Need help on i-rule to specific uri path

Question

Hello All,&nbsp;I'm working on an i-rule that I need to do the following; given a set of specific source ip addresses, only allow access to specific uris of /ws/rest/external*.&nbsp;&nbsp;I set the specific source addresses in a data group, referencing the data group. When I apply this i-rule to the virtual server, on testing I get an Insecure HTTPS message. I am on version 15.8.1.2. We plan to upgrade to most stable release on 16 soon.&nbsp;&nbsp;Any suggestions on what I can do with the i-rule posted below? Thanks in advance.when CLIENT_ACCEPTED {&nbsp; if { [class match [IP::client_addr] equals Boomi_external] } {&nbsp; &nbsp; &nbsp;pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool&nbsp;}}when HTTP_REQUEST {if ![HTTP::has_responded] {if { ([HTTP::host] equals "apigway-d.lanl.gov" or [HTTP::host] equals "apigway-d.lanl.gov") } {&nbsp; &nbsp; if { [HTTP::uri] starts_with "/ws/rest/external* &nbsp; &nbsp;" || [HTTP::uri] starts_with "/ws/rest/external*" } {&nbsp; &nbsp; pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; else { reject }&nbsp; &nbsp; return&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp;&nbsp; &nbsp; }&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

sanjayp · Answer

Try belowwhen HTTP_REQUEST {
	    switch -glob [string tolower [HTTP::uri]] {
	        "/ws/rest/external*" {
            if { [class match [IP::client_addr] equals Boomi_external] } {
		    pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
			} else {
             reject
              }
	        } default {
            drop
	      }
         }
      }&nbsp;

aaronjb · Answer

The insecure HTTPS message is very unlikely to have been caused by your iRule - most likely it is because the server IP/name you are going to in order to reach the Virtual Server does not match the CN in the SSL certificate returned by the pool member.
&nbsp;
Regarding the iRule; I&nbsp;strongly suggest using [HTTP::uri -normalized] to ensure that your iRule cannot be bypassed by encoding slashes or other bypasses (e.g. //, //./, %2F etc) (everyone should be doing this, really!). Other than that, Sanjay's rule above should be more efficient.

zamroni777 · Answer

because the "else" is basicaly reject, you can just simply assing the pool to the virtual server and bind below traffic policy to the virtual server.

it is better to use local traffic policy instead of irules scripting due to better performance and avoid scripting typo.

cgwin12 · Answer

Sanjay and Aaron, thanks for your input.v I'm getting a little closer. On the initial HTTP GET request this i-rule is working. However, when the testers attempt a POST, they error out with the insecure message.&nbsp;I have pasted the new i-rule below. I also added logging to find out why the connection is getting reset.&nbsp;The output of the log is also below the i-rule. It is the result of running a tail. It is run, greping the i-rule.&nbsp;tail -f /var/log/ltm | grep /Common/Boomi_external_redirectThanks for your input so far, we're close.&nbsp;&nbsp;when CLIENT_ACCEPTED {&nbsp; if { [class match [IP::client_addr] equals Boomi_external] } {&nbsp; &nbsp; &nbsp;pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool&nbsp;}}when HTTP_REQUEST {&nbsp; &nbsp; &nbsp; &nbsp; switch -glob [string tolower [HTTP::uri -normalized]] {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "/ws/rest/external*" {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if { [class match [IP::client_addr] equals Boomi_external] } {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; } else {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;reject&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; } log local0. "HTTP::reject_reason"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; } default {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; log local0. "HTTP Headers = [HTTP::host], [HTTP::uri]"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;}&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;}&nbsp; &nbsp; &nbsp; }&nbsp;OUTPUT OF THE ERROR:&nbsp;May 23 09:22:41 bigip1.lanl.gov err tmm1[22445]: 01220001:3: TCL error: /Common/Boomi_external_redirect &lt;HTTP_REQUEST&gt; - wrong # args: extra words after "else" clause in "if" command&nbsp;&nbsp;&nbsp;&nbsp; while compiling "if { [class match [IP::client_addr] equals Boomi_external] } {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; reject&nbsp;&nbsp;&nbsp; ..."&nbsp;&nbsp;&nbsp;&nbsp; ("/ws/rest/external/*" arm line 2)&nbsp;&nbsp;&nbsp;&nbsp; invoked from within "switch -glob [string tolower [HTTP::uri -normalized]] {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"/ws/rest/external/*" {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if { [class match [IP::client_addr] equals Boomi_..."&nbsp;&nbsp;&nbsp;

cgwin12 · Answer

Thanks, zamroni. I realized I needed to add some additional lines, per F5s recommendation for software releases after v14. This is per https://my.f5.com/manage/s/article/K23237429.I like your suggestion about the local traffic policy. I will try that next time I get these requests.&nbsp;&nbsp;So it works with my i-rule as shown:when CLIENT_ACCEPTED {&nbsp; if { [class match [IP::client_addr] equals Boomi_external] } {&nbsp; &nbsp; &nbsp;pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool}}when HTTP_REQUEST {&nbsp;if ![HTTP::has_responded] {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; switch -glob [string tolower [HTTP::uri -normalized]] {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "/ws/rest/external*" {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if { [class match [IP::client_addr] equals Boomi_external] } {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; } else {&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;reject&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; } log local0. "HTTP::reject_reason"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; } default {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; log local0. "HTTP Headers = [HTTP::host], [HTTP::uri]"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }}&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;}&nbsp; &nbsp; &nbsp; }&nbsp;&nbsp;

Forum Discussion

Need help on i-rule to specific uri path

6 Replies

Recent Discussions

Deny access to F5 management from specific addresses

ldap vip using a F5 template

Send Client HTTP Request to Pool And Send HTTP Response From BIG-IP to Client.

BigIP UCS Backup script; looking for some guidance on design

Rewrite profile statistics in ltm

Related Content

i-rule header insert - APM

I-rule for adapt request "response page"

Disabling Specific Weak Cipher Suites

How do I know the rule name of the blocked rule ID in AWS F5 WAF?

Load balancing method specific decision