Forum Discussion

Alexandre_Marko's avatar
Icon for Nimbostratus rankNimbostratus
Dec 02, 2011

Block access to a pool if url not accessed from a trusted domain




Here is the problem:


We have 2 websites, one with SSL and one in clear.


The F5 is ending ths SSL.




The 2 websites have their own Virtual Server with their own pool.




Actually we can access the 2 websites independantly.




We want to authorise the access to the second website (the one in http) only if we are accessing it from a link on the first website (in https).




Is there a way to get the origin of a user when accessing a website?


We could use this "variable" [probably in a HTTP_REQUEST irule] to allow or not the access to the pool.






2 Replies

  • is http referer header useful?



    iRule Security 101 - 06 - HTTP Referer by Joe

  • I don't think a browser will set a Referer header when transitioning from an HTTPS site to an HTTP site:






    Clients SHOULD NOT include a Referer header field in a (non-secure)


    HTTP request if the referring page was transferred with a secure






    And the referer header can easily be spoofed, so using it for authorization isn't a secure method.



    If the two FQDNs are on the same domain, you could try setting a session cookie on the HTTPS virtual server and store that in a subtable. Then when a request is made to the HTTP virtual server, you could look for the cookie and check it against the subtable entries.