Using array of URLs to block access?

PjarInk Member
Hello

I'm having issues with creating an aflex that has an array of urls that I want to block access to through the AX.

I don't know how to handle the array correctly. I want to redirect to the site root whenever someone tries to access these urls.
I've tried different variants of this script (that I tried to construct with the help of Mr. Google):

when RULE_INIT {
    array set ::BACKEND [list "/url1" "/url2" "/url3" etc]
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with ::BACKEND } {
        HTTP::redirect http://[HTTP::host]
    }
}

Comments

  • mischa Member
    edited February 2014
    What does the aFleX need to do? Redirect to root for all these URIs?
    I would suggest to use class-lists if the list gets very long.

    #################################################
    #
    # Redirect w/ class-lists
    # (c) A10 Networks -- MP
    # v1 20140204
    #
    #################################################
    #
    # aFleX script to do redirection with a class-list.
    #
    # The class-list for the redirects is called
    # "cl-uris" (default) of type "string" and has
    # to contain the following data:
    # str
    #
    # For example:
    # str /uri1
    # str /uri2
    #
    # Scalability of this aFlex is unknown.
    #
    # Questions & comments welcome.
    # mpeters AT a10networks DOT com
    #
    #################################################
    when RULE_INIT {
        set ::DEBUG 0
        set ::URIS "cl-uris"
    }
    when HTTP_REQUEST {
        set URI [string tolower [HTTP::uri]]
        if { [CLASS::match $URI starts_with $::URIS] == 1 } {
            HTTP::redirect http://[HTTP::host]
            if { $::DEBUG == 1 } { log "Redirected: $URI" }
        }
    }
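For a short, fixed set of prefixes like the one in the question, the list can also live in the script itself. The following is an added example, not part of the thread or A10's own code: `::PREFIXES` and the sample prefixes are constructed, and it assumes aFleX accepts the standard Tcl `foreach` and `break` commands alongside the `starts_with` operator used above.

```tcl
when RULE_INIT {
    # Constructed sample prefixes (hypothetical); keep them lowercase,
    # because the request URI is lowercased before it is compared.
    # A plain Tcl list is used: "array set" expects key/value pairs.
    set ::DEBUG 0
    set ::PREFIXES [list "/url1" "/url2" "/url3"]
}
when HTTP_REQUEST {
    set URI [string tolower [HTTP::uri]]
    foreach PREFIX $::PREFIXES {
        # starts_with is a plain prefix test, so "/url1" also covers
        # "/url10" and "/url1/anything".
        if { $URI starts_with $PREFIX } {
            # [HTTP::host] must be in brackets so it is substituted.
            HTTP::redirect http://[HTTP::host]
            if { $::DEBUG == 1 } { log "Redirected: $URI (matched $PREFIX)" }
            break
        }
    }
}
```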
  • PjarInk Member
    edited February 2014
    Thanks! I will try that instead.

    It's 27 URIs at the moment and I don't think it will grow much or at all over time. All of them should redirect to site root.

    The "aflex optimization" page needs an update if class lists are better than arrays. It has some other syntax errors on there as well...

    By the way, where do I specify the class list and how? I have never used them before and I can't find anything on how to set the list in the aflex reference document. (For 2.7)
  • mischa Member
    edited February 2014
    Pierre, in regards to class-lists or arrays it really depends what needs to happen. :)
  • PjarInk Member
    edited February 2014
    Sorry, I updated the post with the answers, I forgot to put them in at first :)
  • PjarInk Member
    edited February 2014
    I found out that I could create the class list in cli. It seems to be working, it's just that it keeps the url in the browser and when applied to https it doesn't redirect to http.

    Any idea why?
  • PjarInk Member
    edited February 2014
    Can you perhaps do it with a 301 response?
  • PjarInk Member
    edited February 2014
    Another issue is that Firefox and IE think the response is corrupted and show nothing when this is triggered; Chrome works somewhat better but not as expected.

    I also tried with HTTP::respond 301 Location "http://HTTP::host" but it reacts the same.
  • PjarInk Member
    edited February 2014
    I solved it, the HTTP::host has to be in brackets like [HTTP::host]. The code-tag you can use on forums removes it in the example below, if I edit the post I can see the brackets!

    when RULE_INIT {
        set ::DEBUG 1
        set ::URIS "cl-uris"
    }
    when HTTP_REQUEST {
        set URI [string tolower [HTTP::uri]]
        if { [CLASS::match $URI starts_with $::URIS] == 1 } {
            HTTP::redirect http://[HTTP::host]
            if { $::DEBUG == 1 } { log "Redirected: $URI to http://[HTTP::host]" }
        }
    }
  • mischa Member
    edited February 2014
    Sorry, yes... you are completely right.
  • kaz Member
    edited February 2014
    Hi,
    I want to have a similar rule.
    So I tested this rule, but it does not seem to be working; it does not redirect on a match.
    When it is hit, stats show total executions for RULE_INIT 1, HTTP_REQUEST 34, and 34 aborts, and no log found in debug.
  • mischa Member
    edited February 2014
    Did you use the same script? Including the class-list?
    Can you share the script you are using? The abort usually indicates that a certain variable wasn't found. See if "show aflex debug" tells you something.
  • kaz Member
    edited February 2014
    I put the exact same rule on port 443,
    hit "https://host/cl-uris"
    see https://host/cl-uris, not http redirect.

    I am using 2.7.0-P2-SP1(build: 5).
    Thanks.
  • mischa Member
    edited February 2014
    From your post it's not 100% clear what is happening.
    Can you include the aFleX and some config of the Virtual Server?
  • kaz Member
    edited February 2014
    So what I did was,

    slb virtual-server VIRTUALHOSTNAME 10.12.12.12
    port 80 http
    ...
    port 443 https
    ...
    aflex class-list


    The aflex rule class-list is the exact same rule as above.

    I hit https://VIRTUALHOSTNAME/cl-uris
    I expect to be redirected to http://VIRTUALHOSTNAME but I got https://VIRTUALHOSTNAME/cl-uris

    Is this more clear?
    Thanks.
  • mischa Member
    edited February 2014
    The URI "/cl-uris" is not the actual URI the script is looking at.
    With the script you need to create a class-list on the unit with something like:

    class-list cl-uris string
     str /uri-that-triggers-redirect
    !

    So as soon as you do http://virtualhost/uri-that-triggers-redirect you will be redirected to http://virtualhost

    If this is only for a single URI you want to do this you can use:
    when RULE_INIT {
        set ::DEBUG 0
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] eq "/uri-that-triggers-redirect" } {
            HTTP::redirect http://[HTTP::host]
            if { $::DEBUG == 1 } { log "Redirected: [HTTP::uri]" }
        }
    }
  • mischa Member
    edited February 2014
    Make sure you use the attached file as the forum cuts some of the characters. :(
  • kaz Member
    edited February 2014
    Oh yeah, need a list...
    But where can I put that list of strings?
    F5 has data groups, but I don't see a similar item for A10.

    Basically, I want to redirect to https for some list of directories, and redirect to http for those not on the list.
    Thanks.
  • mischa Member
    edited February 2014
    The class-lists, unlike the data groups, don't go into the aFleX itself. They are part of the device configuration, so you can create this list separately without touching the aFleX script.
    Can you provide some examples of the redirects you want to do, as the script might not cover all your requirements.