Forum Discussion
Host Header Validation
- Jul 28, 2016
A data-group is a convenience rather than a necessity.
I tried the following on 11.5.4:
when HTTP_REQUEST {
    if { [HTTP::host] ne "xyz.com" } {
        reject
    }
}
I tried all of the following combinations:
- HTTP/1.1 Host header xyz.com;
- HTTP/1.1 Host header foo.com;
- HTTP/1.0 no Host header;
- HTTP/1.1 Host header xyz.com followed by HTTP/1.0 no Host header;
- HTTP/1.1 Host header xyz.com followed by HTTP/1.1 Host header foo.com
Case 1: allowed;
Case 2: rejected (i.e., TCP RST);
Case 3: rejected;
Case 4: allowed then rejected;
Case 5: allowed then rejected.
Incidentally, if a pool is assigned to the VS, then the else clause isn't needed (it's the default anyway).
Having said all of that, your issue may be related to this note, found in the reject explanation:
Subsequent code in the current event in the current iRule or other iRules on the VS are still executed prior to the reset being sent.
I recommend putting a return after the reject.
HTTP_REQUEST should fire on each received HTTP Request message (strictly speaking, once the HTTP Request headers are fully received) regardless of the OneConnect setting. To demonstrate this, I use the following rule:
when HTTP_REQUEST {
    log local0. "Received Host header: [HTTP::host]"
}
On a VS without OneConnect, I do the following:
- Single request for Host = aaa.com in single connection; then
- Request for bbb.com, then ccc.com, then ddd.com in a single connection.
This is what the log looks like after these two connections, which collectively include four requests:
Rule /Common/rule-validate-host : Received Host header: aaa.com
Rule /Common/rule-validate-host : Received Host header: bbb.com
Rule /Common/rule-validate-host : Received Host header: ccc.com
Rule /Common/rule-validate-host : Received Host header: ddd.com
Then I apply OneConnect to the same VS and repeat the tests. The logs:
Rule /Common/rule-validate-host : Received Host header: aaa.com
Rule /Common/rule-validate-host : Received Host header: bbb.com
Rule /Common/rule-validate-host : Received Host header: ccc.com
Rule /Common/rule-validate-host : Received Host header: ddd.com
The long-and-short: HTTP_REQUEST fires on each Request message regardless of Keep-Alive and OneConnect.
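The validation rule with the recommended return after reject, as an added example that is not part of the original post. The lower-casing, the port stripping and the two log lines are assumptions added here so that "XYZ.com" and "xyz.com:443" are treated the same as "xyz.com"; drop them if an exact match is what you want.

```tcl
when HTTP_REQUEST {
    # Host names are case-insensitive and may carry a port ("xyz.com:443"),
    # so normalise before comparing. getfield returns the part before ":".
    # A request with no Host header yields an empty string and is rejected.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $host ne "xyz.com" } {
        log local0. "Rejecting [IP::client_addr]: Host header '[HTTP::host]'"
        reject
        # reject does not end this handler: without return, the lines below
        # would still execute before the reset is sent. return only ends this
        # event in this iRule; other iRules on the virtual server still run.
        return
    }

    # Reached only for requests that passed validation. HTTP_REQUEST fires
    # for every request, so later requests on a kept-alive connection are
    # checked here as well.
    log local0. "Accepted Host header: $host"
}
```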