Forum Discussion

cgwin12
Apr 25, 2024

Need help on i-rule to specific uri path

Hello All,

I'm working on an iRule that needs to do the following: given a set of specific source IP addresses, only allow access to specific URIs under /ws/rest/external*.

I put the specific source addresses in a data group and reference that data group in the iRule. When I apply this iRule to the virtual server, testing gives an "Insecure HTTPS" message. I am on version 15.8.1.2. We plan to upgrade to the most stable 16.x release soon.

Any suggestions on what I can do with the iRule posted below? Thanks in advance.

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals Boomi_external] } {
        pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
    }
}

when HTTP_REQUEST {
    if { ![HTTP::has_responded] } {
        if { ([HTTP::host] equals "apigway-d.lanl.gov" or [HTTP::host] equals "apigway-d.lanl.gov") } {
            # starts_with is a literal comparison: the "*" and the trailing spaces are part of the string being compared
            if { [HTTP::uri] starts_with "/ws/rest/external*    " || [HTTP::uri] starts_with "/ws/rest/external*" } {
                pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
            } else {
                reject
            }
            return
        }
    }
}


6 Replies

  • Try the rule below:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/ws/rest/external*" {
                if { [class match [IP::client_addr] equals Boomi_external] } {
                    pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
                } else {
                    reject
                }
            }
            default {
                drop
            }
        }
    }


  • The insecure HTTPS message is very unlikely to have been caused by your iRule - most likely it is because the server IP/name you are going to in order to reach the Virtual Server does not match the CN in the SSL certificate returned by the pool member.


    Regarding the iRule; I strongly suggest using [HTTP::uri -normalized] to ensure that your iRule cannot be bypassed by encoding slashes or other bypasses (e.g. //, //./, %2F etc) (everyone should be doing this, really!). Other than that, Sanjay's rule above should be more efficient.
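The encoding point in the reply above, as an added example that is not part of this thread or of any F5 code: a Python model of the first reply's rule (prefix match sends data-group members to the pool and rejects everyone else; anything outside the prefix is dropped), evaluated once against the raw URI and once against a normalized one. The `normalize_uri` function is my own approximation of what `[HTTP::uri -normalized]` does (percent-decode once, collapse repeated slashes, resolve `.` and `..` segments); the data-group CIDRs, pool name handling and request samples are constructed for the demonstration.

```python
"""Model of the access decision discussed in this thread, with and without URI
normalization. Not F5 code; the normalizer is an approximation of
[HTTP::uri -normalized] and the data group contents are constructed."""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for the Boomi_external address data group (CIDRs assumed).
BOOMI_EXTERNAL = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
ALLOWED_PREFIX = "/ws/rest/external"   # the switch -glob pattern "/ws/rest/external*"


def in_data_group(client_ip: str) -> bool:
    """Models [class match [IP::client_addr] equals Boomi_external]."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in BOOMI_EXTERNAL)


def normalize_uri(uri: str) -> str:
    """Approximation (assumed behaviour) of [HTTP::uri -normalized]: percent-decode
    the path once, collapse repeated slashes, resolve '.' and '..' segments, and
    leave the query string untouched."""
    path, sep, query = uri.partition("?")
    decoded = unquote(path)                          # '%2e%2e' -> '..'
    collapsed = re.sub(r"/+", "/", decoded)          # '//ws' -> '/ws'
    resolved = posixpath.normpath(collapsed or "/")  # '/a/./b/../c' -> '/a/c'
    if not resolved.startswith("/"):
        resolved = "/" + resolved
    return resolved + sep + query


def decide(client_ip: str, uri: str, normalize: bool) -> str:
    """Mirrors the first reply's rule: under the prefix, data-group members go to
    the pool and others are rejected; everything else is dropped."""
    checked = normalize_uri(uri) if normalize else uri
    if checked.lower().startswith(ALLOWED_PREFIX):   # string tolower + -glob prefix
        return "pool" if in_data_group(client_ip) else "reject"
    return "drop"


# Constructed request samples: (client address, raw URI, note)
SAMPLES = [
    ("203.0.113.10", "/ws/rest/external/orders?id=7", "legitimate"),
    ("203.0.113.10", "//ws/rest/external/orders", "legitimate, doubled leading slash"),
    ("203.0.113.10", "/ws/rest/external/../internal/users", "traversal out of the prefix"),
    ("203.0.113.10", "/ws/rest/external/%2e%2e/internal/users", "encoded traversal"),
    ("203.0.113.10", "/ws/./rest/external/orders", "dot segment"),
    ("192.0.2.5", "/ws/rest/external/orders", "unlisted source"),
]


def compare(samples=SAMPLES):
    """Return {raw_uri: (decision on raw URI, decision on normalized URI)}."""
    return {uri: (decide(ip, uri, False), decide(ip, uri, True)) for ip, uri, _ in samples}


if __name__ == "__main__":
    for ip, uri, note in SAMPLES:
        raw, norm = decide(ip, uri, False), decide(ip, uri, True)
        print(f"{ip:14} {uri:42} raw={raw:7} normalized={norm:7} ({note})")
```

Run it with python3 and compare the two columns: the traversal and encoded-traversal samples match the prefix in raw form and would be sent to the pool, where a backend that resolves dot segments serves `/ws/rest/internal/users`; after normalization they fall into the default arm. The doubled-slash and dot-segment forms go the other way, a raw comparison drops what is in fact a request inside the allowed prefix. The model decodes only once, so a double-encoded `%252e` stays literal here; whether a given backend decodes it a second time is a separate check to make.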

  • Because the "else" is basically reject, you can simply assign the pool to the virtual server and bind the traffic policy below to the virtual server.

    It is better to use a local traffic policy instead of iRule scripting, due to better performance and to avoid scripting typos.


    • cgwin12

      Thanks, zamroni. I realized I needed to add some additional lines, per F5's recommendation for software releases after v14. This is per https://my.f5.com/manage/s/article/K23237429.

      I like your suggestion about the local traffic policy. I will try that the next time I get one of these requests.

      So it works with my iRule as shown:

      when CLIENT_ACCEPTED {
          if { [class match [IP::client_addr] equals Boomi_external] } {
              pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
          }
      }

      when HTTP_REQUEST {
          if { ![HTTP::has_responded] } {
              switch -glob [string tolower [HTTP::uri -normalized]] {
                  "/ws/rest/external*" {
                      if { [class match [IP::client_addr] equals Boomi_external] } {
                          pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
                      } else {
                          # log is its own command on its own line; placed after the closing
                          # brace of the if/else it would become an extra argument to "if"
                          log local0. "HTTP::reject_reason"
                          reject
                      }
                  }
                  default {
                      log local0. "HTTP Headers = [HTTP::host], [HTTP::uri]"
                      return
                  }
              }
          }
      }


  • Sanjay and Aaron, thanks for your input. I'm getting a little closer. On the initial HTTP GET request this iRule is working. However, when the testers attempt a POST, they error out with the insecure message.

    I have pasted the new iRule below. I also added logging to find out why the connection is getting reset.

    The output of the log is also below the iRule. It is the result of running a tail, grepping for the iRule name:

    tail -f /var/log/ltm | grep /Common/Boomi_external_redirect

    Thanks for your input so far, we're close.


    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals Boomi_external] } {
            pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
        }
    }

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri -normalized]] {
            "/ws/rest/external*" {
                if { [class match [IP::client_addr] equals Boomi_external] } {
                    pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
                } else {
                    reject
                } log local0. "HTTP::reject_reason"
                # the log call above is on the same line as the closing brace of the if/else,
                # so Tcl parses it as extra words of the "if" command (see the error output below)
            }
            default {
                log local0. "HTTP Headers = [HTTP::host], [HTTP::uri]"
            }
        }
    }


    OUTPUT OF THE ERROR:


    May 23 09:22:41 bigip1.lanl.gov err tmm1[22445]: 01220001:3: TCL error: /Common/Boomi_external_redirect <HTTP_REQUEST> - wrong # args: extra words after "else" clause in "if" command     while compiling "if { [class match [IP::client_addr] equals Boomi_external] } {               pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool                    } else {              reject    ..."     ("/ws/rest/external/*" arm line 2)     invoked from within "switch -glob [string tolower [HTTP::uri -normalized]] {                 "/ws/rest/external/*" {             if { [class match [IP::client_addr] equals Boomi_..."

     

     

     

    • SanjayP

      Please don't complicate the iRule by adding the CLIENT_ACCEPTED event and syntax like HTTP::reject_reason or HTTP::has_responded. Please use the iRule posted earlier. Please take the default action as appropriate in your case.


      when HTTP_REQUEST {
          switch -glob [string tolower [HTTP::uri -normalized]] {
              "/ws/rest/external*" {
                  if { [class match [IP::client_addr] equals Boomi_external] } {
                      pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
                  } else {
                      log local0. "rejected access to /ws/rest/external for [IP::client_addr]"
                      drop
                  }
              }
              default {
                  return
              }
          }
      }


      For insecure errors, please check the SSL certificate is correctly added to your clientssl profile, it's trusted by the client and has correct intermediate cert associated with it.