Forum Discussion

M451_315544
Mar 28, 2017

Create iRule to prevent external users from hitting directories

Hello all.

 

I am new to iRules and I am not sure how to test what I've done so far without impacting production so I thought I'd ask here first to review my logic.

 

Logic: create an iRule to block access to some sub-directories from external IPs.

 

Sub-directory examples: /aws/ and /PP/

 

What I've come up with.

 

Comment: subDir is defined in the GUI under Data Groups.

 

    when HTTP_REQUEST {
      # Drop the request when the client is NOT in the private_net address
      # data group AND the request URI matches an entry in the subDir data group.
      # (The original had "[ [HTTP::uri]]", a nested bracket that would try to
      # execute the URI as a Tcl command; it is "[HTTP::uri]".)
      if { (![class match [IP::remote_addr] equals private_net]) and [class match [HTTP::uri] equals subDir] } {
        drop
      }
    }

 

I am thinking about whether I should use "equals" or probably use "contains". Thoughts?

 

13 Replies

  • 2nd attempt.

    when HTTP_REQUEST {
       # Address-type data groups are matched with "equals" (a subnet match);
       # "contains" is a string operator, so it is kept only for the URI lookup.
       if { (![class match [IP::remote_addr] equals private_net]) and [class match [HTTP::uri] contains subdir] } {
          drop
       }
    }
    
  • jcline_41716

    Try this irule

    when HTTP_REQUEST {
      # "a" when the client address falls inside a listed internal network, "" otherwise
      set net_code [class match -value -- [IP::client_addr] equals internal_network_dg]
      # "p" when the lower-cased path contains a listed private prefix, "" otherwise.
      # Note: the data group name itself must not be passed through "string tolower";
      # only the path is lower-cased, so the data group entries have to be lower case.
      set app_path [class match -value -- [string tolower [HTTP::path]] contains private_urls_dg]

      # Private path requested by a client that is not internal: answer 404
      if { $app_path eq "p" and $net_code ne "a" } {
        HTTP::respond 404 content "404 Not Found" "Content-Type" "text/plain"
      }
    }

    You will need to create 2 data groups: internal_network_dg is used to track your internal IP addresses, and private_urls_dg is used to track your private URLs.

    internal_network_dg needs to be data group type "address", where you list the allowed addresses like 10.0.0.0/8 with a value of "a" to tell the iRule that they are allowed.

    private_urls_dg needs to be data group type "string", with the private URL or a unique portion of it (e.g. /admin/) and a value of "p" to tell the iRule that it's private. You can change the values to anything that you choose as long as you change them in the rule and the data groups.

    I got this from Kevin quite a while ago so thanks to him!

    • M451_315544

      "an indicator of p to tell the irule that it's private"

      Thanks! I do not get this part though. What is an indicator of p?

    • jcline_41716

      This iRule is looking for a value of "p" in the private_urls_dg data group list that you will create for it.

       

      You can create a data group list under the LocalTraffic/iRules menus.

       

    • jcline_41716

      The iRule that I posted converts everything to lower case. iRules are case sensitive, so an entry of /PP/:=a would not match on the iRule that I posted and wouldn't be blocked. If you use my rule then all entries in the data groups need to be in lower case.

       
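As an added example (not code from the thread or from F5), the following Python re-implements the decision logic of the iRule above: an address data group matched with "equals" (subnet match) and a string data group matched with "contains" against the lower-cased HTTP::path. It lets you check the blocking decision against sample requests offline, including the case-folding point made above and the difference between "contains" and "starts_with". The data group contents, client addresses and request URIs are constructed for illustration.

```python
"""Offline simulation of the posted iRule's data-group matching.

Added example, not code from the forum thread or from F5. It mirrors, in
Python, the two `class match` lookups the iRule makes (an address data
group matched with "equals", a string data group matched with "contains"
on the lower-cased HTTP::path) so the blocking decision can be checked
against sample requests without touching a production BIG-IP. The data
group contents, client addresses and request URIs below are constructed
for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# internal_network_dg: address-type data group; value "a" = allowed network.
# (constructed sample entries)
INTERNAL_NETWORK_DG = {
    "10.0.0.0/8": "a",
    "192.168.0.0/16": "a",
}

# private_urls_dg: string-type data group; value "p" = private path.
# Keys are lower case because the iRule lower-cases HTTP::path before matching.
# (constructed sample entries)
PRIVATE_URLS_DG = {
    "/aws/": "p",
    "/pp/": "p",
    "/admin/": "p",
}


def class_match_address(client_ip: str, dg: dict) -> str:
    """Model of `class match -value -- $ip equals <address dg>`.

    Returns the value stored for the most specific network that contains
    client_ip, or "" when no entry matches (the iRule then sees an empty
    string, which is != "a"). Longest-prefix preference is this model's
    choice for determinism.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_value = None, ""
    for net_str, value in dg.items():
        net = ipaddress.ip_network(net_str, strict=False)
        if net.version == addr.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_value = net, value
    return best_value


def class_match_string(subject: str, operator: str, dg: dict) -> str:
    """Model of `class match -value -- $subject <operator> <string dg>`.

    Supports the iRule string operators equals, starts_with, ends_with and
    contains; returns the value of the first matching key, or "".
    """
    ops = {
        "equals": lambda s, k: s == k,
        "starts_with": lambda s, k: s.startswith(k),
        "ends_with": lambda s, k: s.endswith(k),
        "contains": lambda s, k: k in s,
    }
    test = ops[operator]
    for key, value in dg.items():
        if test(subject, key):
            return value
    return ""


def http_path(uri: str) -> str:
    """HTTP::path is the request URI without the query string."""
    return urlsplit(uri).path


def decide(client_ip: str, uri: str, operator: str = "contains") -> str:
    """Apply the iRule condition and return "404" (blocked) or "allow".

    `operator` is the string operator used against private_urls_dg; the
    posted iRule uses "contains".
    """
    net_code = class_match_address(client_ip, INTERNAL_NETWORK_DG)
    app_path = class_match_string(http_path(uri).lower(), operator, PRIVATE_URLS_DG)
    if app_path == "p" and net_code != "a":
        return "404"
    return "allow"


if __name__ == "__main__":
    samples = [
        ("10.1.2.3", "/aws/status"),           # internal client, private path
        ("203.0.113.5", "/aws/status"),        # external client, private path
        ("203.0.113.5", "/PP/index.html"),     # upper case is folded before matching
        ("203.0.113.5", "/docs/aws/guide"),    # "contains" also matches mid-path
        ("203.0.113.5", "/aws"),               # no trailing slash: "/aws/" not contained
        ("203.0.113.5", "/search?q=/admin/"),  # query string is not part of HTTP::path
    ]
    for ip, uri in samples:
        print(f"{ip:14} {uri:22} -> {decide(ip, uri)}")
```

Two behaviours worth checking before deploying the real iRule: with "contains", an entry like /aws/ also matches /docs/aws/guide anywhere in the path (use "starts_with" if only the top-level directory is meant), and a request for /aws without the trailing slash does not match /aws/ at all, so the data group needs an entry for whichever form the application actually serves.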
