Forum Discussion
Http header
Hi
There is a requirement to write an iRule for below
To capture HTTP header of each request and only allow them if it has valid DNS header host section
Will below work?
Data-Group
class Valid_DNS { "abc.com" "efg.com" }

    when HTTP_REQUEST {
        if { [matchclass [HTTP::host] equals $::Valid_DNS] } {
            return
        } else {
            reject
        }
    }

4 Replies
The matchclass function seems to be a deprecated function. Try using the class match function. In this post you'll find an iRule which you can use: https://devcentral.f5.com/questions/request-url-matching-by-data-group
- Andy_McGrath
Cumulonimbus
You should be able to do this in an LTM Policy, which would likely be more effective for a small number of FQDNs
LTM Policies Getting Started 12.1.0
- Thanushka_Wije1
Nimbostratus
Unfortunately below iRule is not executing and generating TCL errors

    when HTTP_REQUEST {
        if { [class match [HTTP::host] equals $::Valid_DNS] } {
            accept
        } else {
            drop
        }
    }

My requirement is to mitigate host header redirection attacks (HTTP redirection protection). I'm running on 11.6.2 HF1, unfortunately not having ASM licence.
Any idea how I can achieve the above using a data-group and iRule?
Like I said earlier the syntax has changed. This also applies to the use of external classes. In your case, create a datagroup Valid_DNS via the WebUI. And use an iRule like this:

    when HTTP_REQUEST {
        if { not [class match [HTTP::host] equals Valid_DNS] } {
            drop
        }
    }

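
Added example, not part of the thread and not F5's own code: a variant of the reply's iRule that normalises the Host header before the data-group lookup, since a client may send it with a port suffix or mixed case. It assumes a string data group named Valid_DNS whose entries are lowercase FQDNs without a port, and that no client legitimately sends an IPv6 literal as the host.

```tcl
when HTTP_REQUEST {
    # HTTP::host returns the Host header as the client sent it, for
    # example "ABC.com:443". Take the part before the first colon and
    # lowercase it so it compares cleanly with the data-group entries.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Treat "abc.com." (trailing dot) the same as "abc.com".
    set host [string trimright $host "."]

    # Fail closed: an empty Host (e.g. an HTTP/1.0 request without the
    # header) or any name not in Valid_DNS is dropped. An IPv6 literal
    # such as "[2001:db8::1]" is cut at its first colon and therefore
    # never matches, which is the assumed intent here.
    if { $host eq "" || ![class match $host equals Valid_DNS] } {
        # Assumption: logging every rejection is acceptable at this
        # site's request volume; remove the line if it is not.
        log local0.warning "Host header rejected for client [IP::client_addr]"
        drop
        return
    }
}
```

The data group is referenced by name, without the `$::` prefix that the earlier attempts used.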
