For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 25, 2014

Interesting idea. I think the question boils down to what you can send to a browser that other sites can see. Historically, there are only a few ways to do this, and probably the most popular would be a domain cookie. This is a cookie sent by a server that has a domain attribute. Example:

Set-Cookie: foo=bar; path=/; domain=domain.com

It's basically an expanding scoping mechanism that allows the browser to share this cookie across hosts that match the specified domain pattern.

www.domain.com
foo.domain.com
bar.domain.com
...

If that's the situation you have, then the answer could be pretty straight forward.

On the first 2 VIPs:

when HTTP_REQUEST {
    if { not ( [HTTP::cookie exists MYSITES] ) } {
        HTTP::respond 302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" "MYSITES; path=/; domain=domain.com"
    }
}

If the client accesses the VIP and doesn't have this cookie, then it'll get an immediate redirect loop that sets the cookie. On the other website (that users shouldn't be able to access without going to either of the first two first):

when HTTP_REQUEST {
    if { not ( [HTTP::cookie exists MYSITES] ) } {
        HTTP::redirect "...somewhere else..."
    }
}

By virtue of not having visited either of the other VIPs, access to this VIP would get an immediate redirect to the URL of your choice. I'll also comment that for the sake of simplicity, the first iRule just sets the cookie based on initial access, not valid APM authentication. You'd need a slightly different mechanism to set this cookie after authentication.