Forum Discussion

Ashu_Aggarwal
Apr 02, 2020

i-rule to allow specific urls only

I have to configure a VS to allow only two URLs & block everything else. For example, https://mycompany.com/abc/* & https://mycompany.com/xyz/* should be allowed & everything else should be blocked. Can someone help me with a possible i-rule or a method to achieve the same? TIA

9 Replies

    • Ashu_Aggarwal (Cirrus)

      Thanks for your response. I tried this but it blocked the whole site. Also, which version of BIG-IP are you running on? I have 13.1.7 & I don't see the same screen after policy creation.

      • Simon_Blakely (Employee)

        That policy is missing a leading "/" for the URI paths, because I switched from "contains" to "starts_with" - sorry. Also, make it a case-insensitive check (using the options button).

        HTTP URI path starts with "/abc/", or "/xyz/" at request time

        It's worth persisting with Local Traffic Policies until you get them working - they really are the best solution to start with.

  • @Janet, your iRule is correct, but a small modification is needed to fulfill the actual request.

    when HTTP_REQUEST {
        # Drop any request whose lower-cased URI does not start with /abc or /pqr
        if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
            drop
        }
    }

      • Samir (MVP)

        Thank you so much for the feedback. We wrote the iRule based on your question/assumption. I believe you are passing a wildcard parameter in "/abe/*", which may not return the proper result. It is a DevCentral tip; modify it according to business needs.

        Try a switch condition or an F5 policy.

  • Thanks, but my request is to allow the two URIs & drop everything else, & for a dropped request the user gets an HTTP 403 request forbidden.

    • jaikumar_f5 (MVP)

      Try putting in logging to see if you are capturing the right URIs.

      You can follow Samir's iRule and, since you wanted a 403, replace drop with respond 403.

      when HTTP_REQUEST {
          if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
              HTTP::respond 403 content "<html><body>Access Denied</body></html>"
          } else {
              log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
          }
      }

      If you want to test before implementing, to make sure you are putting in the right actions, put logging first. Something like below:

      when HTTP_REQUEST {
          if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
              log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is to be blocked with a 403"
          } else {
              log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
          }
      }
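
Added example, not code from any poster in this thread: an offline Python model for checking an allowlist rule before deploying it. It compares the thread's raw-URI prefix test with a test on the normalized path that keeps the trailing slash, as in the "/abc/" policy condition above. Assumptions: "/xyz" from the question stands in for the posted "/pqr", the backend decodes percent-encoding once and resolves dot segments, and all function names and sample URIs are constructed for illustration.

```python
from urllib.parse import unquote

# The question's two paths. The posted iRules test the raw URI against a
# prefix with no trailing slash; "/xyz" stands in here for their "/pqr".
LOOSE_PREFIXES = ("/abc", "/xyz")
STRICT_PREFIXES = ("/abc/", "/xyz/")

def raw_prefix_allows(uri, prefixes=LOOSE_PREFIXES):
    """Model of the thread's check: [string tolower [HTTP::uri]] starts_with ..."""
    return uri.lower().startswith(prefixes)

def resolve_dot_segments(path):
    """Collapse '.', '..' and empty segments (assumed backend behaviour)."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    resolved = "/" + "/".join(out)
    return resolved + "/" if path.endswith("/") and out else resolved

def normalized_path_allows(uri, prefixes=STRICT_PREFIXES):
    """Drop the query string, percent-decode once, resolve dot segments, then match."""
    path = unquote(uri.split("?", 1)[0]).lower()
    return resolve_dot_segments(path).startswith(prefixes)

# Constructed sample request URIs (not taken from the thread).
SAMPLES = [
    "/abc/index.html",
    "/XYZ/report?id=7",
    "/abcdef/private",
    "/abc/../admin",
    "/abc/%2e%2e/admin",
    "/other",
]

def compare(uris=SAMPLES):
    """Return (uri, raw-prefix verdict, normalized-path verdict) per request."""
    return [(u, raw_prefix_allows(u), normalized_path_allows(u)) for u in uris]

if __name__ == "__main__":
    for uri, loose, strict in compare():
        print(f"{uri:22} raw-prefix={'allow' if loose else '403':5} "
              f"normalized={'allow' if strict else '403'}")
```

Requests where the two columns disagree are the ones to replay against the virtual server with logging enabled, as suggested above, before switching the rule to enforce.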