Forum Discussion

jaskel_40663
Apr 29, 2008

Block specific URI

I have a need to block a specific uri as well as insert the client IP address into the HTTP header. I have the HTTP header insertion iRule and it works well:

    when HTTP_REQUEST {
        while {[HTTP::header exists "Client-IP"]} {
            HTTP::header remove "Client-IP"
        }
        HTTP::header insert "Client-IP" [IP::client_addr]
    }

My question is this: Can I add another iRule that has a 'when HTTP_REQUEST' directive to block a uri with specific text in it, to the VS, or should I just incorporate it into the above rule?

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "server-status"} {
            HTTP::respond 200 content "Error"
        }
        while {[HTTP::header exists "Client-IP"]} {
            HTTP::header remove "Client-IP"
        }
        HTTP::header insert "Client-IP" [IP::client_addr]
    }

It seems to me that this might still fall through to the while statement, plus, since I use the header insertion in many VSs, perhaps another iRule for specific VSs to block the uri would be better?

I appreciate any and all comments! Thanks so much.

-Jas

4 Replies

  • You can do it in one or two iRules, it really depends on if you want to reuse them in other places. If all this logic is on one virtual, then a single iRule might be easier to maintain. But if you will want to enable/disable one of the two functions then you might want to split them apart.

    If you use two iRules, make sure you assign the events the correct priority so that they will be processed in the order you specify. See the priority command in the iRules wiki for more details.

    -Joe
  • Thanks! I had to make the header insert a higher priority to avoid these errors:

    Apr 29 11:47:36 tmm tmm[17686]: 01220001:3: TCL error: Rule client-ip-insert - Operation not supported (line 1) invoked from within "HTTP::header insert "Client-IP" [IP::client_addr]"

    Apr 29 11:47:57 tmm tmm[17686]: 01220001:3: TCL error: Rule client-ip-insert - Operation not supported (line 7) invoked from within "HTTP::header insert "Client-IP" [IP::client_addr]"

    But it works perfectly. Thanks again!

    -Jas
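
The two-iRule arrangement discussed in the replies above, written out as an added example (not code posted in the thread). The rule name `client-ip-insert` comes from the log lines; the name `block-server-status` and the priority values 100 and 900 are assumptions chosen for illustration.

```tcl
# ---- iRule 1: client-ip-insert (name from the log lines above) ----
# Lower priority numbers run first; an iRule without a priority
# statement runs at the default of 500. This rule must finish before
# any rule that answers the request itself.
priority 100

when HTTP_REQUEST {
    # Remove every Client-IP header the client sent, so the only value
    # the pool member sees is the one inserted below
    while {[HTTP::header exists "Client-IP"]} {
        HTTP::header remove "Client-IP"
    }
    # Insert the source address of the client connection
    HTTP::header insert "Client-IP" [IP::client_addr]
}

# ---- iRule 2: block-server-status (hypothetical name) ----
# Runs after the header rule. Once HTTP::respond has been called the
# request can no longer be modified, which is what produced the
# "Operation not supported" errors when the order was reversed.
priority 900

when HTTP_REQUEST {
    if {[HTTP::uri] contains "server-status"} {
        # Record the blocked request before answering it
        log local0. "Blocked [HTTP::uri] from [IP::client_addr]"
        # Answer from the BIG-IP; the request never reaches the pool
        HTTP::respond 200 content "Error"
        return
    }
}
```

Each section is saved as its own iRule; only virtual servers that need the URI block get the second one attached.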

     

     

     

  • I think you're getting the TCL error because you've already issued a redirect from one rule and then are trying to insert a header in the request. If you do combine the rules, you could add them to an if/else block and eliminate this error:

    when HTTP_REQUEST {
        # Respond to requests for server-status
        if {[HTTP::uri] contains "server-status"} {
            # Send HTTP 200 response
            HTTP::respond 200 content "Error"
        } else {
            # Remove existing Client-IP headers
            while {[HTTP::header exists "Client-IP"]} {
                HTTP::header remove "Client-IP"
            }
            # Insert the original client IP address in the Client-IP header
            HTTP::header insert "Client-IP" [IP::client_addr]
        }
    }

    Aaron
  • Why aren't you using the X-Forwarded-For header (normally used to get Client-IP to the Server)?

    This is used in the HTTP Profile you selected on your Virtual.

    X-Forwarded-For can be examined by all web servers I know.

    Regards

    Wiesmann