Forum Discussion
George_Daly_322
Nimbostratus
NimbostratusDrop HTTP GET request based on host
I'm trying to do a simple iRule where if the HTTP request contains a particular address the connection is dropped. This is to prevent a shared webserver from being DDOS'd due to HTTP GETs to a partic...
hoolio
Cirrostratus
CirrostratusIf you use reject, instead of TCP::release, the TCP connection will be reset.
when HTTP_REQUEST {
if { [string tolower [HTTP::host]] contains "domain.com" }{
Reset the TCP connection
reject
End processing this rule event
return
}
}
It might be more secure to positively define which host header values you do want to allow and send a reset for all others. You could do this for a single host as you've done above, or create a list of the allowed host header values in a datagroup (called a class in the bigip.conf).
Single allowed hostname:
when HTTP_REQUEST {
if { not ([string tolower [HTTP::host]] contains "allowed.domain.com")}{
Reset the TCP connection
reject
End processing this rule event
return
}
}
Multiple allowed hostnames defined in a datagroup called allowed_hostnames:
when HTTP_REQUEST {
if { not ([matchclass [string tolower [HTTP::host]] contains $::allowed_hostnames])}{
Reset the TCP connection
reject
End processing this rule event
return
}
}
Aaron
