1. Editing tool - F5 iRule Editor
if usage and writing to the log

    when HTTP_REQUEST {
        # tested successfully: reject on a URI substring match
        if {[HTTP::uri] contains "/soap/abc?action=save"} {
            reject
        }
        # tested successfully: log the request details
        if {[HTTP::uri] contains "/soap/bee?action=save"} {
            log local0. "-------soap/bee----------"
            log local0. "HTTP::uri:[HTTP::uri]"
            log local0. "HTTP::path:[HTTP::path]"
            log local0. "HTTP::query:[HTTP::query]"
            log local0. "HTTP::method:[HTTP::method]"
        }
        # tested successfully: nested switch on URI, then on method
        # (with -glob, "?" matches any single character, including a literal "?")
        switch -glob [string tolower [HTTP::uri]] {
            "/soap/fuleyou?action=save" {
                switch -glob [string tolower [HTTP::method]] {
                    "post" { reject }
                    "get" {
                        log local0. "-------soap/fuleyou----------"
                        log local0. "HTTP::uri:[HTTP::uri]"
                        log local0. "HTTP::path:[HTTP::path]"
                        log local0. "HTTP::query:[HTTP::query]"
                        log local0. "HTTP::method:[HTTP::method]"
                    }
                }
            }
        }
    }
2. switch usage

    # F5 rule that blocks specific endpoints based on the request path
    when HTTP_REQUEST {
        set s_path [HTTP::path]
        set s_query [HTTP::query]
        # outer switch selects the path, inner switch selects the action
        switch -glob [string tolower $s_path] {
            "/soap/pswd" {
                switch -glob [string tolower $s_query] {
                    "action=sign*" { reject }
                    "action=logout*" { reject }
                    "action=reset*" { reject }
                    "action=update*" { reject }
                }
            }
        }
    }
3. F5 IP whitelist
ip_block_irules (my_whitelist is a user-defined data group list)

    when CLIENT_ACCEPTED {
        # clients listed in my_whitelist go to the pool; everyone else is rejected
        if {[class match [IP::client_addr] equals my_whitelist]} {
            pool pool-app
        } else {
            reject
        }
    }
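
The rule from section 2 can also take its list of blocked actions from a data group, the way section 3 takes its whitelist from one. The following is an added example, not code from the original page: it reads the action parameter by name so the match does not depend on where the parameter sits in the query string, and it assumes a string data group named blocked_pswd_actions (a hypothetical name) holding the lowercase prefixes sign, logout, reset and update.

```tcl
# Added example. blocked_pswd_actions is a hypothetical string data group
# containing the lowercase entries: sign, logout, reset, update.
when HTTP_REQUEST {
    # Compare decoded, lowercased values so that letter case and
    # percent-encoding do not change the outcome.
    set s_path [string tolower [URI::decode [HTTP::path]]]

    if { $s_path eq "/soap/pswd" } {
        # URI::query with a parameter name returns that parameter's value,
        # or an empty string when the parameter is absent.
        set s_action [string tolower [URI::decode [URI::query [HTTP::uri] action]]]

        # starts_with mirrors the "action=sign*" style patterns of section 2:
        # true when s_action begins with any entry of the data group.
        if { $s_action ne "" &&
             [class match -- $s_action starts_with blocked_pswd_actions] } {
            # Log the raw (undecoded) query, as the rule in section 1 does.
            log local0. "blocked pswd action from [IP::client_addr]"
            log local0. "HTTP::method:[HTTP::method]"
            log local0. "HTTP::query:[HTTP::query]"
            reject
            # reject does not end the event, so stop processing explicitly.
            return
        }
    }
}
```

Adding or removing a blocked action then only requires editing the data group, not the iRule.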