Forum Discussion
MichaelMa_61351
Nimbostratus
NimbostratusBlock Referer in Shared F5
Hello,
We are using shared F5 appliance which service other www sites as well as ours. I would like to know, if it is possible by iRules or by other means in F5 to block a list of HTTP requests from a specific referrer (can be found in the HTTP packet in Layer 7) from getting to our www site without blocking the same referrer to other www sites in the F5.
Thanks,
Michael
10 Replies
- Yes, you could definitely do this. There are a couple of options.
The easiest would be to do this on a per Virtual basis, assuming you're on a separate VIP from the other sites on the device. If you are, then all you'd need is a simple iRule looking for the referrer and denying access accordingly.
If you're sharing a VIP with other sites, then you'd need to add some logic that first checks for the host of the incoming request to ensure that the request is bound for your application. Then you could use the same logic to determine if the referrer is in your deny list, and drop/reject as you see fit.
If you need some help getting this code started, let us know.
Colin 
Michael_YatesGeorge did a great write-up on Referral Tracking.
With minor modifications you could make this into a Blocking iRule for a specific Referrer.
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086391/Referral-Tracking-With-iRules.aspx- Good find Michael.
Colin 
MichaelMa_61351Thank you all.
Is there a massive resource utilization on the F5 while processing this kind of iRules ?
our site has approximatly 500K - 600K hits per day.
Thanks,
Michael- Michael_YatesIf that is a concern (it is awesome that you are thinking efficiency and ability), then I would say....Test It.
There is no hard limit or soft limit to what each model of F5 can do. It all depends on how you are using it and everything else that is running on it. For you situation I would suggest looking at the following:
Timing - Teaches you how to measure different parts of an iRule (Processing Time)
http://devcentral.f5.com/wiki/default.aspx/iRules/timing.html
Overview of how to translate iRule Timing to CPU Cycles (they are different for each model and device, so you have to personalize it):
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/3650/showtab/groupforums/Default.aspx
iRule Optimization 101 Article:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=123 - Awesome links Michael, and it's definitely good to think in terms of efficiency.
That being said, 600k hits per day is roughly 7 hits per second. I can't see having a problem with a relatively simple stats iRule. Drawing pretty graphs and whatnot would be more of a hit, but that wouldn't be for each request anyway, only on demand from an admin.
Colin - Auz_102504Thanks Guys for the info, can you provide a sample irule that would block a referer say google.com, I already know there are a number of unwanted referrals from a site and I just want to block referrals from a single domain and allow all others. Thanks again.
hoolioCirrostratus
Hi Auz,
Here's a simple example for that:when HTTP_REQUEST { if {[string tolower [URI::host [HTTP::header User-Agent]]] contains "google.com"}{ HTTP::respond 200 content {Blocked!} } }
Aaron- Auz_102504Thanks would this work?
when HTTP_REQUEST {
if {[string tolower [URI::host [HTTP::header referrer]]] contains "google.com"}{
HTTP::respond 200 content {Blocked!}
}
} - Auz_102504Thanks would this work?
when HTTP_REQUEST {
if {[string tolower [URI::host [HTTP::header referrer]]] contains "google.com"}{
HTTP::respond 200 content {Blocked!}
}
}
