Forum Discussion

Dave_21507's avatar
Dave_21507
Icon for Nimbostratus rankNimbostratus
Oct 01, 2009

HTTP::uri starts_with - how to make it case insensitive?

Hello everyone,

 

I have the following iRule in place and it works great, but discovered that a "workaround" is using onlineusers.aspx or any other combination of case (e.g., OnLineUSerS.ASPx wouldn't redirect to login.aspx).

 

 

 

when HTTP_REQUEST {

 

if { ( [HTTP::uri] starts_with "/OnlineUsers.aspx" )

 

and ( not [ matchclass [IP::client_addr] equals $::ips_irule ] ) }{

 

HTTP::redirect https://[HTTP::host]/login.aspx}}

 

 

 

Is there a way to modify it so it's not case sensitive?

 

Thanks!
application delivery
dev
devops
iRules

6 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Oct 01, 2009
    Hi,

     

     

    You can set the URI to lower case before evaluating it:

     

     

    [string tolower [HTTP::uri]]

     

     

    Aaron
  • Dave_21507's avatar
    Dave_21507
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2009
    All set!!

     

     

    To help others, here is what I came up with (first I created a new data group for strings called allowed_uris and put /onlineusers.aspx in there):

     

     

    when HTTP_REQUEST {

     

    if { ( [matchclass [string tolower [HTTP::uri]] starts_with $::allowed_uris] )

     

    and ( not [ matchclass [IP::client_addr] equals $::ips_irule ] ) }{

     

    HTTP::redirect https://[HTTP::host]/login.aspx

     

    }

     

    }

     

     

    Thanks again
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Oct 01, 2009
    There is an issue with this in that someone could make a request to /doesnt_exist/../allowed_uri/whatever and that would bypass your rule logic and go to the default pool. The webserver would normalise the requested URI to /allowed_uri.

     

     

    You can check a recent post for more discussions on this:

     

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=30900&ptarget=30901

     

     

    Aaron
  • Dave_21507's avatar
    Dave_21507
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2009
    Ahh yes that's an interesting point you bring up. However, I'm not using this irule to direct users to different application pools. Using it simply to force people who are trying to access a certain page, and aren't coming from certain IP's to a login screen.

     

     

    I tested with http://hostname/doesnt_exist/../allowed_uri/whatever and it took me to the login page, so it is working as designed.

     

     

    Is there something I'm missing? If so, please let me know.
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Oct 02, 2009
    Are you trying to prevent certain clients from ever accessing specific URIs? If so, the iRule could be bypassed using obfuscation techniques.

     

     

    Aaron