Block access to a pool if url not accessed from a trusted domain
Here is the problem:
We have 2 websites, one with SSL and one in clear.
The F5 is ending the SSL.
The 2 websites have their own Virtual Server with their own pool.
Actually we can access the 2 websites independently.
We want to authorise the access to the second website (the one in http) only if we are accessing it from a link on the first website (in https).
Is there a way to get the origin of a user when accessing a website?
We could use this "variable" [probably in an HTTP_REQUEST iRule] to allow or not the access to the pool.
Regards,
2 Replies
- nitass
Employee
Is the HTTP Referer header useful?
iRule Security 101 - 06 - HTTP Referer by Joe
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/113/iRule-Security-101--06--HTTP-Referer.aspx
- hoolio
Cirrostratus
I don't think a browser will set a Referer header when transitioning from an HTTPS site to an HTTP site:
http://tools.ietf.org/html/rfc2616#section-15.1.3
Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol.
And the referer header can easily be spoofed, so using it for authorization isn't a secure method.
If the two FQDNs are on the same domain, you could try setting a session cookie on the HTTPS virtual server and store that in a subtable. Then when a request is made to the HTTP virtual server, you could look for the cookie and check it against the subtable entries.
Aaron
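The cookie-and-subtable approach suggested in the reply above could look like the following pair of iRules; this is an added example, not code posted in the thread. The cookie name `xsite_token`, subtable `xsite_tokens`, domain `.example.com`, pool `http_site_pool` and the 1800-second idle timeout are assumptions, as is the use of `AES::key` as a source of random token bytes.

```tcl
# ---- iRule 1: attach to the HTTPS virtual server ----
when HTTP_REQUEST {
    # Issue a new token unless the client already presents a known one
    set issue_token 1
    if { [HTTP::cookie exists "xsite_token"] } {
        set seen [HTTP::cookie value "xsite_token"]
        # table lookup also refreshes the entry's idle timeout
        if { [table lookup -subtable "xsite_tokens" $seen] ne "" } {
            set issue_token 0
        }
    }
}
when HTTP_RESPONSE {
    if { $issue_token } {
        # Assumption: AES::key returns "AES 128 <hex>"; keep the hex part
        set token [lindex [split [AES::key 128] " "] 2]
        # Remember the token server-side with an 1800 s idle timeout
        table set -subtable "xsite_tokens" $token 1 1800
        # Scope the cookie to the parent domain so the browser also
        # sends it to the HTTP site's FQDN
        HTTP::cookie insert name "xsite_token" value $token \
            domain ".example.com" path "/"
    }
}

# ---- iRule 2: attach to the HTTP virtual server ----
when HTTP_REQUEST {
    # Empty string if the cookie is absent
    set token [HTTP::cookie value "xsite_token"]
    if { $token ne "" && [table lookup -subtable "xsite_tokens" $token] ne "" } {
        # Token was issued by the HTTPS virtual server and has not expired
        pool http_site_pool
    } else {
        # Unknown, expired or missing token: refuse instead of load balancing
        HTTP::respond 403 content "Access denied"
    }
}
```

Because the cookie has to reach the HTTP virtual server it cannot carry the Secure flag, so the token travels in clear text on that site. It shows that the client recently visited the HTTPS site, not that it followed a particular link.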
