Forum Discussion

3 Replies

  • Hi Sanalbabu,

    I assume that this allow/blocking functionality would be needed for a virtual server serving a specific website, right? If so, then use the snippet below as a starting point...

    when CLIENT_ACCEPTED {
        # Flag clients from the RFC1918 private ranges as trusted; the flag is reused per request below
        if { ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) or
             ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] ) or
             ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] ) } then {
            set my_trusted_clients 1
        } else {
            set my_trusted_clients 0
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            # Lower-case the URI once, so the prefix comparisons below are case-insensitive
            set low_uri [string tolower [HTTP::uri]]
            if { ( $my_trusted_clients ) and
                (( $low_uri starts_with "/xyz/ccc" ) or
                 ( $low_uri starts_with "/xyz/yyy" ) or
                 ( $low_uri starts_with "/xyz/ppp" ) or
                 ( $low_uri starts_with "/xyz/ooo" )) } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                # Insert your block code here, to handle the blocked requests
                #
                # Below are some examples...
                #
                # 1.) Sending a redirect
                # HTTP::redirect "http://www.somesite.com/errorpage.html"
                #
                # 2.) Sending an error page
                HTTP::respond 403 content "Access denied"
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

    Cheers, Kai

     

  • Thanks for your reply.

    My requirement is something as below.

    I have created two data groups in my F5 for the source IP as well as the URL list.

    IP data group name: allowed_IP
    URL data group: allowed_url

    We would like to deny the access if the request is only for www.abc.com/xyz, but at the same time it should allow when it comes for www.abc.com/xyz/ccc.

    URLs to be allowed

    www.abc.com/xyz/ccc
    www.abc.com/xyz/yyy
    www.abc.com/xyz/ppp
    www.abc.com/xyz/ooo

    URL to be blocked

    www.abc.com/xyz

    So if a request comes for the allowed_url list, it should allow for all. But if it is for only www.abc.com/xyz, allow only for the IP address data group "allowed_IP". Everything else should be blocked.

     

  • Hi Sanalbabu,

    to cover your latest requirements, you may take a look at the two examples below...

    Note: I've written two different versions for you, to optimize the performance based on your expected request pattern. So please estimate your expected request pattern and then either use the outlined iRules of scenario 1 or scenario 2.

    Scenario 1

    The iRule below should be used if you expect many requests to trigger the IP-based allow list for /xyz.

    when CLIENT_ACCEPTED {
        # Evaluate the IP data group once per connection and cache the result
        # (DataGroup_ALLOWED_IP_ADDR stands for your "allowed_IP" data group)
        if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
            set my_trusted_clients 1
        } else {
            set my_trusted_clients 0
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            # The URI is lower-cased, so the entries of the URI data group must be lower-case too
            set low_uri [string tolower [HTTP::uri]]
            # Datagroup_ALLOWED_URIs stands for your "allowed_url" data group
            if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                if { $my_trusted_clients } then {
                    # You may insert additional iRule code here, to handle requests for the explicitly allowed client IPs
                } else {
                    # Insert your block code here, to handle the blocked requests
                    #
                    # Below are some examples...
                    #
                    # 1.) Sending a redirect
                    # HTTP::redirect "http://www.somesite.com/errorpage.html"
                    #
                    # 2.) Sending an error page
                    HTTP::respond 403 content "Access denied"
                }
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

    Scenario 2

    The iRule below should be used if you expect just a few requests to trigger the IP-based allow list for /xyz.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            # The URI is lower-cased, so the entries of the URI data group must be lower-case too
            set low_uri [string tolower [HTTP::uri]]
            # Datagroup_ALLOWED_URIs stands for your "allowed_url" data group
            if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                # The IP data group is only consulted for /xyz requests that did not match the allow list
                # (DataGroup_ALLOWED_IP_ADDR stands for your "allowed_IP" data group)
                if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
                    # You may insert additional iRule code here, to handle requests for the explicitly allowed client IPs
                } else {
                    # Insert your block code here, to handle the blocked requests
                    #
                    # Below are some examples...
                    #
                    # 1.) Sending a redirect
                    # HTTP::redirect "http://www.somesite.com/errorpage.html"
                    #
                    # 2.) Sending an error page
                    HTTP::respond 403 content "Access denied"
                }
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

    Cheers, Kai
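As an added, constructed check (not F5 code and not from Kai's posts): a Python model of the branch order shared by the first reply's snippet and the two scenario iRules, run over sample requests that show where `starts_with` prefix matching is broader than the literal paths in the allow list. The data group contents and IP addresses are assumed.

```python
import ipaddress

# Constructed stand-ins for the two data groups (allowed_IP / allowed_url in the thread).
# URI entries must be lower-case, because the iRule lowers HTTP::uri before matching.
ALLOWED_IP_ADDR = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.5/32")]
ALLOWED_URIS = ("/xyz/ccc", "/xyz/yyy", "/xyz/ppp", "/xyz/ooo")


def decide(client_ip: str, host: str, uri: str) -> str:
    """Mirror the branch order of the HTTP_REQUEST event in Scenario 1/2.

    Returns "allowed-uri", "allowed-ip", "blocked", "other-subsite" or "other-site".
    """
    if host.lower() != "www.abc.com":                    # [string tolower [HTTP::host]] equals ...
        return "other-site"
    low_uri = uri.lower()                                 # HTTP::uri carries path *and* query string
    if low_uri.startswith(ALLOWED_URIS):                  # class match ... starts_with Datagroup_ALLOWED_URIs
        return "allowed-uri"                              # evaluated first, so it wins over the /xyz block
    if low_uri.startswith("/xyz"):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in ALLOWED_IP_ADDR):   # class match ... equals DataGroup_ALLOWED_IP_ADDR
            return "allowed-ip"
        return "blocked"                                  # HTTP::respond 403
    return "other-subsite"


# Constructed requests: (client IP, Host header, URI, expected outcome).
CASES = [
    ("10.1.2.3", "www.abc.com", "/xyz/ccc/index.html", "allowed-uri"),
    ("8.8.8.8", "WWW.ABC.COM", "/XYZ/YYY?id=1", "allowed-uri"),   # host and URI are case-insensitive
    ("10.1.2.3", "www.abc.com", "/xyz", "allowed-ip"),
    ("8.8.8.8", "www.abc.com", "/xyz", "blocked"),
    ("8.8.8.8", "www.abc.com", "/xyz/other", "blocked"),
    ("8.8.8.8", "www.abc.com", "/xyz/cccx", "allowed-uri"),       # prefix match: more than /xyz/ccc/
    ("8.8.8.8", "www.abc.com", "/xyzzy", "blocked"),              # prefix match: /xyz also covers /xyzzy
    ("8.8.8.8", "www.abc.com", "/abc", "other-subsite"),
    ("8.8.8.8", "other.abc.com", "/xyz", "other-site"),
]


def mismatches():
    """Return the cases whose modelled outcome differs from the expectation (empty when the policy holds)."""
    return [(ip, host, uri, want, decide(ip, host, uri))
            for ip, host, uri, want in CASES if decide(ip, host, uri) != want]


if __name__ == "__main__":
    for ip, host, uri, want in CASES:
        print(f"{ip:12} {host:14} {uri:22} -> {decide(ip, host, uri)}")
    print("mismatches:", mismatches())
```

If matches such as /xyz/cccx are not intended, store the allow-list entries with a trailing slash and handle the bare sub-site path as a separate entry.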