For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Alexandre_Marko's avatar
Alexandre_Marko
Icon for Nimbostratus rankNimbostratus
Dec 02, 2011

Block access to a pool if url not accessed from a trusted domain

Hello,     Here is the problem:   We have 2 websites, one with SSL and one in clear.   The F5 is ending ths SSL.       The 2 websites have their own Virtual Server with their own po...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 02, 2011
I don't think a browser will set a Referer header when transitioning from an HTTPS site to an HTTP site:

 

 

 

http://tools.ietf.org/html/rfc2616section-15.1.3

 

 

Clients SHOULD NOT include a Referer header field in a (non-secure)

 

HTTP request if the referring page was transferred with a secure

 

protocol.

 

 

 

And the referer header can easily be spoofed, so using it for authorization isn't a secure method.

 

 

If the two FQDNs are on the same domain, you could try setting a session cookie on the HTTPS virtual server and store that in a subtable. Then when a request is made to the HTTP virtual server, you could look for the cookie and check it against the subtable entries.

 

 

Aaron
Related Content