Forum Discussion

david0512_20548
Nov 13, 2013

drop incoming http requests to URI if external IP

Hi Guys

New to iRules, so I would appreciate some pointers.

I have a situation where we have a pool of application servers that serve both private and public content (URIs). This pool is shared between virtual servers (which ultimately are private or publicly available). However, due to the shared nature of the pool, the situation exists where a crafted attack on the public virtual server could get access to a private URI on the pool members. In order to prevent this situation I need to configure some iRules on the virtual server that drop requests if they are going to a private URI from a public (external) IP. At the same time, access to public URIs from public (external) IPs still needs to be available.

So far I have the following, but I'm looking for advice on whether I'm on the right lines:

when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses] } {
        pool poolofallowedservers
    } else {
        drop
    }
}

Thanks

7 Replies

  • Sorry guys, formatting went to pot. Here's the iRule:
    
    when HTTP_REQUEST {
        if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses] } {
            pool poolofallowedservers
        } else {
            drop
        }
    }

  • Hi David, if you are using a version prior to 11.4, you can use HTTP Classes, where you can deny everything except the host and URI. In version 11.4 and after, CPM (Central Policy Matching) can be used for this.

    But if you want to stay with an iRule approach, your iRule looks okay, except that you need to use a compliant call for the data group you are using (if not, you will demote CMP). Instead of $::Pool... you need to use the data group name directly: PoolOfAllowedAddresses

    I would also recommend using the "string tolower" command to avoid some lowercase/uppercase issues.

    What do you want to do if multiple requests are carried by the same connection? In the else branch, I think the "HTTP::respond" command would be better.

    If the HTML page you are allowing is composed of multiple objects (images, ...), then you will have to allow them also.

  • Would it also make sense to just evaluate the URI and the client address?

    when HTTP_REQUEST {
        if { ( [string tolower [HTTP::uri]] starts_with "/somethingspecific" ) and not ( [class match [IP::client_addr] equals PoolOfAllowedAddresses] ) } {
            # either drop the request ...
            drop
            # ... or answer it explicitly instead of dropping:
            # HTTP::respond 200 content "Not allowed HTML content"
        }
    }
    
  • Great, thanks guys. That's given me some pointers. Evaluating the URL and client address seems the sensible way forward. With regards to the class match and matching a data group, can I instead just define the addresses in the iRule itself? For example:

    ( [class match [IP::client_addr] equals 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16] )}


  • "With regards to the class match and matching a data group, can I instead just define the addresses in the iRule itself?"

    You can, but your evaluation will get a little complex with more than two IPs/subnets. Example:

    if { ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) or ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] ) or ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] ) }
    

    where [IP::addr] is the Boolean operator you would use to evaluate IP addresses in an if clause.

    • Kevin_Stewart
      I'd also add that if you're just defining RFC 1918 addresses in your data group, the BIG-IP already comes with one called "private_net".
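
An added example, not code posted by anyone in this thread: one iRule that puts the replies' points together, using the built-in "private_net" address data group mentioned above, "string tolower" for case normalisation, a prefix match on the private directory, and "HTTP::respond" instead of "drop" so that a keep-alive connection carrying other requests is not torn down. The path prefix "/somethingspecific/", the pool name "poolofallowedservers" and the log message are assumptions for illustration.

```tcl
# Added example for the thread above (not from the original poster or the
# replies). Assumptions: private content lives under /somethingspecific/,
# trusted clients are the RFC 1918 ranges in the built-in "private_net"
# data group, and the shared pool is called "poolofallowedservers".
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string, so "?x=1" cannot
    # change the comparison; lowercase it so /SomethingSpecific/ is caught too.
    set path [string tolower [HTTP::path]]

    # Match the directory with its trailing slash: a bare "/somethingspecific"
    # prefix would also match a public "/somethingspecificpublic/".
    # The directory itself (no trailing slash) is covered by the equals test.
    if { ($path starts_with "/somethingspecific/") or ($path equals "/somethingspecific") } {
        # IP::client_addr is the TCP peer; private_net holds 10/8, 172.16/12, 192.168/16.
        if { not [class match [IP::client_addr] equals private_net] } {
            log local0. "Denied private URI [HTTP::uri] from [IP::client_addr]"
            # Respond rather than drop: the client gets a clean 403 and other
            # requests on the same connection are unaffected; close it anyway.
            HTTP::respond 403 content "Forbidden" noserver "Connection" "close"
            return
        }
    }

    # Public URIs, and private URIs from a private source, go to the shared pool.
    pool poolofallowedservers
}
```

Two caveats worth keeping in mind with this approach. The decision rests on IP::client_addr, the real TCP source; if a proxy or CDN sits in front of the virtual server, every client will appear to come from that proxy, and switching the check to a client-supplied header such as X-Forwarded-For would let an external client forge a private address. Also, as the second reply notes, anything the private page loads (images, scripts) must sit under the same protected prefix or be allowed separately.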