Forum Discussion

FaresB
Apr 22, 2020

Blocking a URI wildcard to a specific hostname and using a header

Hi,

I'm trying to block the wildcard "/*", but I need to allow access to "/pathA/*" and "/pathB/*" from a specific hostname. I also need to block these paths in the "Referer" header.

Basically, every access to "/*" should be rejected except paths containing the keywords "pathA" and "pathB".

I have tried this iRule, but it does not seem to work:

when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] contains "myhostname.society.com") && (![HTTP::uri] contains "/pathA" || ![HTTP::uri] contains "/pathB")} {
        HTTP::respond 403
    }
    elseif { ((![HTTP::header "Referer"] contains "/pathA") || (![HTTP::header "Referer"] contains "/pathB")) }
    {
        HTTP::respond 403
    }
}

Can you help me?

Regards

2 Replies

  • Hello,

    According to my understanding, it could be this:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] contains "myhostname.society.com" && !( [HTTP::uri] contains "/pathA" || [HTTP::uri] contains "/pathB" || [HTTP::header Referer] contains "/pathA" || [HTTP::header Referer] contains "/pathB" ) } {
            HTTP::respond 403
        }
    }

    As well as this one:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] contains "myhostname.society.com" } {
            switch -glob [HTTP::path][HTTP::header Referer] {
                "*/pathA*" -
                "*/pathB*" { }
                default { HTTP::respond 403 }
            }
        }
    }

    I hope it helps.

  • FaresB

    Never mind, actually this iRule seems to be OK!!

    I used only this one on my VS and everything looks fine.

    The condition switch -glob [HTTP::path][HTTP::header Referer] is perfect in my case!!

    Thank you cjunior!!

    Here is the solution that worked in my case:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] contains "hostname" } {
            switch -glob [HTTP::path][HTTP::header Referer] {
                "*/pathA*" -
                "*/pathB*" { }
                default {
                    log local0. "condition header et hostname"
                    reject
                }
            }
        }
    }
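
Added example, not part of any post in this thread: a plain-Tcl model of the three rules above, run against constructed requests to show which ones each rule rejects. The procs `has`, `host_ok`, `question_rule`, `reply_bool` and `reply_switch` are hypothetical names, the request values are passed as ordinary arguments instead of `HTTP::` commands, and the question's rule is modelled on the assumption that each `!` was meant to negate a whole `contains` test.

```tcl
# Plain-Tcl model of the thread's three rules; runs in tclsh, no BIG-IP.
# host/uri/referer stand in for [HTTP::host], [HTTP::uri] or [HTTP::path],
# and [HTTP::header Referer]. All sample values are constructed.

# iRules "contains" as a plain substring test.
proc has {s kw} { return [expr {[string first $kw $s] >= 0}] }
proc host_ok {host} { return [has [string tolower $host] "myhostname.society.com"] }

# Question's rule, assuming each "!" was meant to negate a whole
# "contains" test: 403 unless BOTH keywords are present.
proc question_rule {host uri referer} {
    if {[host_ok $host] && (![has $uri "/pathA"] || ![has $uri "/pathB"])} {
        return 403
    } elseif {![has $referer "/pathA"] || ![has $referer "/pathB"]} {
        return 403
    }
    return allow
}

# First reply: 403 only when none of the four tests matches.
proc reply_bool {host uri referer} {
    if {[host_ok $host] && !([has $uri "/pathA"] || [has $uri "/pathB"]
            || [has $referer "/pathA"] || [has $referer "/pathB"])} {
        return 403
    }
    return allow
}

# Second reply (the accepted rule): one glob over path and Referer joined.
proc reply_switch {host path referer} {
    if {![host_ok $host]} { return allow }
    switch -glob -- $path$referer {
        "*/pathA*" -
        "*/pathB*" { return allow }
        default    { return 403 }
    }
}

set host "myhostname.society.com"
foreach {path ref} {
    /pathA/index.html  {}
    /pathB/app.js      https://myhostname.society.com/pathA/
    /other/page        {}
    /other/page        https://myhostname.society.com/pathA/
} {
    puts [format "%-18s %-38s q=%-5s bool=%-5s switch=%s" $path $ref \
        [question_rule $host $path $ref] [reply_bool $host $path $ref] \
        [reply_switch $host $path $ref]]
}
```

The modelled question rule returns 403 for every sample because no single URI contains both keywords, while both reply rules allow `/other/page` once its Referer contains `/pathA`, since the Referer is matched as an alternative to the path. The Referer header is supplied by the client, so a rule of this shape filters well-behaved traffic and is not an access control on its own.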