Forum Discussion

pmaubo2_55685's avatar
pmaubo2_55685
Icon for Nimbostratus rankNimbostratus
Jan 04, 2013

irule to drop all non-allowed network from going to url

Hi,     I want to drop any connection outside of a data class I created from getting to a certain URL.   So far I can drop the URL with the below irule. I just need a little help adding in...
application delivery
dev
devops
iRules
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
Jan 04, 2013
There are fairly easy ways to bypass this type of validation though. Make sure to URI decode before checking the URI. You can try something like this: 


when HTTP_REQUEST {
 decode original URI.
set tmpUri [HTTP::uri]
set uri [URI::decode $tmpUri]

 repeat decoding until the decoded version equals the previous value.
while { $uri ne $tmpUri } {
set tmpUri $uri
set uri [URI::decode $tmpUri]
}
HTTP::uri $uri

if {[string tolower $uri] contains "hostinfo.aspx"} {

 check the Class to determine if it's not allowed
if { not [class match [IP::client_addr] equals allowed_networks] } {
log local0. "dropped connection"
reject
}
}
}

https://devcentral.f5.com/internal-forums/aft/3090031324

Aaron