Forum Discussion

Karthik_Krishn1
Oct 15, 2013

Allow access to URL from internet based on URI

Hello,

I am trying to develop an iRule whereby access to a specific URL is allowed only when a specific URL is presented. The logic is as below:

Application 202 (CAC) alone is accessible on the internet:

• allow /i/*
• allow /smapps/f?p=CAC*
• allow /smapps/f?p=202*
• deny if starts with /smapps/f?p and does not start with /smapps/f?p=202
• allow /smapps/*
• deny all

The above is only applicable to traffic from the internet, i.e. all non-RFC 1918 addresses. The above should be accessible to all RFC 1918 addresses (10.0.0.0/8 etc.).

I am new to iRules and would appreciate any help in developing this rule. I am not sure if I will have to use data groups for this.

Thanks,

Karthik


5 Replies

  • Something like this maybe:

    when HTTP_REQUEST {
        # Reject unless the (lower-cased) URI starts with an allowed prefix from
        # restrict_uri_dg, or the client address is in the private_net data group.
        if { not ( [class match [string tolower [HTTP::uri]] starts_with restrict_uri_dg] ) and not ( [class match [IP::client_addr] equals private_net] ) } {
            log local0. "rejected request for [HTTP::uri] from [IP::client_addr]"
            reject
        }
    }
    

    where "restrict_uri_dg" is a string-based data group containing URI paths that are allowed. Example (note everything is lower case):

    /smapps/f?p=202 := 1
    /smapps/f?p=cac := 1
    

    and "private_net" is an address-based data group containing the RFC 1918 address space. Example:

    10.0.0.0/255.0.0.0
    172.16.0.0/255.240.0.0
    192.168.0.0/255.255.0.0
    
  • Thanks Kevin. I was just told that the URL has to be accessible by both internal (RFC 1918) and Internet users. So based on the new information, this is what the developers want to do:

    If a user is from the Internet they need to be able to access the following, in the order as below:

    • permit /i/*
    • permit /smapps/f?p=202
    • permit /smapps/f?p=cac
    • reject if starts with /smapps/f?p and does not start with /smapps/f?p=202
    • permit /smapps/*
    • reject all

    Now if the user is from the internal RFC 1918 network, then they should be able to access anything after /smapps/, with the only rejection being the one shown below. The following additional rules apply:

    • reject /smapps/f?p=4550
    • permit /smapps/*
    • reject all

    Again, thanks for your help.


    • Mohamed_Lrhazi
      I am curious about what is missing from Kevin's post? Do you need help with:
      - How to write and use an iRule?
      - How to code "match client IP against list of subnets"?
      - How to code "match request URI against list of URIs"?
      - How to reject when conditions do not match?
      - ...
  • Okay, this isn't as dynamic as a data group, but should provide what you need:

    when HTTP_REQUEST {
        # Fold the URI to lower case once; every pattern below is lower case.
        set uri [string tolower [HTTP::uri]]
        if { not ( [class match [IP::client_addr] equals private_net] ) } {
            # process URI filter for external users (first matching pattern wins).
            # In a -glob pattern an unescaped "?" matches any single character, so
            # the literal query "?" is written "\?"; the trailing "*" makes each
            # rule a prefix match (f?p=202:1:... is still application 202).
            switch -glob -- $uri {
                "/i/*" -
                {/smapps/f\?p=202*} -
                {/smapps/f\?p=cac*} { return }
                {/smapps/f\?p*} { reject }
                "/smapps/*" { return }
                default { reject }
            }
        } else {
            # process URI filter for internal users
            switch -glob -- $uri {
                {/smapps/f\?p=4550*} { reject }
                "/smapps/*" { return }
                default { reject }
            }
        }
    }
    
  • Thanks Kevin. I will try this and let you know if it resolves our issue. Thanks again for your help.
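The switch-based iRule in Kevin's second reply cannot be exercised outside a BIG-IP, so the following is an added example (not from the thread, and not F5 code) that models the same ordered URI filter as plain Tcl runnable in tclsh. `HTTP::uri` and `IP::client_addr` become procedure arguments, the RFC 1918 check is done by hand instead of with `class match`, and a constructed set of requests shows the prefix-match behaviour, the escaped `?`, and the 172.16.0.0/12 boundary. The names `decide`, `is_private`, `in_cidr`, `ip2int` and all sample addresses and URIs are assumptions made for this example.

```tcl
#!/usr/bin/env tclsh
# Added example, not from the thread: the same ordered URI filter as the iRule
# above, written as plain Tcl so it can be unit-tested in tclsh before it is
# loaded on the BIG-IP. decide/is_private/in_cidr/ip2int are made-up names.

# Dotted-quad IPv4 address to a 32-bit integer.
proc ip2int {ip} {
    lassign [split $ip .] a b c d
    return [expr {($a << 24) | ($b << 16) | ($c << 8) | $d}]
}

# True if $ip lies inside $cidr (e.g. "10.0.0.0/8"); stands in for
# "class match [IP::client_addr] equals private_net".
proc in_cidr {ip cidr} {
    lassign [split $cidr /] net bits
    set mask [expr {(0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF}]
    return [expr {([ip2int $ip] & $mask) == ([ip2int $net] & $mask)}]
}

proc is_private {ip} {
    foreach cidr {10.0.0.0/8 172.16.0.0/12 192.168.0.0/16} {
        if {[in_cidr $ip $cidr]} { return 1 }
    }
    return 0
}

# First matching pattern wins, exactly as in the iRule. An unescaped "?" in a
# -glob pattern is a single-character wildcard, so the query "?" is written
# "\?"; the trailing "*" makes each rule a prefix match, which is what keeps
# /smapps/f?p=202:1:<session> inside application 202. Caveat: the prefix
# "202*" also admits application 2020; use "202" and "202:*" if that matters.
proc decide {client_ip uri} {
    set uri [string tolower $uri]
    if {![is_private $client_ip]} {
        switch -glob -- $uri {
            /i/*                -
            {/smapps/f\?p=202*} -
            {/smapps/f\?p=cac*} { return allow }
            {/smapps/f\?p*}     { return reject }
            /smapps/*           { return allow }
            default             { return reject }
        }
    } else {
        # Internal branch as in the reply: note it has no /i/* rule.
        switch -glob -- $uri {
            {/smapps/f\?p=4550*} { return reject }
            /smapps/*            { return allow }
            default              { return reject }
        }
    }
}

# Constructed requests: client address, URI, expected verdict.
set cases {
    {203.0.113.7  /i/logo.png                  allow}
    {203.0.113.7  /SMAPPS/F?P=202:1:12345      allow}
    {203.0.113.7  /smapps/f?p=cac:1            allow}
    {203.0.113.7  /smapps/f?p=2020:1           allow}
    {203.0.113.7  /smapps/f?p=4550:1           reject}
    {203.0.113.7  /smapps/f?p=101              reject}
    {203.0.113.7  /smapps/static/app.js        allow}
    {203.0.113.7  /admin                       reject}
    {10.1.2.3     /smapps/f?p=4550:1           reject}
    {10.1.2.3     /smapps/f?p=101:1            allow}
    {172.31.5.5   /smapps/f?p=101:1            allow}
    {172.32.5.5   /smapps/f?p=101:1            reject}
    {192.168.1.9  /i/logo.png                  reject}
}

foreach c $cases {
    lassign $c ip uri want
    set got [decide $ip $uri]
    puts [format "%-6s %-12s %-26s (expected %s)" $got $ip $uri $want]
    if {$got ne $want} { error "verdict mismatch for $ip $uri" }
}
puts "all [llength $cases] cases behaved as expected"
```

Run it with `tclsh filter_test.tcl`; a non-zero exit with "verdict mismatch" means a rule was reordered or a pattern lost its escape. The `/smapps/f?p=2020:1` and `172.32.5.5` rows are the two edge cases worth keeping when the rule list is changed: the first shows how loose a prefix match is, the second that the 172.16.0.0/12 block ends at 172.31.255.255.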