F5 String Matching iRule

Permitting URLs based on patterns

2025-09-08

One of our web services exposed a well-known API endpoint that was easy to discover and was being probed regularly. The service had to stay public, but Infosec asked us to lock it down further. After talking with the application developers, we found that every route that needed to remain open lived at a unique path beneath the well-known one. If we could match requests against those unique paths and reject everything else, that would satisfy Infosec's request.

Since the service sits behind an F5 BIG-IP load balancer, we created a string data group list containing the URI prefixes we wanted to allow (e.g. /api/common/notsocommon/ and /api/common/evenlesscommon) and wrote the iRule below. It assumes the data group list is named dg_test. Two details matter when populating it: the iRule lowercases the request URI before matching, so the entries must be lowercase as well, and a trailing slash in an entry is significant. HTTP::uri includes the query string, so /api/common/notsocommon/ does not match a request for /api/common/notsocommon?id=1, while an entry without the trailing slash matches any path that merely begins with it, including /api/common/notsocommonX. Adding a new allowed route is then a data group edit, with no change to the iRule.

when HTTP_REQUEST {
    # Lowercase the request URI so the comparison is case-insensitive;
    # the entries in dg_test must therefore be lowercase too.
    # "class match ... starts_with dg_test" is true when the URI begins
    # with any entry in the data group.
    if { not [class match [string tolower [HTTP::uri]] starts_with dg_test] } {
        # No allowed prefix matched: answer 403 and stop processing the request
        HTTP::respond 403 content "URL Blocked"
        return
    }
    # Otherwise fall through and let the request reach the pool as usual
}

It's not perfect. The match runs against the raw URI as sent by the client, not a normalized path, so prefix matching alone will not catch a request such as /api/common/notsocommon/../other that passes the check here and is only collapsed by the backend; and any legitimate route missing from the data group is blocked until someone adds it, so the allowlist needs an owner. But it does help us distinguish between IPs that are probing the service and those that legitimately need to access it.
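As an added example (not part of the original post or the author's deployment), here is a hardened form of the same iRule: it matches on the path only so the query string cannot influence the comparison, rejects dot-segments before the prefix check so a request cannot satisfy the prefix and then be normalized into a different route by the backend, and logs what it blocks so the probing IPs can be pulled from /var/log/ltm. It still assumes a string data group named dg_test with lowercase entries; the log lines and the Connection: close header are my additions.

```tcl
when HTTP_REQUEST {
    # Compare the path only. HTTP::uri includes the query string; HTTP::path
    # does not, so the query cannot be used to influence the match.
    set path [string tolower [HTTP::path]]

    # Refuse dot-segments up front. Assumption: the backend normalizes
    # "/a/../b" to "/b", so a raw-prefix match alone is not sufficient.
    # This is deliberately broad (it also rejects "/..hidden"): deny by default.
    if { [string match "*/..*" $path] || [string match "*/./*" $path] } {
        log local0. "blocked dot-segment client=[IP::client_addr] uri=[HTTP::uri]"
        HTTP::respond 403 content "URL Blocked" "Connection" "close"
        return
    }

    # Allow only paths that begin with an entry in dg_test
    # (entries must be lowercase, e.g. /api/common/notsocommon/).
    if { not [class match $path starts_with dg_test] } {
        log local0. "blocked prefix client=[IP::client_addr] uri=[HTTP::uri]"
        HTTP::respond 403 content "URL Blocked" "Connection" "close"
        return
    }

    # Allowed: fall through to the virtual server's default pool.
}
```

The trailing-slash trade-off from the data group still applies: an entry with a trailing slash will not match a request for the bare route, and an entry without one matches any longer path sharing that prefix. Percent-encoded dots (%2e) are not covered by the string match above; if the backend decodes those before normalizing, add a check for them or decode the path with URI::decode before the comparison.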