Forum Discussion

chris-gwin-nm_2
Dec 09, 2015

iRule question - restricted URL wildcard

I want to be able to create an iRule that allows only certain IP addresses to a URL, and every other IP gets redirected to the home page. I have a rule that works the way I want it to; however, the applications team is having the users input a string after the path.

So instead of the user just going to "/web/verificationService" they are actually going to "/web/verificationService?enrollmentId=123&individualId=1372823&lastName=Diaz", for example. Each string after the /web/verificationService is unique, so I was thinking of a wildcard.

What I tried was set restricted_url "/yesnm/verificationService*", but I don't think F5 recognizes the * as a wildcard, as when I test, the redirection to the home page no longer occurs for IPs not in the iRule.

Is there a way to tweak my full iRule below without having to get rid of the entire rule and rewrite from the beginning? Thanks

    when HTTP_REQUEST {
        # Base URL for filter
        set restricted_url "/web/verificationService"
        set redirected_url "/web"
        # Get the source IP.
        set source_IP [IP::remote_addr]
        # If the request includes the restricted_url...
        if { ([HTTP::uri] contains "$restricted_url") } {
            # Compare the source IP against a list of internal IP addresses.
            if { [IP::addr $source_IP equals 10.57.32.0/255.255.255.0] or
                 [IP::addr $source_IP equals 10.62.62.18/255.255.255.255] or
                 [IP::addr $source_IP equals 10.57.30.0/255.255.255.0] } {
                # The source IP is internal. Allow the request.
                log local0. "Access to $restricted_url allowed. Source IP: $source_IP"
            } else {
                # The source IP is not internal. Redirect the request.
                log local0. "Access to $restricted_url redirected. Source IP: $source_IP"
                HTTP::redirect "https://[getfield [HTTP::host] ":" 1]$redirected_url"
            }
        }
    }

 

2 Replies

  • I have used the text string .*? as a wildcard in stream expressions, and I think that is simply TCL syntax, so you might give .*? a try

  • Hi Chris,

     

    • the "contains" operator is actually a "*/web/verificationService*" wildcard.
    • the "starts_with" operator is actually a "/web/verificationService*" wildcard.
    • the "ends_with" operator is actually a "*/web/verificationService" wildcard.
    • the "equals" operator doesn't include any wildcards.

    So you may want to change your code to use the "starts_with" operator to optimize accuracy and also performance.
    when HTTP_REQUEST {
        # Base URL for filter
        set restricted_url "/web/verificationService"
        set redirected_url "/web"
        # Get the source IP.
        set source_IP [IP::remote_addr]
        # If the request includes the restricted_url...
        if { ([HTTP::uri] starts_with "$restricted_url") } {
            # Compare the source IP against a list of internal IP addresses.
            if { [IP::addr $source_IP equals 10.57.32.0/255.255.255.0] or
                 [IP::addr $source_IP equals 10.62.62.18/255.255.255.255] or
                 [IP::addr $source_IP equals 10.57.30.0/255.255.255.0] } {
                # The source IP is internal.  Allow the request.
                log local0. "Access to $restricted_url allowed.  Source IP: $source_IP"
            } else {
                # The source IP is not internal.  Redirect the request.
                log local0. "Access to $restricted_url redirected.  Source IP: $source_IP"
                HTTP::redirect "https://[getfield [HTTP::host] ":" 1]$redirected_url"
            }
        }
    }

    Cheers, Kai
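An added example, not code from the thread or from F5: a small Python emulation of the rule's decision logic, using the three internal networks and the redirect URL from the iRule above and the standard-library ipaddress module in place of [IP::addr ... equals]. It assumes the plain-string operator semantics Kai describes (no globbing), and the function names, sample host "portal.example:8443" and sample source addresses are constructed. Running it shows which operator catches the query-string URIs from the question, and why a literal * appended to restricted_url makes the URI test fail for everyone, so nobody is redirected any more.

```python
import ipaddress

# Networks and URL are the ones from the iRule in the thread; the rest is a
# constructed emulation for illustration, not F5 code.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.57.32.0/255.255.255.0"),
    ipaddress.ip_network("10.62.62.18/255.255.255.255"),
    ipaddress.ip_network("10.57.30.0/255.255.255.0"),
]
REDIRECTED_URL = "/web"

# The four operators as the reply describes them: plain string tests, no
# globbing, so a '*' in the pattern is just a literal character.
OPERATORS = {
    "contains": lambda uri, pat: pat in uri,
    "starts_with": lambda uri, pat: uri.startswith(pat),
    "ends_with": lambda uri, pat: uri.endswith(pat),
    "equals": lambda uri, pat: uri == pat,
}

def is_internal(source_ip: str) -> bool:
    """Stand-in for the chained [IP::addr $source_IP equals net/mask] checks."""
    return any(ipaddress.ip_address(source_ip) in net for net in INTERNAL_NETWORKS)

def decide(uri: str, source_ip: str, host: str,
           restricted_url: str = "/web/verificationService",
           op: str = "contains") -> str:
    """Outcome for one request: 'unfiltered' when the URI test fails (the
    if-block never runs, so nobody is redirected), 'allow' for an internal
    source, otherwise the redirect target the rule would send."""
    if not OPERATORS[op](uri, restricted_url):
        return "unfiltered"
    if is_internal(source_ip):
        return "allow"
    # [getfield [HTTP::host] ":" 1] keeps the host name and drops any port.
    return f"redirect:https://{host.split(':', 1)[0]}{REDIRECTED_URL}"

if __name__ == "__main__":
    # Constructed requests; the query string is the one quoted in the question.
    q = "/web/verificationService?enrollmentId=123&individualId=1372823&lastName=Diaz"
    samples = [
        (q, "10.57.32.10", "/web/verificationService", "contains"),
        (q, "192.0.2.5", "/web/verificationService", "starts_with"),
        (q, "192.0.2.5", "/web/verificationService*", "contains"),
        ("/web/other?next=/web/verificationService", "192.0.2.5", "/web/verificationService", "starts_with"),
    ]
    for uri, ip, restricted, op in samples:
        print(f"{op:<11} {restricted:<27} {ip:<12} -> {decide(uri, ip, 'portal.example:8443', restricted, op)}")
```

The last sample shows the difference between the two operators: "contains" also fires when the restricted path merely appears inside another URI's query string, while "starts_with" only fires when the path itself begins with it.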