A__Fied
May 21, 2010

iRule using URI classes to restrict access

(version 9.4.7) I have been restricting access to certain pools via the following iRule statement:

# Send trusted source IPs requesting a listed path to the protected pool; everyone else to the public pool.
if { [matchclass [IP::client_addr] equals $::TrustedIPs] and [matchclass [HTTP::path] starts_with $::SomeURIs] } {
    pool secure_pool
    return
} else {
    pool public_pool
    return
}
The SomeURIs class contains elements like "/foo" and "/bar". It seems like when I use a double slash, i.e. "http://myvirtualip//foo" the iRule statement doesn't come into effect. Thoughts, considerations?

4 Replies

  • Posted By Michael Yates on 05/21/2010 03:04 PM

    The [HTTP::path] starts at the first "/" so you will either have to account for it in your matchclass or add to your iRule to look for it and remove it.

    HTTP::uri [string map {"//" "/"} [HTTP::uri]]

    Wiki Entry for [HTTP::path] - http://devcentral.f5.com/wiki/default.aspx/iRules/http__path.html

    Awesome, thanks, I'll test that later.

    Is there any major advantage to performing the string map replace on the HTTP::uri vs the HTTP::path? We use extensive URIs and probably don't need to evaluate all the params in them.
  • Even more importantly, what about replacing any amount of slashes with a single one? How can I string map look for a series of slashes and replace them with only one?
  • string map can't recursively perform substitutions:

    http://www.tcl.tk/man/tcl8.4/TclCmd/string.htmM34

    string is only iterated over once, so earlier key replacements will have no effect for later key matches.

    You could either loop string map while there aren't instances of // or you could use regsub to search for //+ and replace it with /. However, if you're trying to handle obfuscation techniques, there are many more to account for than multiple forward slashes. As you're whitelisting based on IP address, obfuscation attempts might not be so much of a concern though. See these recent posts for more examples:

    irule based on ip and url
    http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/1171094/afv/topic/Default.aspx1171131

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324

    Aaron
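Putting the two replies together, here is an added example (not code from either poster) of a v9-style iRule that collapses any run of slashes in the path before the whitelist check, so "//foo" and "///foo" are evaluated as "/foo". It uses the regsub approach from Aaron's reply and keeps the class names ($::TrustedIPs, $::SomeURIs) and pool names from the original post; the rewrite is applied to the path only, which is the answer to the uri-vs-path question above, since a string map over the whole HTTP::uri would also rewrite any "//" inside the query string. Only the repeated-slash case is handled; the other obfuscation techniques Aaron alludes to are not covered here.

```tcl
# Added example, not from the thread. v9.4 iRule: normalize repeated slashes in the
# request path, log when a rewrite happened, then apply the original IP + URI check.
when HTTP_REQUEST {
    set orig_path [HTTP::path]
    set path $orig_path

    # regsub with -all replaces every run of two or more slashes in a single call.
    # The trailing variable name is mandatory in Tcl 8.4; the return value is the
    # number of substitutions made (unused here).
    regsub -all {//+} $path "/" path

    if { $path ne $orig_path } {
        # Rewrite only the path portion of the URI. HTTP::path is the prefix of
        # HTTP::uri up to the "?", so everything after it (the query string, if
        # any) is carried over untouched.
        HTTP::uri "${path}[string range [HTTP::uri] [string length $orig_path] end]"
        # Record the normalization so repeated-slash requests are visible in the logs.
        log local0. "normalized path '$orig_path' to '$path' from [IP::client_addr]"
    }

    # Same decision as the original post, but against the normalized path.
    if { [matchclass [IP::client_addr] equals $::TrustedIPs] and [matchclass $path starts_with $::SomeURIs] } {
        pool secure_pool
    } else {
        pool public_pool
    }
}
```

If you prefer the string map route, the loop form Aaron describes is `while { [string match "*//*" $path] } { set path [string map {"//" "/"} $path] }`, which gives the same result as the single regsub because each pass re-examines the text the previous pass produced.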