Forum Discussion

MichaelMa_61351
May 02, 2011

Block Referer in Shared F5

Hello,

We are using a shared F5 appliance which services other www sites as well as ours. I would like to know if it is possible, by iRules or by other means in F5, to block a list of HTTP requests from a specific referrer (can be found in the HTTP packet in Layer 7) from getting to our www site without blocking the same referrer to other www sites in the F5.

Thanks,

Michael
  • Colin_Walker_12
    Historic F5 Account
    Yes, you could definitely do this. There are a couple of options.

    The easiest would be to do this on a per Virtual basis, assuming you're on a separate VIP from the other sites on the device. If you are, then all you'd need is a simple iRule looking for the referrer and denying access accordingly.

    If you're sharing a VIP with other sites, then you'd need to add some logic that first checks for the host of the incoming request to ensure that the request is bound for your application. Then you could use the same logic to determine if the referrer is in your deny list, and drop/reject as you see fit.

    If you need some help getting this code started, let us know.

    Colin
  • George did a great write-up on Referral Tracking.

    With minor modifications you could make this into a Blocking iRule for a specific Referrer.

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086391/Referral-Tracking-With-iRules.aspx

  • Thank you all.

    Is there a massive resource utilization on the F5 while processing this kind of iRules?

    Our site has approximately 500K - 600K hits per day.

    Thanks,

    Michael

  • If that is a concern (it is awesome that you are thinking efficiency and ability), then I would say....Test It.

    There is no hard limit or soft limit to what each model of F5 can do. It all depends on how you are using it and everything else that is running on it. For your situation I would suggest looking at the following:

    Timing - Teaches you how to measure different parts of an iRule (Processing Time)
    http://devcentral.f5.com/wiki/default.aspx/iRules/timing.html

    Overview of how to translate iRule Timing to CPU Cycles (they are different for each model and device, so you have to personalize it):
    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/3650/showtab/groupforums/Default.aspx

    iRule Optimization 101 Article:
    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=123
  • Colin_Walker_12
    Historic F5 Account
    Awesome links Michael, and it's definitely good to think in terms of efficiency.

    That being said, 600k hits per day is roughly 7 hits per second. I can't see having a problem with a relatively simple stats iRule. Drawing pretty graphs and whatnot would be more of a hit, but that wouldn't be for each request anyway, only on demand from an admin.

    Colin
  • Thanks guys for the info. Can you provide a sample iRule that would block a referer, say google.com? I already know there are a number of unwanted referrals from a site and I just want to block referrals from a single domain and allow all others. Thanks again.
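  • Hi Auz,

    Here's a simple example for that:

    when HTTP_REQUEST {
        # Compare the host part of the Referer header, lower-cased, against the unwanted domain
        if {[string tolower [URI::host [HTTP::header Referer]]] contains "google.com"} {
            # Answer from the BIG-IP itself; the request never reaches the pool
            HTTP::respond 200 content {Blocked!}
        }
    }

    Aaron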
  • Thanks, would this work?

    when HTTP_REQUEST {
        if {[string tolower [URI::host [HTTP::header referrer]]] contains "google.com"}{
            HTTP::respond 200 content {Blocked!}
        }
    }
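
Added example, not code from the thread or from F5: the shared-VIP approach Colin describes, checking the Host first and then denying on the host part of the Referer header (the header name is spelled with a single "r" on the wire). The host names, the denied domain, the 403 response and the `static::` variable names are assumptions chosen for illustration.

```tcl
when RULE_INIT {
    # Host names of our site on the shared virtual server (placeholders).
    set static::protected_hosts {www.example.com example.com}
    # Referrer domains to deny for our site only (placeholder).
    set static::denied_referrers {blocked-referrer.example}
}

when HTTP_REQUEST {
    # Act only on requests bound for our site; strip any :port from Host.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { [lsearch -exact $static::protected_hosts $host] == -1 } {
        return
    }

    # Requests that carry no Referer header pass through untouched.
    if { not [HTTP::header exists "Referer"] } {
        return
    }

    # Compare only the host part of the Referer, so a denied name that merely
    # appears in the referring URL's path or query string does not match.
    set ref_host [string tolower [URI::host [HTTP::header value "Referer"]]]
    if { $ref_host eq "" } {
        return
    }

    foreach domain $static::denied_referrers {
        # Exact name or a true subdomain; "notblocked-referrer.example"
        # would match a plain "contains" test but does not match here.
        if { $ref_host eq $domain || $ref_host ends_with ".$domain" } {
            log local0. "Denied referrer $ref_host for [HTTP::host][HTTP::uri]"
            HTTP::respond 403 content "Blocked" "Content-Type" "text/plain"
            return
        }
    }
}
```

The Referer header is supplied by the client and can be omitted or changed, so this filters unwanted referral traffic rather than enforcing access control.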

     
