
Q&A: Is it possible to control URL access with iRule?

 

Question

 Is it possible to control URL access with iRule?

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • iRule

 

Answer

Yes, this is possible with the following iRule:

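when HTTP_REQUEST priority 300 {
    # Trigger when the lowercased request URI matches the protected URI
    # and the client IP is not in the whitelist datatable.
    if { ([class match -- [string tolower [HTTP::uri]] equals "/example/uri"]) && (![class match -- [IP::client_addr] equals [call ag_info0::datatable_name example_ip_datatable]]) } {
        # Log the block under the rule name, then drop the connection.
        set agl [call ag_log0::open -rulename URI_whitelist_name -rulever 1]
        call ag_log0::http_kvp $agl INFO action "IP have been blocked."
        drop
    }
}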

This iRule can be deployed with one of the following matching operators:

  • equals - The incoming HTTP request must exactly match the specified URI (/example/uri in the example) for the rule to trigger.
  • contains - The incoming HTTP URL string is scanned for /example/uri, and the rule triggers if there is a match anywhere in it.
  • starts_with - The incoming HTTP request URL is checked for whether it starts with /example/uri.

 

The above iRule controls access to the given URI resource and gives access only to IPs that are present in the created IP datatable (e.g. example_ip_datatable).
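An offline model of the rule's decision, added here as an example (Python, not Silverline or F5 code), for checking which requests each operator covers before the URI is handed to the SOC. The sample URIs, IP ranges and function names are constructed; it assumes [HTTP::uri] carries the path plus any query string and that the datatable holds IP networks.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for the page's example_ip_datatable.
EXAMPLE_IP_DATATABLE = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
PROTECTED = "/example/uri"

# Constructed request URIs (path plus query string, as [HTTP::uri] returns them).
SAMPLE_URIS = [
    "/example/uri",
    "/Example/URI",
    "/example/uri?id=1",
    "/example/uri/settings",
    "/other/example/uri",
    "/example/uri-public",
    "/index.html",
]

# The three matching operators described above, modelled on plain strings.
OPERATORS = {
    "equals": lambda uri, pat: uri == pat,
    "contains": lambda uri, pat: pat in uri,
    "starts_with": lambda uri, pat: uri.startswith(pat),
}

def uri_matches(uri, operator, pattern=PROTECTED):
    # The iRule lowercases the URI before comparing it.
    return OPERATORS[operator](uri.lower(), pattern)

def ip_allowed(client_ip):
    addr = ip_address(client_ip)
    return any(addr in net for net in EXAMPLE_IP_DATATABLE)

def decide(uri, client_ip, operator):
    """Return 'drop' when the rule fires, otherwise 'pass'."""
    if uri_matches(uri, operator) and not ip_allowed(client_ip):
        return "drop"
    return "pass"

def coverage(operator, client_ip="192.0.2.10"):
    """Decision per sample URI for a client that is not in the datatable."""
    return {uri: decide(uri, client_ip, operator) for uri in SAMPLE_URIS}

if __name__ == "__main__":
    for op in OPERATORS:
        print(op)
        for uri, verdict in coverage(op).items():
            print(f"  {verdict:5} {uri}")
```

For a client outside the datatable, equals leaves /example/uri?id=1 and /example/uri/settings uncovered, while contains also drops unrelated paths such as /other/example/uri; pick the operator against the real URI layout.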

Note:

It is possible to remove the "drop" command and replace it with, for example, "ASM::disable" to whitelist IPs only on the WAF. In the above example with "drop", incoming connecting clients will still be scanned by the WAF.

 

How to deploy iRule

In order to deploy the iRule, provide the SOC with the following:

1. A name for the iRule.

2. A name for the IP datatable that holds the IP whitelist.

3. The URI that needs to be access-controlled.

 
