Forum Discussion

Joe_Pipitone's avatar
Joe_Pipitone
Icon for Nimbostratus rankNimbostratus
May 19, 2015

iRule - conflicting with IE

I have the following iRule which inserts headers for HSTS, checks 2 data group lists for "referer_check_filetypes" and "referer_allowed_hosts" - those are simply our websites and PDF file types which essentially allow the browser to download a PDF once a user is logged in, as long as they come from a website on the allowed hosts data group list. This iRule also forces SSL traffic.

 

The issue we are experiencing is - when a user visits a page, they login, and a download is supposed to immediately happen. With this code, in Internet Explorer ONLY, a new tab opens up and the website's homepage is displayed. On the previous tab, the user is allowed to download the PDF.

 

If I remove the referrer and file type checks within HTTP_REQUEST, everything works as designed. What's supposed to happen is - a new tab pops up and immediately closes, resulting in the PDF being downloaded.

 

Without this code, the problem is that it results in people downloading PDFs without being logged in if they come from a search engine such as Google after performing a Google search for PDFs that were indexed on our websites. The expected behavior when a user tries to download a PDF via a Google search, they're redirected back to the homepage of the domain that was requested.

 

site:ourwebsite.com filetype:pdf

 

I've tried changing HTTP::respond 302 "Location" to HTTP::redirect, however that results in a "This page could not be displayed"

 

Any ideas why a tab would pop up, and not disappear, confusing the user because they don't know their download link is on the previous tab?

 

when RULE_INIT {
   set static::expires [clock scan 20110926]
}
when HTTP_RESPONSE {
   HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
}
when HTTP_REQUEST {
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { ( [class match [HTTP::path] ends_with referer_check_filetypes] ) and 
        ( not [class match $refer_host contains referer_allowed_hosts] ) } {
       log local0. "[IP::client_addr]:[TCP::client_port]: hotlink detected from Referer: $refer_host for [HTTP::host][HTTP::uri]"
      HTTP::respond 302 "Location" "http://[HTTP::host]" Cache-Control No-Cache Pragma No-Cache
    }    
    if {([string tolower [HTTP::host]] starts_with "www.")} {
        HTTP::redirect "https://[string range [HTTP::host] 4 end][HTTP::uri]"
        return
    } elseif { [TCP::local_port] == 80 } {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
        return
    }
}
  • Could you add a little more logging to the iRule to grab the path, referer and then in each of the flows just to track how the request is being handled? That may give a better picture of what's going on.

    when RULE_INIT {
       set static::expires [clock scan 20110926]
    }
    when HTTP_RESPONSE {
       HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
    }
    when HTTP_REQUEST {
        set refer_host [string tolower [URI::host [HTTP::header Referer]]]        
        log local0. ""
        log local0. "Path: '[HTTP::path'"
        log local0. "  Referer Host: '$refer_host'"
        log local0. "  EndsWith referer_check_filetypes: [class match [HTTP::path] ends_with referer_check_filetypes]"
        log local0. "  Contains referer_allowed_hosts: [class match $refer_host contains referer_allowed_hosts]"
    
        if { ( [class match [HTTP::path] ends_with referer_check_filetypes] ) and 
            ( not [class match $refer_host contains referer_allowed_hosts] ) } {
           log local0. "[IP::client_addr]:[TCP::client_port]: hotlink detected from Referer: $refer_host for [HTTP::host][HTTP::uri]"
          log local0. "  Redirect user to home page (http://[HTTP::host])"
          HTTP::respond 302 "Location" "http://[HTTP::host]" Cache-Control No-Cache Pragma No-Cache
          return
        }
        if {([string tolower [HTTP::host]] starts_with "www.")} {
            log local0. "  Host contains WWW. Redirect to 'https://[string range [HTTP::host] 4 end][HTTP::uri]'"
            HTTP::redirect "https://[string range [HTTP::host] 4 end][HTTP::uri]"
            return
        } elseif { [TCP::local_port] == 80 } {
            log local0. "  Local port is 80. Redirect to HTTPS (https://[HTTP::host][HTTP::uri])"
            HTTP::redirect https://[HTTP::host][HTTP::uri]
            return
        }
    }
    
  • I've commented out the line that is supposed to log referer_check_filetypes, and I'm seeing that the code is doing what it's supposed to - when someone requests a PDF and they're not from an allowed referrer host, it redirects them back to the homepage.

     

    Rule /Common/irule-test : Host contains WWW. Redirect to 'https://sitename.com/'
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/'
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Redirect user to home page (http://sitename.com)
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Referer Host: 'www.google.com'
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Path: '/~/media/75CE5AEA5A85436BA819B26CF4CCA849.pdf'
  • OK - after doing a test I think I see why the additional tab is opening the site's homepage, and staying open. There doesn't seem to be a valid referrer host, it thinks the referrer is blank.

    User goes to the whitepaper page, login, 2nd tab opened, first tab contains download link. 2nd tab contains homepage only. This 2nd tab is supposed to open and prompt user for PDF download, then disappear.

    Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/Home.aspx'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Local port is 80. Redirect to HTTPS (https://sitename.com/)
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Path: '/'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test :
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Redirect user to home page (http://sitename.com)
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 1
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/~/media/CE0AD0D9B8FC48A5B247FC102D6A27A0.pdf'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/whitepapers/2015/05/page-path/asset.aspx'
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/login/login.aspx'
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/design/fonts/314569/F77AE15C55FAFC3C5.css'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/login/login.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/whitepapers/2015/05/page-path/asset.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/whitepapers/2015/05/page.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Local port is 80. Redirect to HTTPS (https://sitename.com/whitepapers/2015/05/page.aspx)
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Path: '/whitepapers/2015/05/page.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test :
    

    Download PDF only

    Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 1
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/~/media/3397BD0B717641088CD7BEB65879A87C.pdf'
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    
    • Michael_Jenkins's avatar
      Michael_Jenkins
      Icon for Cirrostratus rankCirrostratus
      How is the page being opened for the pdf download? Javascript, or by user clicking on it?
    • Joe_Pipitone's avatar
      Joe_Pipitone
      Icon for Nimbostratus rankNimbostratus
      When a user goes to the page, they are forced to login. Once they've logged in, the PDF automatically starts the download - javascript window.open function is used.
  • sfuerst_116779's avatar
    sfuerst_116779
    Historic F5 Account

    You are missing a "return;" after the call to HTTP::respond at the end of the first if block.

     

    After responding, HTTP can't respond or redirect again as every request can only have one response... so the later HTTP::redirect calls will trigger an error.

     

  • Thank you all for your help. I've corrected the iRule with the missing return statement, and we will test further. For now, we've come up with a temporary workaround while we figure out a more permanent solution as far as supporting IE.