Forum Discussion

Domel_163525's avatar
Domel_163525
Icon for Nimbostratus rankNimbostratus
Nov 30, 2015

How to create a Policy to block websites

Hi Guys,

 

Question to ask.

 

I have a VS configured and accessible externally on my F5. An A record has been crated of X.X.X.X to www.mydomain.co.uk and that works perfectly fine.

 

The problem is there is a couple websites hosted on the back end server:

 

www.mydomain.co.uk/owa www.mydomain.co.uk/autodiscovery www.mydomain.co.uk/etc . . . and so on...

 

I would like to create a Policy which will check the URI and if it's /owa for example I would like to drop it but for everything else allow it.

 

Is that doable at all?

 

Thanks, Dom

 

application delivery
BIG-IP
LTM
policy

8 Replies

Sort By
  • eneR's avatar
    eneR
    Icon for Cirrostratus rankCirrostratus
    Nov 30, 2015

    Hey, my suggest:

    when HTTP_REQUEST {
        if { [HTTP::uri] equals "/owa"] } {
            drop
        } 
    }
  • Domel_163525's avatar
    Domel_163525
    Icon for Nimbostratus rankNimbostratus
    Nov 30, 2015

    Hello there,

     

    I do have an iRule in place:

     

    when HTTP_REQUEST { if { [ class match [string tolower [HTTP::uri]] contains allowed_uris ] } { Stop processing the iRule for this event here return } else { drop } }

     

    class allowed_uris { "/site1/" "/site2/" "/site3/*" }

     

    But was wondering if the same can be achieved with a simple policy?

     

  • Domel_163525's avatar
    Domel_163525
    Icon for Nimbostratus rankNimbostratus
    Nov 30, 2015

    If it's not doable can I actually redirect to another URL if "/owa" is typed in by using iRule?

     

  • Domel_163525's avatar
    Domel_163525
    Icon for Nimbostratus rankNimbostratus
    Nov 30, 2015

    Probably silly question but not very good in coding iRules...

     

    What am I missing here:

     

    when HTTP_REQUEST { if { [ class match [string tolower [HTTP::uri]] contains web-exchange-external-datagroup ] } { Stop processing the iRule for this event here return } elseif {[HTTP::uri] equals "/owa"] } { HTTP::respond 301 Location "https://mynewurl.co.uk" } }

     

    • eneR's avatar
      eneR
      Icon for Cirrostratus rankCirrostratus
      Dec 01, 2015
      What does not work? Or is it working but not as expected? Maybe you want to append the uri to your new location url? { HTTP::respond 301 Location "https://mynewurl.co.uk[HTTP::uri]" }
  • Domel_163525's avatar
    Domel_163525
    Icon for Nimbostratus rankNimbostratus
    Dec 01, 2015

    The iRule could not even be saved on BIG-IP as the code was incorrect.

     

    I have used this one and it works fine now:

     

    when HTTP_REQUEST { if { [HTTP::uri] equals "/owa" } { HTTP::respond 301 Location "https://mynewurl.co.uk" } elseif { [ class match [string tolower [HTTP::uri]] contains web-exchange-external-datagroup ] } { return} else { drop} }

     

    Thanks for your help.

     

    P.S. how do I make my iRule to appear in a table (like yours) when I reply here?

     

  • eneR's avatar
    eneR
    Icon for Cirrostratus rankCirrostratus
    Dec 01, 2015
    when HTTP_REQUEST { 
if { [HTTP::uri] equals "/owa" } 
    { HTTP::respond 301 Location "https://mynewurl.co.uk" } 
elseif 
    { [ class match [string tolower [HTTP::uri]] contains web-exchange-external-datagroup ] } 
{ return}
else { drop}}

    Like this? I always write the irule in notepad++ or f5irule editor and copy it.

     

    And in the devcentral answer field I press on the fourth icon (Performatted Code) and paste my code in.

     

    But sometimes i still have to add some space characters here or tab's there .. 😄

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Dec 01, 2015

    There is a "how to format" link on the top right corner...

     

    I don't see any error on the code:

     

    when HTTP_REQUEST {
    if { [HTTP::uri] equals "/owa" } {
        HTTP::respond 301 Location "https://mynewurl.co.uk"
    } elseif { [ class match [string tolower [HTTP::uri]] contains web-exchange-external-datagroup ] } {
        return
    } else { drop}
}

    But in your first request, you wanted to do it with a policy...

     

    you can create a local traffic policy to do the same:

     

    • requires : http
    • controls : forwarding
    • Strategy : first-match
    • rule 1:
    • rule 2:
      • condition : http-uri path starts_with /autodiscovery /etc ...
      • action : none
    • rule 3:
      • condition : none
      • action : forward reset