Forum Discussion
iRule - HTTP::is_redirect failing
We have used this iRule for many years to block PDFs from being accessed directly, unless a user logs in and comes from an allowed domain.
After upgrading from 10.2.4 to 11.2.1 and then to 11.6, the iRule fails to work and complains in the ltm log:
TCL error: /Common/block-pdf-searches - Operation not supported (line 1) invoked from within "HTTP::is_redirect"
I've done some testing and I've confirmed that I'm able to do a simple log local0. if the http response is HTTP::is_redirect, so it seems like the syntax is supported.
Can anyone find what may be wrong here?
when RULE_INIT {
    # 0=disable checking paths
    # 1=check referer if requested URL is in "referer_check_paths" (default allow)
    # 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
    set ::setting_check_paths 0
    # 0=exact match for path check
    # 1=starts_with match of path check
    set ::setting_path_check_starts_with 0
    # 0=disable filetype checking
    # 1=enable filetype checking
    set ::setting_check_filetypes 1
    # Set appropriate URL to send the user to
    set static::error_url {https://[HTTP::host]}
    # END OF CONFIGURABLE PARAMETERS
    if { $::setting_path_check_starts_with == 1 } {
        set ::match_with "starts_with"
        return
    }
    set ::match_with "equals"
}
when HTTP_REQUEST {
    set error 0
    if { $error == 0 && $::setting_check_filetypes == 1 &&
         [matchclass [HTTP::path] ends_with referer_check_filetypes] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 1 &&
         [matchclass [HTTP::path] $::match_with referer_check_paths] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 2 &&
         ( not [matchclass [HTTP::path] $::match_with referer_check_paths] ) } {
        set error 1
    }
    if { $error == 0 } {
        return
    }
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { $refer_host == "" || [matchclass $refer_host contains referer_allowed_hosts] } {
        return
    }
    set info " NOTICE: Entry point bypass detected from host: $refer_host"
    append info " client { [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] }"
    append info " ethernet { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop] 0 16] tag [LINK::vlan_id] qos [LINK::qos] }"
    append info " - [HTTP::version] - REDIR [HTTP::is_redirect], Content-Length [HTTP::header Content-Length], Transfer-Encoding [HTTP::header Transfer-Encoding]"
    append info " *TCP MSS([TCP::mss]) BW([TCP::bandwidth]) RTT([TCP::rtt]) OFFSET([TCP::offset])"
    append info " *IP TOS [IP::tos], HOPS [IP::hops], TTL [IP::ttl]"
    append info " *HTTP HOST [HTTP::host], KEEPALIVE [HTTP::is_keepalive], REQ_NUM [HTTP::request_num]"
    log local0. $info
    # Set cache control headers on the redirect to prevent proxies from caching the response.
    HTTP::respond 302 Location [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
}
- Joe_PipitoneNimbostratus
I've removed " - REDIR [HTTP::is_redirect]" however the redirection back to the website's home page does not occur - it allows the user to download the PDFs.
- Maria_63394Nimbostratus
Did you try "HTTP::header is_redirect" instead of "HTTP::is_redirect" (https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15896.html)?
- Joe_PipitoneNimbostratus
I've tried HTTP::header is_redirect - the error goes away. I'm still not seeing a redirect back to the homepage. I've also tried uncommenting log local0. $info, and nothing gets logged. I've even tried logging a string such as "hello" and that doesn't get logged either. It's almost as if that bottom part of the iRule is being ignored.
- nitass_89166Noctilucent
the redirection back to the website's home page does not occur - it allows the user to download the PDFs.
Does the request come with a Referer header? If it does not exist or is null, it will be allowed (to download the PDF), won't it?
if { $refer_host == "" || [matchclass $refer_host contains referer_allowed_hosts] } { return }
By the way, since you are running 11.6.0, you should replace global variables and matchclass with static global variables and the class command.
static
https://devcentral.f5.com/wiki/iRules.static.ashx
class
https://devcentral.f5.com/wiki/iRules.class.ashx
- Joe_PipitoneNimbostratus
This used to work in the past, and very well. The request comes with referrer header - basically if a user logs into our website, and the request comes from a list of allowed domains, then they're able to download the PDF. We put this iRule in place to prevent PDFs that were previously indexed on Google from being downloaded directly from Google search results, so the referrer in that case was google.com, which was not on our list of allowed hosts. Thanks for your suggestions - I'll take a look at those articles. If you are able to help me in the meantime, I'd appreciate it.
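An added example, not code from the thread or from F5: the rule restructured along the lines nitass suggests, with static:: variables and class match in place of $:: globals and matchclass. The data group names come from the original post; static::allow_empty_referer is a hypothetical setting that turns the empty-Referer pass-through nitass asks about into an explicit choice, and the request-side log line leaves out HTTP::is_redirect, which reports on a response.

```tcl
when RULE_INIT {
    # static:: variables are set once at load time, unlike the $:: globals.
    # 0 = no path checks, 1 = protect listed paths, 2 = protect unlisted paths
    set static::check_paths 0
    # 1 = starts_with match on paths, 0 = exact match
    set static::path_starts_with 0
    # 1 = protect file types listed in referer_check_filetypes
    set static::check_filetypes 1
    # Hypothetical setting (not in the original rule): 1 keeps the original
    # behaviour of passing requests that carry no Referer, 0 redirects them.
    set static::allow_empty_referer 1
}
when HTTP_REQUEST {
    # Lowercased so that data group entries (assumed lowercase) match
    # regardless of the case used in the request.
    set path [string tolower [HTTP::path]]
    set protected 0
    if { $static::check_filetypes == 1 && [class match $path ends_with referer_check_filetypes] } {
        set protected 1
    } elseif { $static::check_paths != 0 } {
        if { $static::path_starts_with == 1 } {
            set listed [class match $path starts_with referer_check_paths]
        } else {
            set listed [class match $path equals referer_check_paths]
        }
        # Mode 1 protects listed paths, mode 2 protects everything else.
        if { ($static::check_paths == 1) == $listed } { set protected 1 }
    }
    if { !$protected } { return }

    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { $refer_host eq "" } {
        # The fail-open branch, now an explicit setting.
        if { $static::allow_empty_referer == 1 } { return }
    } elseif { [class match $refer_host contains referer_allowed_hosts] } {
        # "contains" is a substring match, kept from the original rule;
        # "equals" is stricter when the data group holds full host names.
        return
    }
    # Request-side values only: no response exists yet in HTTP_REQUEST.
    log local0. "NOTICE: entry point bypass, referer host '$refer_host', client [IP::client_addr]:[TCP::client_port], host [HTTP::host], path [HTTP::path]"
    # Cache-control headers keep proxies from caching the redirect.
    HTTP::respond 302 Location "https://[HTTP::host]/" Cache-Control "no-cache" Pragma "no-cache"
}
```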
- Joe_PipitoneNimbostratus
I found this article on codeshare - it seems to be working. Just need to fine-tune it a bit, but so far testing is working great.
https://devcentral.f5.com/codeshare?sid=455