Error with or operator

Question

Hi,&nbsp;
&nbsp;I'm having issues with this iRule when trying to match multiple strings using the or operator.  Oddly enough I don't get the error in line 2 but I do in line 4.  Can you please tell me how I can accomplish this?&nbsp;&nbsp;
&nbsp;when HTTP_REQUEST { 
&nbsp;   if { ([string tolower [HTTP::uri]] contains "font") &amp;&amp; ([string tolower [HTTP::uri]] ends_with ".eot" || ".ttf") } { 
&nbsp;      log local0. "uri matches font and allowed extensions" 
&nbsp;      if { [string tolower [HTTP::header "Referer"]] contains ".abc.com" || ".xyz.com" || ""} { 
&nbsp;          set referer { [HTTP::header "Referer"] } 
&nbsp;          log local0. "referer variable set to $referer"
&nbsp;      } 
&nbsp;      else { HTTP::respond 403 content "403 - Forbidden" 
&nbsp;      log local0. "403 sent to client" }
&nbsp;      } 
&nbsp; }&nbsp;&nbsp;&nbsp;
&nbsp;Log messages:&nbsp;
&nbsp;Wed Apr 13 15:08:13 EDT 2011 tmm2 tmm2[4964] 01220001 TCL error: font_resource_restriction_403 HTTP_REQUEST - cant use non-numeric string as operand of || while executing if { [string tolower [HTTP::header Referer]] contains .abc.com or .xyz.com } { set referer { [HTTP::header Referer] } log loc... &nbsp;
&nbsp;Wed Apr 13 15:08:13 EDT 2011 tmm2 tmm2[4964] Rule font_resource_restriction_403 HTTP_REQUEST: uri matches font and allowed extensions &nbsp;&nbsp;
&nbsp;Thanks,
&nbsp;-Myles

minn_62043 · Answer

It's because of the empty string at the end of the "if" expression. You can try to use some other function for checking empty string.

hooleylist · Answer

Hi Myles, 
&nbsp;  
&nbsp; You need to perform the full check against the URI as string tolower doesn't accept multiple strings. 
&nbsp;  
&nbsp;    if { ([string tolower [HTTP::uri]] contains "font") &amp;&amp; ([string tolower [HTTP::uri]] ends_with ".eot" || ".ttf") } {  
&nbsp;  
&nbsp; -&gt; 
&nbsp;  
&nbsp;    if { ([string tolower [HTTP::uri]] contains "font") &amp;&amp; ([string tolower [HTTP::uri]] ends_with ".eot" || [string tolower [HTTP::uri]] ends_with ".ttf") } {  
&nbsp;  
&nbsp; If you're doing this many checks on the URI, you should save the lowercase value in a variable: 
&nbsp;  
&nbsp;    set uri [string tolower [HTTP::uri]]  
&nbsp;    if { ( $uri contains "font") &amp;&amp; ($uri ends_with ".eot" || $uri ends_with ".ttf") } {  
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Also note that the Referer header (and any other HTTP header) can easily be spoofed.  So I wouldn't recommend allowing access to sensitive resources based on that. 
&nbsp;  
&nbsp; http://en.wikipedia.org/wiki/Referrer_spoofing 
&nbsp;  
&nbsp; Aaron

mtobkes_64700 · Answer

Thanks all!&nbsp;
 &nbsp;
Here is my updated iRule:&nbsp;

&nbsp;when HTTP_REQUEST { 
&nbsp; set uri [string tolower [HTTP::uri]] 
&nbsp; if { ($uri contains "font") &amp;&amp; ($uri ends_with ".eot" || $uri ends_with ".ttf" || $uri ends_with ".svg" || $uri ends_with ".woff") } { 
&nbsp;  log local0. "uri matches font and allowed extensions"
&nbsp;  set headerstr [string tolower [HTTP::header "Referer"]]
&nbsp;  if { $headerstr contains ".abc.com" || $headerstr contains ".xyz.com" || $headerstr contains ""} {
&nbsp;   set referer { [HTTP::header "Referer"] } 
&nbsp;   log local0. "referer variable set to $referer" 
&nbsp;   set origin { [HTTP::header "Origin"] } 
&nbsp;   log local0. "origin variable set to $origin" 
&nbsp;  } else { HTTP::respond 403 content "403 - Forbidden" 
&nbsp;  log local0. "403 sent to client"
&nbsp;  }
&nbsp; }
&nbsp;}
&nbsp;when HTTP_RESPONSE { 
&nbsp; if { [$origin exists] } { 
&nbsp;  HTTP::header insert Access-Control-Allow-Origin [$origin] 
&nbsp; } 
&nbsp;}&nbsp;&nbsp;
&nbsp;If not the referer, what other option is there since referer is easily spoofed?  I am using the origin header in my responses but it is not always present in requests.&nbsp;&nbsp;
&nbsp;Thanks again for all your help!&nbsp;&nbsp;
&nbsp;Myles&nbsp;

hooleylist · Answer

Hi Myles, 
&nbsp;  
&nbsp; Does a legitimate client need to authenticate with the application in order to access these URIs?  If so, you could look for a successful authentication and use the applications session cookie (or generate your own in the iRule) as a way to restrict access.  If the application doesn't require a login, then what's the logic for who you want to allow and who you want to block? 
&nbsp;  
&nbsp; Also, your HTTP_RESPONSE code doesn't look valid.  $origin exists isn't a valid iRule command.  So I expect that would generate a runtime TCL error.  And inserting an HTTP header in a response won't change the client's behavior.  ie, it would trigger the client to include that header in a subsequent request.  If you want to do something like that you could set a cookie in the response using HTTP::cookie insert. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Error with or operator

5 Replies

Recent Discussions

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Can iRule mask the payload content on event logs of security

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

2. SYN Cookie: Operation

Security Operations Center - Helpers Behind the Scenes

Insights of F5 Distributed Cloud WAAP Events Export, New Operators and Trends features

A look on APT operations and using F5 BIG-IP features for mitigation

Understanding GTM Wide IP Operations