Forum Discussion
Block Domain redirect
7 Replies
- George_Watkins_Historic F5 Account
Hi Valentine,
Something like this should do the trick:

```tcl
when HTTP_REQUEST {
    if { [HTTP::host] equals "somebaddomain.com" } {
        # send a TCP reset
        reject
        # alternatively, redirect somewhere else
        # HTTP::redirect "http://www.somedomainyoufindentertaining.com"
    }
}
```
If there's a whole list of domains you want to apply this functionality to, you can create a datagroup holding the domains and potentially different actions for each of them.
-George
- George_Watkins_Historic F5 Account
Hi Valentine,
With a little further hacking this is what Colin and I came up with. It will allow you to blacklist an entire domain and its subdomains (www.sea.webcluster1.f5.com will always match f5.com). You'll want to create a datagroup containing the list of base domains (f5.com, example.com, etc.). Then add the datagroup name to the top of the iRule in the RULE_INIT section and you should be good to go. Here is the code:

```tcl
ltm data-group internal /Common/domain_blacklist {
    records {
        anotherbaddomain.com { }
        somebaddomain.com { }
    }
    type string
}
ltm rule /Common/http_domain_blacklist {
    when RULE_INIT {
        set static::domain_blacklist_dg "domain_blacklist"
        set static::debug 1
    }
    when HTTP_REQUEST {
        # grab the base domain (top level plus subdomain) from HTTP::host
        set base_domain [join [lrange [split [HTTP::host] .] end-1 end] .]
        if { [class search $static::domain_blacklist_dg equals $base_domain] } {
            if { $static::debug > 0 } {
                log local0. "[IP::remote_addr] attempted to access a blacklisted_domain: $base_domain"
            }
            # send a TCP reset
            reject
        }
    }
}
```
Now if someone resolves somebaddomain.com, www.somebaddomain.com, or www.web1.gtm.somedc.somebaddomain.com and it points at the virtual with this iRule, the browser will receive a TCP reset.
-George
- nitass_89166
Noctilucent
this is another example.

```
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:http
   ip protocol tcp
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      if {[class match -- [string tolower [HTTP::host]] starts_with domain_blacklist]}{
         log local0. "[IP::client_addr]:[TCP::client_port]|[HTTP::host]|[HTTP::uri]"
         reject
      }
   }
}
[root@ve1023:Active] config b class domain_blacklist list
class domain_blacklist {
   {
      "anotherbaddomain"
      "somebaddomain"
   }
}
[root@ve1023:Active] config curl -I http://somebaddomain.abc.com/
curl: (52) Empty reply from server
[root@ve1023:Active] config
Nov 15 23:30:47 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:41065|somebaddomain.abc.com|/
[root@ve1023:Active] config curl -I http://anotherbaddomain.abc.com/
curl: (52) Empty reply from server
[root@ve1023:Active] config
Nov 15 23:30:53 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:41067|anotherbaddomain.abc.com|/
```
- Snl
Cirrostratus
Hi Nitass,
Can the iRule example provided block based on the source domain, or only the destination?
I am looking for a similar iRule where I want to block specific source domains, using a data group list, towards the destination domain xyz.com which is hosted on my F5.
Example: block the abc.com domain as the source (initiating the request) from accessing the xyz.com domain.
BR/
snl
- hoolio
Cirrostratus
Or create a whitelist of acceptable host header values and block everything else. You can use negated logic from Nitass and George's examples to do this.
Aaron
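The matching decision George's data-group iRule makes (block a base domain and every subdomain of it) and the default-deny allowlist hoolio suggests, modelled in plain Python as an added example so the edge cases can be checked offline; this is not code from the thread or from F5. It normalizes the Host value the way an iRule would need to before comparing (lowercase, explicit port and trailing dot removed), matches blocklist entries on label boundaries so that a prefix such as evilsomebaddomain.com or a lookalike such as somebaddomain.com.attacker.example does not match, and goes one step beyond the thread's two-label split by accepting entries with any number of labels (example.co.uk). BLOCKLIST, ALLOWLIST and every host value below are constructed sample data.

```python
from typing import Iterable, Optional

# Constructed sample data: the base domains from George's data group, plus a
# multi-label entry that a fixed "last two labels" split could never match.
BLOCKLIST = {"somebaddomain.com", "anotherbaddomain.com", "example.co.uk"}
# Constructed allowlist of acceptable Host values for the default-deny variant.
ALLOWLIST = {"xyz.com", "www.xyz.com"}


def normalize_host(host: str) -> str:
    """Lowercase the Host value and drop an explicit port and trailing dot.

    Splitting on '.' before removing ':port' would leave 'com:8080' as the
    last label, so the port has to go first.
    """
    host = host.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    host = host.split(":", 1)[0]                  # drop ":port"
    return host.rstrip(".")                       # drop trailing dot (FQDN form)


def matches_domain(host: str, base_domain: str) -> bool:
    """True if host equals base_domain or is a subdomain of it.

    Comparing on label boundaries ('.' + base_domain) is what keeps
    'evilsomebaddomain.com' from matching 'somebaddomain.com'.
    """
    return host == base_domain or host.endswith("." + base_domain)


def blocked_domain(host: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry the host falls under, or None."""
    h = normalize_host(host)
    for entry in blocklist:
        if matches_domain(h, normalize_host(entry)):
            return entry
    return None


def decide(host: str, blocklist: Iterable[str] = BLOCKLIST,
           allowlist: Optional[Iterable[str]] = None) -> str:
    """'reject' or 'allow', mirroring the iRule's reject / fall-through.

    When an allowlist is given, only listed Host values pass (default deny);
    otherwise the request passes unless it matches the blocklist.
    """
    h = normalize_host(host)
    if allowlist is not None:
        allowed = {normalize_host(a) for a in allowlist}
        return "allow" if h in allowed else "reject"
    return "reject" if blocked_domain(h, blocklist) else "allow"


if __name__ == "__main__":
    # Constructed requests in the same client|Host|URI shape nitass's iRule logs.
    sample = [
        ("172.28.65.150:41065", "www.web1.gtm.somedc.somebaddomain.com", "/"),
        ("172.28.65.150:41067", "evilsomebaddomain.com", "/"),
        ("172.28.65.150:41069", "www.example.co.uk:8080", "/index.html"),
    ]
    for client, host, uri in sample:
        print(f"{client}|{host}|{uri} -> {decide(host)}")
```

The blocklist is scanned entry by entry, which is fine for a data group of a few hundred names; the point of the example is the boundary-aware comparison, not lookup speed.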