Forum Discussion
Grant Access To Users Based on Referer Header Value
I want to grant access to users based on a referrer value and to redirect them to login if the referrer is invalid. This is not meant to be a security fix though, it is just to ensure users access the application FROM the company portal which they must login to. According to the config below:
    when HTTP_REQUEST {
        switch -glob [HTTP::header "Referer"] {
            "http://click.bank.com/dashboard.php" {
                # Coming from the right page. Allow Request to go through...
                if { [string tolower [HTTP::uri]] ends_with "/eod" } {
                    pool BankAppPool member 10.10.1.51 8888
                    log local0. "Requested path - admin sent to App1"
                    log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
                    # HTTP::redirect "/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
                    HTTP::redirect "http://10.10.1.51:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
                } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
                    log local0. "Requested path - distribute Round robin"
                    HTTP::redirect "http://pam.bank.com:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.57:9001/banks"
                    log local0. "Requested path - banks"
                }
            }
            "" {
                # redirect to login page
                HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
            }
            default {
                # redirect to login page
                HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
            }
        }
    }
The redirect is working very fine as defined but the application accepting the request for valid navigation fails to load. It just hangs indefinitely. It works fine without the referrer-based redirect but, once the referrer check is introduced, it doesn't load. Is there something I'm missing in the iRule definition? Please help. Thank you!
3 Replies
- jgranieri
Nimbostratus
You can do this much easier with LTM Policies... they are basically these types of iRules built using the GUI.
Try it; it will be much easier to implement. I think there might be some contention with the switch statement and then the ifs. I'd recommend using exclusive if/elseifs or trying the LTM policy.
- Vijay_E
Cirrus
You are redirecting to an IP address, 10.10.1.51. Do all clients have the route to get to this IP address?
- Tosin_Omojola
Altostratus
This is the final solution that worked:
I created another VS, 10.10.1.60 (and a subdomain that points to the IP), and added this iRule to it:

    when HTTP_REQUEST {
        set referrer_host [URI::host [HTTP::header value Referer]]
        if { ($referrer_host ne "") and ($referrer_host eq "click.sbank.com") } {
            if { [string tolower [HTTP::uri]] ends_with "/eod" } {
                HTTP::redirect "http://pam.banks.com/eod"
            } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
                HTTP::redirect "http://pam.bank.com"
            }
        } else {
            HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
        }
    }

Then, on the main VS hosting the resource pam.banks.com, the normal iRule remains.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] ends_with "/eod" } {
            HTTP::redirect "http://10.10.1.51:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
        } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
            HTTP::redirect "http://pam.bank.com:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.57:9001/banks"
        }
    }

That delivers the desired solution...
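
Added example, not part of any post in this thread: a Python model (not iRule code) that compares the whole-header match from the question with the host-only match from the final solution, and returns the gate virtual server's decision for a given Referer and URI. The portal host `click.bank.com`, the function names and the sample Referer values are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

PORTAL_URL = "http://click.bank.com/dashboard.php"         # pattern in the question's switch
PORTAL_HOST = "click.bank.com"                              # assumed portal host
LOGIN_URL = "http://click.bank.com/index.php?resp_id=MLG"   # login redirect used in the thread


def exact_url_gate(referer: str) -> bool:
    """Question's rule: the pattern has no wildcard, so only this exact string matches."""
    return referer == PORTAL_URL


def host_gate(referer: str) -> bool:
    """Final solution's rule: compare only the host part of the Referer."""
    # urlsplit lower-cases the host and drops any port; an empty header yields "".
    return (urlsplit(referer).hostname or "") == PORTAL_HOST


def gate_action(referer: str, uri: str) -> Optional[str]:
    """Decision of the gate virtual server: a redirect target, or None for no action."""
    if not host_gate(referer):
        return LOGIN_URL
    uri = uri.lower()
    if uri.endswith("/eod"):
        return "http://pam.banks.com/eod"
    if uri.endswith("/"):
        return "http://pam.bank.com"
    return None  # neither branch of the gate iRule fires


# Constructed Referer values for illustration; not taken from any log.
SAMPLES = [
    "http://click.bank.com/dashboard.php",           # the portal page itself
    "http://click.bank.com/dashboard.php?tab=1",     # same page with a query string
    "https://click.bank.com/dashboard.php",          # same page over HTTPS
    "",                                              # header absent
    "http://pam.bank.com:9001/forms/frmservlet",     # request issued from an application page
    "http://intranet.example/links.html",            # unrelated site
]


def compare():
    """Return (referer, exact-match result, host-match result) for each sample."""
    return [(r, exact_url_gate(r), host_gate(r)) for r in SAMPLES]


if __name__ == "__main__":
    for referer, exact, host in compare():
        print(f"{referer!r:50} exact={exact!s:5} host={host}")
```

Only the first sample passes the exact-string check, while the first three pass the host check; a request whose Referer is one of the application's own pages fails both.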
