iRule for URI ACL

Jeff: This should be a clean and easy problem to solve. I'd go with a datagroup here, as it'll be a bit cleaner to manage as you add/remove URIs. I'm not able to give you examples or links (on a plane, shutting down my laptop!), but do a search or two on URI switching/acls using datagroups and you'll be off to a good start.

 

 

-Matt

 

Hi Jeff,

Something like this might do the trick:

 
rule mycompany_url_acl {
when HTTP_REQUEST {
if { ![matchclass [HTTP::path] starts_with $::mycompany_allowed_urls] } {
HTTP::redirect http://mycompany.com/sorry_url.html
}
}
}

You'll also need a datagroup called "mycompany_allowed_urls". This is what it looks like in my bugip.conf:

class mycompany_allowed_urls {
   {
      "/Dealer/"
      "/Help/"
      "/Image/"
      "/Login/"
      "/User/"
   }
}

Hope this helps,

George

One note: I used matchclass (http://devcentral.f5.com/Wiki/default.aspx/iRules.matchclass) here, which has been deprecated in favor of the class command (http://devcentral.f5.com/Wiki/default.aspx/iRules.class) in version 10. The equivalent code using the class command would look like this:

 

 

when HTTP_REQUEST {
if { ![class match [HTTP::path] starts_with $::mycompany_allowed_urls] } {
HTTP::redirect http://mycompany.com/sorry_url.html
}
}

 

 

-George

Good morning George, thanks for the reply. I have attempted your solution but it doesn't seem to work. I created a datagroup "blue" with the strings as

 

"/Dealer/"

 

"/Help/"

 

"/Image/"

 

"/Login/"

 

"/User/"

 

I am new to this but is a value required when adding these strings to the group?

 

 

The iRule I used is this

 

when HTTP_REQUEST {

 

if { ![class match [HTTPS::path] starts_with $::blue] } {

 

HTTP::redirect http://www.google.com/

 

}

 

}

 

 

When I go to https://mycompany.com/test it should direct to google.com but just gives a page cannot be found page from the webserver.

 

 

Also this is a 443 request as we have a redirect iRule for the 80 traffic to be routed to 443.

 

 

Thanks for the help and I look forward to a response

Are you terminating the SSL connection on your F5?

I'd do this, assuming you're terminating the SSL and can see the request in cleartext.

when HTTP_REQUEST { 
if { ![class match [HTTP::uri] starts_with blue] } { 
HTTP::redirect "http://www.google.com/"
} 
} 

Chris, yes we are terminating the SSL connection on the F5.

 

 

I am getting closer. It is definatly reading the iRule but I am not so sure it is triggering the data group and the defaul landing page is in the data group but the page continues to redirect.

 

 

landing page: I have this exact string added to the blue data group with no luck, it still redirects.

 

https://mycompany.com/

Hi jokragly,

 

 

What version of LTM are you running? Did you add the datagroup to your config?

 

 

-George

We ended up opening a support case with F5 and here is the iRule and data group syntax that we had to use.

 

 

when HTTP_REQUEST {

 

log local0. "path is [HTTP::path]"

 

set search_id [class startsearch blue_ACL]

 

while { [class anymore blue_ACL $search_id] } {

 

nextelement returns an array with two elements (for a string class, we just care about the first element)

 

set elem [class nextelement blue_ACL $search_id]

 

set elem [lindex $elem 0]

 

log local0. "elem is $elem"

 

if { [string tolower [HTTP::path]] matches_regex $elem } {

 

log local0. "$elem matched !"

 

return

 

}

 

}

 

 

HTTP::respond 200 content "PERMISSION DENIED TO: [HTTP::uri]"

 

}

 

 

The trick is that your datagroup (blue_ACL) strings need to be entered using REGEX notation. ( You will need to start each string with a "^" and for the / path (root), you need to enter "^/$".

 

^/$ (the $ means "end of string")

 

^/Dealer

 

^/Help

 

^/Image

 

^/Login

 

^/User

 

 

You also need to enter all the strings in lower case because of the " tolower" command, if they are upper case they won't match.

 

 

I appreciate everyones help but I just wanted to update the forum with what worked for us.

Glad to hear you got it working. Thanks for posting your solution.

 

 

Cheers,

 

 

-George

That could be horribly inefficient to loop through a datagroup and run a regex operation on each element. I'd go back to George and Chris' examples using a datagroup and the iRule which uses starts_with. Make sure to remove the $:: prefix from the datagroup name in the iRule as that won't work in 10.x.

class mycompany_allowed_urls {
   {
      "/dealer/"
      "/help/"
      "/image/"
      "/login/"
      "/user/"
   }
}

when HTTP_REQUEST { 
   if { ![class match [string tolower [HTTP::uri]] starts_with blue] } { 
      HTTP::redirect "http://www.google.com/"
   } 
} 

I'm not sure whether the web app is case sensitive or not, so I set the URI and the datagroup entries to lower case.

Aaron