Forum Discussion

jkstraw_44238's avatar
jkstraw_44238
Icon for Nimbostratus rankNimbostratus
Jun 18, 2008

regex in iRules

Hello,

Please be patient with me - I am not the iRule guy on our team 🙂

We are using iRules primarily for redirecting URI's to specific pools - we do this with something similar to: 

 
 when HTTP_REQUEST { 
   switch -glob [string tolower [HTTP::uri]] { 
     "/site1*" - 
     "/site2*" - 
     "/site3*" - 
     "/site4*" { 
       pool Test_Pool 
     } 
   } 
 }

We have found that in our environment there are a number of security related issues (mainly fingerprinting) we need to address.

I would like to follow the philosophy of "block everything and allow only what is required" instead of being reactive and "allowing everything and blocking what problems as they occur".

To accomplish this I was hoping it would be possible to use regular expressions to accomplish this. That is - the regular expression would only allow "/site1*" but not "//site1*".

Is something like this possible with iRules?

application delivery
dev
devops
iRules

1 Reply

Sort By
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Jun 18, 2008
    The answer to your question is yes, you can use regex's when needed. This can be done with the regexp command or the -regex option for switch. But, with that being said, I would highly suggest trying to find alternate ways to do things like this without full blown regular expressions.

    Your example of allowing "/site1*" but not "//site1*" is actually what your iRule above is doing. You are specifying to start a string with "/site1" and allow anything after that initial string. Since "//site1*" doesn't start with "/site1" then it will not pass through. Am I missing something here?

    The -glob option in the switch command, as well as the "string match" command are great options for using a wildcard or range of characters without the need for the full blown regex engine.

    Now, if you really want to reject all other requests not starting with "/site1" then you might want to add a default clause in your switch statement and explicitly issue a reject statement in there. 

     when HTTP_REQUEST {  
   switch -glob [string tolower [HTTP::uri]] {  
     "/site1*" -  
     "/site2*" -  
     "/site3*" -  
     "/site4*" {  
       pool Test_Pool  
     } 
     default { 
       reject 
     }  
   }  
 }

    Let me know if I'm missing anything or you need more clarification or examples and I'll be glad to help.

    -Joe