Forum Discussion

Patti_G_72768
Oct 01, 2013

Regex rule conversion to iRule

Hi all, I'm a newbie and have been working on converting a regex rule to an iRule. I wanted to reach out to the community to see if I can get some help with what I have written so far. The regex rule I have is looking to match the following HTTP methods: get, head, prop find, options. If it finds that match, then it looks for a second match on content type application-x-www-form-urlencoded, multipart/form-data, text/xml, and if both conditions are met, it returns a response error.

Here is the iRule I've written so far:

when HTTP_REQUEST {
        if {[HTTP::method] contains 
        "get" -
        "head" -
        "propfind" -
        "options" 
   and [HTTP::header "Content-Type"] contains
   ":application/x-www-form-urlencoded; charset = " -
   ":multipart/form-data;" -
   ":text/xml"
   }
    {
     log local0. "Request content type is not allowed by policy."
     drop
     HTTP::respond 501 content "501 Request ErrorRequest content type is not allowed by policy."
    }
 }

I don't know if what I have so far is a step in the right direction or if I am completely off.

thanks!

6 Replies

  • Off in quite a few ways I'm afraid, but nothing too bad. Here's my version, untested. I've never nested switch statements so it might not work; if not, there are lots of other ways to do it:

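    when HTTP_REQUEST {
        # switch does an exact, case-sensitive match by default.
        switch [HTTP::method] {
            "GET" -
            "HEAD" -
            "PROPFIND" -
            "OPTIONS" {
                # HTTP::header returns only the header value (no leading colon),
                # so glob-match the lower-cased media type and ignore parameters.
                switch -glob [string tolower [HTTP::header "Content-Type"]] {
                    "application/x-www-form-urlencoded*" -
                    "multipart/form-data*" -
                    "text/xml*" {
                        log local0. "Request content type is not allowed by policy."
                        HTTP::respond 501 content "Request content type is not allowed by policy."
                    }
                }
            }
        }
    }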
    
  • Hi, thank you so much for your help!!! I have a quick question about the HTTP::respond statement. Will HTTP::respond provide a response page to the client indicating the error message? (Sorry, like I said before, newbie; not trying to be dumb, just wanted to confirm.)

    Thanks again!

  • Hey, you're welcome. The 501 will be very, very basic; the F5 won't serve anything fancy, although it may include response-code-appropriate HTTP headers (authentication headers with a 401, for instance).

    Btw, I forgot to mention, I dropped the 'drop' command as, strictly speaking, it's a) unnecessary and b) incompatible with HTTP::respond (you can't do both).

  • I think you could probably skip a strict regex implementation and use something like a set of data groups or a set of lists. Here's what it might look like with string-based data groups.

    my_method_dg

    "get" := ""
    "head" := ""
    "propfind" := ""
    "options" := ""
    

    my_type_dg

    "application/x-www-form-urlencoded" := ""
    "multipart/form-data" := ""
    "text/xml" := ""
    

    And the iRule:

    when HTTP_REQUEST {
        if { ( [class match [string tolower [HTTP::method]] contains my_method_dg] ) and ( [class match [string tolower [HTTP::header Content-Type]] contains my_type_dg] ) } {
            log local0. "Request content type is not allowed by policy."
            HTTP::respond 501 content "Request content type is not allowed by policy."
            event disable
        }
    }
    

    One other minor change was also required. The drop and HTTP::respond commands are mutually exclusive. One will respond with content and the other will simply drop the connection.

  • Just to add to this: your log statement is only going to log "Request content type is not allowed by policy."; you will need to use commands in your log statement.

    Also, for the response try adding...

    HTTP::respond 501 content { <html><head><title>Apology Page</title></head><body>We are sorry, but the site you are looking for is temporarily out of service<br>If you feel you have reached this page in error, please try again.</body></html> }

     

  • Sorry, new to posting on this forum and how to format etc., but check the HTTP::respond command here...

    https://devcentral.f5.com/wiki/iRules.HTTP__respond.ashx

    It has an example apology rule adding some very simple HTML.
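
Added example, not part of the original thread or F5's own code: a variant that combines the data-group approach with the suggestion to put commands in the log statement. It assumes the `my_method_dg` and `my_type_dg` data groups shown above; the variable names, the `equals` comparison on the parsed media type, and the log format are choices made for this illustration.

```tcl
when HTTP_REQUEST {
    # Normalise once: lower-case the method and reduce Content-Type to its
    # media type ("text/xml; charset=utf-8" -> "text/xml").
    set method [string tolower [HTTP::method]]
    set ctype  [HTTP::header "Content-Type"]
    set media  [string tolower [string trim [lindex [split $ctype ";"] 0]]]

    # "equals" requires the whole value to be a data-group key, so a value that
    # merely contains a listed string somewhere else does not trigger the rule.
    if { [class match $method equals my_method_dg] && [class match $media equals my_type_dg] } {
        # Log who sent what. The header is client-controlled, so cap its length
        # before writing it to the log.
        log local0. "Blocked [IP::client_addr] [HTTP::method] [HTTP::host][HTTP::uri] Content-Type=[string range $ctype 0 99]"
        HTTP::respond 501 content "Request content type is not allowed by policy."
        return
    }
}
```

A request with no Content-Type header yields an empty media type, which matches no data-group key and passes through unchanged.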