Forum Discussion

jtalkington_476's avatar
jtalkington_476
Icon for Nimbostratus rankNimbostratus
Sep 02, 2010

Apache migration to iRule

Been handed the following from apache to migrate to an irule-

 

 

Only allow access to files in the following specific directories. The '[^/]+$' on

 

the end of each entry prevents any subdirectories of that directory from being

 

implicitly allowed.

 

RewriteCond %{REQUEST_URI} !^/[^/]*$

 

RewriteCond %{REQUEST_URI} !^/curriculum_images/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/images/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/articles/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/dhs/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/FNF/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/FNF/cis/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/FNF/compliance/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/icons/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/icons2/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/wiki_up/cis.fnf.com/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/lib/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/lib/Galaxia/img/icons/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/styles/[^/]+$

 

 

Need to allow arbitrary subdirectory trees under '/training'.

 

RewriteCond %{REQUEST_URI} !^/training/

 

 

Deny anything that didn't match the above.

 

RewriteRule .* /proxy_denied.txt [L]

 

 

Also specifically deny access to https://cis.fnf.com/tiki-index.php?page=AdminPage

 

(or variations).

 

RewriteCond %{QUERY_STRING} AdminPage

 

RewriteRule .* /proxy_denied.txt [L]

 

 

And specifically deny access to scripts containing 'admin' anywhere in the name.

 

RewriteRule admin.*\.php$ /proxy_denied.txt [L]

 

 

And finally, block requests containing strange characters in the script name

 

portion (we should probably be checking the query string portion too, but we would

 

need to be very careful about the allowed character set, which would be broader

 

broader than this list).

 

RewriteRule [^-A-Za-z0-9_/.()\ ] /proxy_denied.txt [L]

 

 

 

 

I 've created most of the rule, but this last part is giving me problems, not sure how to write this to allow only A-Za-z0-9_/.()\ and deny everything else. Any suggestions?

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The rules for compliance.fnf.com are the same except without these two lines:

 

 

RewriteCond %{REQUEST_URI} !^/img/dhs/[^/]+$

 

RewriteCond %{REQUEST_URI} !^/img/wiki_up/cis.fnf.com/[^/]+$

 

 

2 Replies

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Assuming I'm not misunderstanding your question, you could use a regular expression in an if statement... e.g.

    if { [HTTP::uri] matches_regex {[^-A-Za-z0-9_/.()\]} } {
      HTTP::redirect "/proxy_denied.txt"
    }
    

    You might want to verify the regex syntax matches what you want though (I didn't).

    H
  • I tried this- the syntax APPEARS to be ok, but it doesn't seem to hit the statement when i enter special characters.

     

     

    when HTTP_REQUEST {

     

    set POOL Cis.fnf.com

     

    if { [HTTP::path] matches_regex {[^-A-Za-z0-9_/.()\]} } {

     

    HTTP::redirect "/proxy_denied.txt"

     

    }

     

    HTTP::respond 200 content "RuleSet2[HTTP::path]"

     

    }