Forum Discussion

PG0581's avatar
PG0581
Icon for Cirrus rankCirrus
Dec 12, 2022

iRule - Block part of a query

Using this example URL: https://abc.com/some-uri.some-extension?func=do-something

How would I go about rejecting any queries containing "do-something"? 

This is what I have tried, and haven't had any luck:

iRule:

    when HTTP_REQUEST {
            if { [class match [string tolower [HTTP::query]] eq data-group-1] }{
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }

Data-group:

ltm data-group internal data-group-1 {
    records {
        do-something { }
    }
    type string
}
  • Hello PG0581 , 
    this code should work, and it's exactly how I would build the iRule too. 

    Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match. 

    In my lab, this code is working indeed

     

    I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.

9 Replies

  • Hello,

    The below simple I-rule do this function and tested in a LAB:

    when HTTP_REQUEST {
    if {[HTTP::uri] contains "do-something"}{
    reject
    }
    }

    • PG0581's avatar
      PG0581
      Icon for Cirrus rankCirrus

      Thanks for testing this Omar2 ! I will add this to my notes as another solution.

  • Hi PG0581,

    you may check the modified iRule below...

     

    when HTTP_REQUEST {
    		if {  [class match -- [URI::query [HTTP::uri -normalized] "func"] equals data-group-1] } then {
    		log local0. "Denied query: [IP::client_addr] - param func=[URI::query [HTTP::uri -normalized] "func"]"
    		HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
    	}
    }

     

    It applies HTTP::uri -nomalization to the request URI, then extracts the URI parameter "func" and then checks the value based on your Data-Group. If the func param is listed in the blacklist, it sends a HTTP 403 Access Denied to the client (slightly better than using a TCP reject). 

     Cheers, Kai

    • PG0581's avatar
      PG0581
      Icon for Cirrus rankCirrus

      Thanks for your feedback Kai_Wilke . Interesting way of writing the iRule, and thanks for the tip on sending the 403 back 🙂 I will add this to my notes!

  • I also tried modifying the iRule to use "contains" rather than "eq", but no luck there either:

     

        when HTTP_REQUEST {
                if { [class match [string tolower [HTTP::query]] contains data-group-1] }{
                log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
                reject
            }
        }

     

    • Hello PG0581 , 
      this code should work, and it's exactly how I would build the iRule too. 

      Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match. 

      In my lab, this code is working indeed

       

      I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.

      • PG0581's avatar
        PG0581
        Icon for Cirrus rankCirrus

        Hi CA_Valli ,

        Thanks for testing this. I have typically always used "string tolower", but what I did not realize or had not noticed is the string in the data-group needs to be lowercase as well. Makes total sense! The string in my data-group is not all in lowercase, so I will fix that.