ASM Wildcard in the middle of the URL
Hello everyone
Does anyone know if it is possible to have a wildcard in the middle of a URL when building an ASM policy? For example, can we do this:
/pathto/*/resource
?
Thank you.
Forum Discussion
5 Replies
youssef1Cumulonimbus
Hello,
Yes it is possible: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-1-0/asm_wildcard.html?sr=47048222
Let me now if you need additional informations
Regards,
Right, I've tested this and it does indeed work.
To expand on the above, the application we are protecting uses REST API calls. A client, as part of its request, sends through an ID in the URL. The ID is unique to each client, and with potentially thousands of clients, must be dealt with using a wildcard.
However, there are other calls the client can make that also require sending the ID, but appended is another folder/service. For example:
Call 1 from client = [HOST]/account/
Call 2 from client = [HOST]/account//product
Not sure if this is possible but can we have it so that we can wildcard the first call, e.g. '/account/*' & thus take care of the unique IDs in the requests, but also ensure that should a client request anything past the 'product' service, get blocked? So for example a client requesting the following would be blocked:
[HOST]/account//product/someotherservice
Initial thoughts suggest no, this isn't possible because the wildcard (/account/*) would mean that literally anything past 'account' would be permitted. Just trying to understand the art of the possible here.
Thank you.
- youssef1
Hello,
if it is just URI restrion I advise you to do this by IRULE. you do not need to do this operation on the ASM. If so, I can provide you the IRULE that will answer your needs.
Regards
Thanks youssef
That is potentially an interesting idea. Let me first state that this is not just about restricting access to URLs. ASM is mandatory and is required for lots of other things. If an iRule can be crafted to help us achieve the above in addition to ASM then I’d be glad to hear how that could work?
Thanks
- youssef1
Hello Delvin,
I know that in your situation ASM is mandatory. But in some case you want just restrict URI Access. You just have to know that your Irule, (HTTP_REQUEST event ) is executed before ASM. So In addition to your ASM Policy you can create and assign an Irule to your service in order to restrict some URI:
Below a simple example. I could not test it.
when HTTP_REQUEST { if { ([HTTP::uri] starts_with "/account/" && ([string match "\/account\/[^\/]+" [HTTP::path]] || [string match "\/account\/[^\/]+\/product" [HTTP::path]]) } { Pass } else { reject } }Regards
