Tony_T__153394
Jun 08, 2017

Only allow specific URI through F5 for virtual server

I'm having trouble creating a rule that only allows a connection if the URI starts with a specific string. This is on 11.x code LTM.

 

I only want anything starting with "soa-infra/resources/ExternalEndpoint/*" to be allowed to pass through to the pool. Everything else should be dropped. Is this possible?

 

This is what I currently have in my iRule:

 

    when HTTP_REQUEST {
        if { not [string tolower [HTTP::uri]] starts_with "/soa-infra/resources/ExternalEndpoint/*" } {
            reject
        }
    }

 

7 Replies

  • The iRule I provided above simply rejects all traffic instead of allowing the specific URI I need to allow through. Not sure what I'm missing in the code to ensure the good URI is allowed to pass through to the backend servers.

     

  • Try the iRule below:

        when HTTP_REQUEST {
            set uri [string tolower [HTTP::path]]
            switch -glob $uri {
                "/soa-infra/resources/externalendpoint/*" {
                    HTTP::uri "/uri"
                }
                default { reject }
            }
        }
    
  • Still getting a connection reset with the recommended iRule. No matter what URI I enter. It looks like it's taking only the default and not allowing the good URI still.

     

  • It looks like this worked briefly, then stopped functioning after around 60 seconds. Now receiving connection resets again. Extremely strange behaviour from the F5.

     

    iRule used:

        when HTTP_REQUEST {
            set uri [string tolower [HTTP::path]]
            switch -glob $uri {
                "/soa-infra/resources/ExternalEndpoint/*" {
                    HTTP::uri "/uri"
                }
                default { reject }
            }
        }

     

  • One immediate issue: You're using the 'string tolower' function, which will convert the URI to lower-case. However, your match string includes upper-case characters, so your test will never match.

     

    Change your test condition to all lower case, or remove 'tolower' if you need your match to be case-sensitive.

     

    Also, is the asterisk actually part of the URI you are attempting to match? Don't include it if you're using it as a glob "match anything else". Just include the literal string you want to match with 'starts_with'.
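
The two fixes from the last reply applied to the original iRule, as an added example that is not code from any poster in this thread. The dot-segment check, the single `URI::decode` pass and the log lines are additions; they assume no legitimate request to this endpoint contains ".." and that matching requests should go to the virtual server's default pool unchanged.

```tcl
when HTTP_REQUEST {
    # Added example, not from the thread.
    # Decode once and lower-case the path so the comparison is
    # case-insensitive. HTTP::path excludes the query string.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Assumption: ".." never appears in a legitimate path for this service.
    # A prefix test alone would accept a path that starts with the allowed
    # prefix but resolves elsewhere once the backend collapses dot segments.
    if { $path contains ".." } {
        log local0. "URI filter: dot segment from [IP::client_addr]: $path"
        reject
        return
    }

    # starts_with compares against a literal prefix, so there is no
    # trailing "*", and the literal is all lower case to agree with the
    # tolower above. The parentheses make "not" apply to the whole test.
    if { not ($path starts_with "/soa-infra/resources/externalendpoint/") } {
        log local0. "URI filter: blocked [IP::client_addr]: $path"
        reject
        return
    }

    # Allowed requests fall through to the default pool unmodified.
}
```

The log lines show in /var/log/ltm which branch a rejected request took, which helps when every request appears to be reset.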