IRULE to restrict a specific url after initiated first session

Question

Dear AllI need help to make an irule for a reason.A and B both are clients. A is initiated a session from his device. A has an API result with some information with "xxx.com/api/info". After getting the result, the same result link is shared with B, and he is getting the same output. Here I need to restrict user B, if he gets the link, then the connection will drop.&nbsp;I suspect it might work if I can detect the device ID and the session ID is mismatched after initiating the traffic.Can anyone please provide me with a solution to this? It would be very helpful to me.Thanks in advance.

jrahm · Answer

Hi&nbsp;Saidur900,&nbsp;not tested, but to give an idea, you can use the table command to add a key of your random string to the session table, and then upon any other request, if the key is there, the connection will be dropped. I have an indefinite timer here, but the more random strings you have, the larger your memory footprint will grow over time, so be careful unless you're going to flush the table on occassion. I'd recommend a timeout far less, or at least have an automated process to flush the table. But...it's possible. Again, the code is untested, but should get you started. Note that this assumes the HTTP::path ends with your random string. If not, it will need to be adjusted.
when HTTP_REQUEST priority 500 {
    ### Assumes the random string completes the HTTP path! ###
    if {[string match "/api/info/ms*" [HTTP::path]]} {
        set key [string range $uri 13 end]
        if {[table lookup -- -subtable api_paths $key] != ""} {
            drop
        } else {
            table set -- -subtable api_paths $key 1 indefinite
        }
    }
}

mohamed_ahmed_kansoh · Answer

Hello&nbsp;Saidur900&nbsp;,&nbsp;you can create an iRule or LTM policy has two conditions ( Source ip of user B &amp; uri &gt;&gt; "xxx.com/api/info" )&nbsp;and take action of dropping.&nbsp;I see that device id is not suitable as it forces you that user A and B must run the injected java script in bigip first response to create device id in bigip.&nbsp;I believe that you need a static identifier for user B such as static ip address for it.&nbsp;

saidur900 · Answer

Hi&nbsp;Mohamed KansohThanks for your reply.Actually, I don't want to restrict any static identifier. I don't know how to do it, but the requirement is, when first Client A, is already served with the URL. Then any other device shouldn't get access with that same URL. Note that, the URL is not static either, it generates some random numbers such as&nbsp;"xxx.com/api/info/ms1672635"

mohamed_ahmed_kansoh · Answer

Hi&nbsp;Saidur900&nbsp;,&nbsp;no worries about changing in URI as you can use "starts_with" or "contains" operators if your uri not static.&nbsp;So now your requirement is ,&nbsp;you need only one connection in bigip to access this URI and anyother connection requests this uri should be dropped regardless Client A or B , you only need this URI to be accessed onetime for only exclusive connection through bigip , and if this connection fininshed or timeout , it's allowed for any client to access it.&nbsp;So one connection to this URL at a time ?&nbsp;

saidur900 · Answer

Hi KanoshYes, single connection to this url at a time. This url contains sensitive information, so need a solution. I dont understand where to start.

Forum Discussion

IRULE to restrict a specific url after initiated first session

6 Replies

Recent Discussions

Trouble with TCP::option set 28

CITRIX remote desktop solution using F5 APM

BIG-IP rseries license

LDAPS: intermittent login issues

VMWare Backups of active VEs?

Related Content

Proxy Protocol v2 Initiator

Office 365 Tenant Restrictions

Proxy Protocol Initiator

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

F5 iRule Geolocation restriction