Forum Discussion
Tony_Bushell_90
Nimbostratus
NimbostratusHow to reject based on an IP?
hi -
I have a customer who is trying to publish a http site but they want to reject any requests that come if someone just uses the IP address or some other DNS A or cname, and i was hoping someone could point me in the right direction.
thanks!
hoolioCirrostratus
Hi Tony,
If you create a datagroup (type: string) of legal or illegal HTTP host header values you can use an iRule like this to check the requested Host header value against it. You can also add a check to see that the Host header value isn't an IP address:when HTTP_REQUEST { Check the Host against a datagroup of legal host header values if {not ([matchclass [string tolower [HTTP::host]] equals legal_host_headers_class])}{ HTTP::respond 403 content {Forbidden!} return } Check the Host against a datagroup of illegal host header values if {[matchclass [string tolower [HTTP::host]] equals illegal_host_headers_class]}{ HTTP::respond 403 content {Forbidden!} return } Check if the Host is an IP address, blank or non-existent if {not ([string match {*[a-zA-Z]*} [HTTP::host]])}{ HTTP::respond 403 content {Forbidden!} } }
Aaron
Tony_Bushell_90thanks, Aaron - will ask my customer to try this out and will report back- hoolioMake sure to customize the iRule as the customer needs. For example, you probably wouldn't bother with a black list of HTTP hosts if you're using a white list. Also, you may not want to block clients who don't send any host header as one isn't required for HTTP 1.0.
Aaron