Forum Discussion

Karthik_Krishn1's avatar
Karthik_Krishn1
Icon for Cirrostratus rankCirrostratus
Feb 19, 2016

iRule to match multiple conditions

Hello,

 

We are in the process of setting 2 factor for OWA only if the users are coming in from the Internet. When a user comes in from the internet and hits the page "https://webmail.company.com/owa" they should get redirected to a pool which has the servers configured for 2 factor. Any other URLS should be redirected to the pool that does not have 2 factor configured.

 

The rule I was working on would have a logic like this.

 

when HTTP_REQUEST { if { ([HTTP::uri] contains "/owa/") && not ([[class match [IP::client_addr] equals OWA-NO-2FA]]) } { pool OWA_2FA_Pool } else { pool OWA_SSL_POOL } }

 

If URI starts with /OWA/ and Source IP does not match datagroup (Internal networks) pool OWA-2FA-Pool

 

All other URL's ( eg /rpc/ ) should be sent to the default pool assigned to the VIP.

 

This rule would follow the http-https /owa redirect rule.

 

Any help would be appreciated.

 

thanks,

 

karthik

 

4 Replies

  • Instead of comparing ([HTTP::uri] contains "/owa") this ([HTTP::path] starts_with "/owa") would be more efficient. You might also want to ensure that you're looking at lower-case data by using ([[string tolower [HTTP::path]] starts_with "/owa") so you don't miss URLs like "https://webmail.company.com/OWA".
  • Hi Karthik,

    I've optimized a little your iRule based on some experiences...

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals OWA-NO-2FA] } then {
            set OWA-2FA 0
        } else {
            set OWA-2FA 1
        }
    }
    when HTTP_REQUEST {
        set low_uri [string tolower [HTTP::uri]]
        if { ( $OWA-2FA ) and 
             (( $low_uri starts_with "/owa" ) or 
              ( $low_uri starts_with "/ecp" )) } then { 
            pool OWA_2FA_Pool
        } elseif { $low_uri equals "/" } then {
            HTTP::redirect "/owa/"
        } else {
            pool OWA_SSL_POOL
        }
    }
    

    Note: I've moved the

    [class match [IP::client_addr]]
    to the
    CLIENT_ACCEPTED
    event to save some CPU cycles for
    keep-alive
    connections.

    Note: I'v added the

    [string tolower]
    command so that case-sensitive URI (e.g. /oWa/) wouldn't bypass your 2FA requirement.

    Note: I'v added the

    ($low_uri starts_with "/ecp")
    condition to force 2FA also for Exchange Control Panel (aka. OWA Settings).

    Note: I'v added a

    [HTTP::redirect "/owa/"]
    syntax to assist your users getting to their Inbox.

    Cheers, Kai

  • Thanks guys. I will test this out later tonight and will post a reply here on whether it worked or not.