Forum Discussion
Blacklisting HTTP Traffic iRule "leaks" some matching requests to the backend servers
Hi,
Suddenly having the need to add some per-referer filtering capabilities to our setup, I created the following iRule, based on our IP blacklist iRules:
when HTTP_REQUEST {
    # Check if referer is in blacklist Datagroup
    if { [class match [HTTP::header "Referer"] contains _phx_referer_blacklist] } {
        pool _pool_empty
        persist none
        event disable all
        HTTP::respond 403 content "Unauthorized Access" "Content-Type" "text/html" "Connection" "close"
        TCP::close
        # Uncomment the line below to turn on logging.
        log local0. "Blacklisted Referer [HTTP::header "Referer"] for client IP: [IP::client_addr] '[HTTP::method] [HTTP::host][HTTP::uri]' - discarding"
    }
}
The iRule correctly matches and discards 90% of the requests, like this:
Jan 16 16:35:18 lb1 info tmm[19473]: Rule /Common/_rule_phx_http_referer_blacklist : Blacklisted Referer http://www.a2r-media.com/boost/afficheframe.php for client IP: 158.169.xx.yy 'GET ' - discarding
However, some requests do find their way to the backend servers:
130.79.yy.xx - - [16/Jan/2018:16:46:48 +0100] "GET / HTTP/1.1" 200 36229 "; "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0"
I am a bit puzzled; how could this be possible?
- youssef1
Cumulonimbus
Hello Benoit,
Is "event disable all" necessary? Do you have other iRules that use the same event on the same VS?
Because the risk is that, if you are redirecting the client back to the same virtual server, you may face situations where the client reuses the same connection. This in turn means no further events will be executed, because all events are disabled for that given connection,
and therefore your restriction does not work...
Regards
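To make the point of the reply concrete, here is a variant of the blacklist rule written as an added example (it is not the original poster's rule and not F5 code). It keeps the same data group name, _phx_referer_blacklist, from the post, drops "event disable all" so that every HTTP_REQUEST on a reused keep-alive connection is still evaluated against the blacklist, and logs each rejection so the filter can be tuned and verified from the LTM log:

```tcl
# Added example, not the poster's rule or F5 code.
# Assumes a string data group named _phx_referer_blacklist exists (as in the post).
when HTTP_REQUEST {
    # A request with no Referer header cannot match the blacklist; let it through.
    if { ![HTTP::header exists "Referer"] } {
        return
    }
    set referer [HTTP::header "Referer"]

    # "contains": true when any key of the data group is a substring of the Referer value.
    if { [class match -- $referer contains _phx_referer_blacklist] } {
        # Log the decision so blocked requests can be reviewed and the data group tuned.
        log local0. "Blacklisted Referer $referer for client IP: [IP::client_addr] '[HTTP::method] [HTTP::host][HTTP::uri]' - rejecting"
        # Answer directly and ask the client to close the connection.
        # No "event disable all": if the client keeps the TCP connection open anyway,
        # the next HTTP_REQUEST still fires and is checked against the blacklist again.
        HTTP::respond 403 content "Unauthorized Access" "Content-Type" "text/html" "Connection" "close"
        # Leave the event so nothing below (and no pool selection) runs for this request.
        return
    }
}
```

Because the response is generated by HTTP::respond before any pool is selected, the empty pool and "persist none" from the original rule are not needed; the log line is the check a practitioner would use to confirm that a request seen in a backend access log with a blacklisted Referer was really evaluated by the rule.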