Best way to deny access to URL
I have VIP Dallas. This VIP has a pool member of 10.1.1.1. I have another VIP NY. This VIP has pool member 10.2.1.1. VIP NY has 2 URIs: NYC and Albany. On server 10.1.1.1, there are 2 links: https://ny.abc.com/nyc and https://ny.abc.com/albany. The requirement is to only allow access to VIP NY via these links. Clients cannot access VIP NY directly. On VIP NY, I tried to filter based on cookie and referer. Both did not work. Any suggestions?
4 Replies
- Josiah_39459
Historic F5 Account
Assuming all the links in those applications are prefaced with those uris:
    when HTTP_REQUEST {
        # Respond 403 unless the lowercased URI begins with /nyc or /albany
        if { !(([string tolower [HTTP::uri]] starts_with "/nyc") || ([string tolower [HTTP::uri]] starts_with "/albany")) } {
            HTTP::respond 403
        }
    }
- EastCoast_16835
Altostratus
I would recommend to be careful when using iRules for security purposes like URL authorization. If URL parts are encoded this rule can be easily bypassed. You would need either to decode the URL properly (may require multiple rounds) or to use ASM signatures that do perform this decoding automatically.
UPDATE: I think there is also a possibility to use ASM "Allowed URL" feature with the action "Block". Not sure whether it does URL decoding though.
- Josiah_39459
Historic F5 Account
Yes, ASM is probably the best answer if there is a security concern, and not just a programmatic exercise.
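The decoding concern raised above, as an added example that is not part of the original thread: a Python model (not iRule Tcl, so it runs offline) comparing the posted prefix check with one that decodes until stable and resolves dot segments before matching. The five-round cap, the first-segment match and the sample URIs are assumptions of this example.

```python
from urllib.parse import unquote

ALLOWED_FIRST_SEGMENTS = {"nyc", "albany"}  # the two URIs named in the thread
MAX_DECODE_ROUNDS = 5  # assumed cap; anything still encoded after this is rejected


def naive_allowed(uri: str) -> bool:
    """Model of the posted iRule: lowercase the raw URI and prefix-match it."""
    return uri.lower().startswith(("/nyc", "/albany"))


def canonical_path(uri: str):
    """Return the decoded, dot-segment-free, lowercase path, or None to reject."""
    path = uri.split("?", 1)[0]  # drop the query string before decoding
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break  # stable: no percent-encoding left to unwrap
        path = decoded
    else:
        return None  # still changing after the cap
    if "\x00" in path or "\\" in path:
        return None  # characters a backend may interpret differently
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return ("/" + "/".join(segments)).lower()


def hardened_allowed(uri: str) -> bool:
    """Allow only if the canonical path's first segment is on the allowlist."""
    path = canonical_path(uri)
    return path is not None and path.split("/")[1] in ALLOWED_FIRST_SEGMENTS


# Constructed sample request URIs (not taken from the thread).
SAMPLES = ["/nyc/index.html", "/Albany?x=1", "/%6Eyc/page",
           "/nyc/%2e%2e/admin", "/nyc/%252e%252e/admin", "/other"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:28} naive={naive_allowed(uri)!s:5} hardened={hardened_allowed(uri)}")
```

The thread does not say how many decoding rounds the pool member itself applies; the check only holds if the canonical form computed at the proxy matches what the backend finally resolves.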
- saidshow_251381
Cirrostratus
Hi xbox360, I had a similar issue where I wanted to apply an action based on the URL. I did this via the ASM policy, when filtering by referrer I needed to mark as 'do nothing' and then the URL specified from the referrer specified passed through. In your case you want to block connections with a similar rule. My case is noted here, I hope something there may help: https://devcentral.f5.com/questions/allowed-url-however-its-still-being-blocked?