Reginald_Sible1
Oct 27, 2015

iRule to block anything containing /user that's not coming from the internal network

iRule to block anything containing /user that's not coming from the internal network specified in the datagroup. I have the following logic, but it's for the entire URL. How can I make it just /user on the VIP?

    rule URL-user_rule {
        when HTTP_REQUEST {
            switch -glob [string tolower [HTTP::host]] {
                domain.name.com {
                    if { not ([class match [IP::client_addr] equals sntru_net]) } {
                        discard
                    }
                }
                default {
                    pool [LB::server pool]
                }
            }
        }
    }


4 Replies

  • Vernon_97235
    Historic F5 Account

    I assume you still want to match the Host header and you want to match anything starting with "/user":

    when HTTP_REQUEST { 
        if { [string tolower [HTTP::host]] eq "domain.name.com" and not ([class match [IP::client_addr] equals sntru_net]) } {
            switch -glob [HTTP::path] {
                "/user" -
                "/user/*" {
                    discard
                }
            }
        }
    }
    

    You don't need the default branch because selection of the assigned pool is what will happen by default already.

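
A variant of the iRule from the reply above, added here as an illustration and not part of the original thread: it compares on normalised values so that a port in the Host header, or case and percent-encoding differences in the path, do not skip the /user check. The `host` and `path` variables and the log line are additions; the host name and the `sntru_net` data group come from the thread.

```tcl
when HTTP_REQUEST {
    # The Host header may carry a port ("domain.name.com:443"); compare the name only.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Filter only requests for this host from clients outside the data group.
    if { $host eq "domain.name.com" and not [class match [IP::client_addr] equals sntru_net] } {

        # switch -glob is case-sensitive and sees the path as sent, so match on a
        # lowercased, percent-decoded copy. Assumption: the back end treats such
        # variants as the same resource as "/user".
        set path [string tolower [URI::decode [HTTP::path]]]

        switch -glob -- $path {
            "/user" -
            "/user/*" {
                # Log the drop so blocked attempts can be reviewed later.
                log local0. "Blocked /user request from [IP::client_addr] for $host"
                discard
                return
            }
        }
    }
    # No pool command: all other requests go to the virtual server's default pool.
}
```

The patterns match `/user` and anything beneath it, but not paths such as `/users`, the same as in the reply.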