For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fahmy_28867's avatar
fahmy_28867
Icon for Nimbostratus rankNimbostratus
Sep 15, 2010

irule needed depend on URL not site ip

i have virtual server https load on http pool i need to create irule to accept the header if requet only with URL of the https site and deny any the request if it requested via the website ip .Any one can help me on this .Thanks in advance
application delivery
dev
devops
iRules

7 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Sep 15, 2010
    Hi Fahmy,

     

    If I understand your question you want to basically only allow requests to make it through if they use domain name but deny those that use the IP addresses.

     

     

    This code might help. Assuming that you created a white list datagroup.

     

     

    

when HTTP_REQUEST {
  if hosts header does not match the whitelist then drop the request
 if { ![matchclass [HTTP::header "Host"] eq $::hostswhitelist] } { 
      drop
    }
}

     

     

    I hope this helps

     

     

    Bhattman

     

     

     

     

  • fahmy_28867's avatar
    fahmy_28867
    Icon for Nimbostratus rankNimbostratus
    Sep 15, 2010
    thanks Bhattman for your reply ,i'v a very short experience with irule so i need to ask about the white list data group how can i create it ,Is the white list include my URL ? say the url https://www.test.com/webaccess\ what is the change in the scripte attached?thanks for your patient .I will use your script as it is .

     

    Thanks in advance
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Sep 16, 2010
    
when HTTP_REQUEST {
if { !([string tolower [HTTP::host]] eq "www.test.com") } {
discard } }

    This rule will only allow traffic destined for the host "www.test.com" and will discard (silently drop) anything else.
  • fahmy_28867's avatar
    fahmy_28867
    Icon for Nimbostratus rankNimbostratus
    Sep 16, 2010
    Hi Chris ,

     

    when HTTP_REQUEST {

     

    if { !([string tolower [HTTP::host]] eq "www.test.com.eg") } {

     

    discard } }

     

    if this string mean that if request come to www.test.com.eg or any sublink for this url like www.test.com.com/stuff will allow to this host and anything else will be dropped ,like request with ip , and I don’t need to write full URL https://www.test.com.eg

     

    Please advice

     

  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Sep 16, 2010
    Posted By fahmy on 09/16/2010 12:50 AM

     

    Hi Chris ,

     

    when HTTP_REQUEST {

     

    if { !([string tolower [HTTP::host]] eq "www.test.com.eg") } {

     

    discard } }

     

    if this string mean that if request come to www.test.com.eg or any sublink for this url like www.test.com.com/stuff will allow to this host and anything else will be dropped ,like request with ip , and I don’t need to write full URL https://www.test.com.eg

     

    Please advice

     

     

     

    Correct
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Sep 20, 2010
    If you just want to drop requests made by IP address, you could do a simple test for any alpha character instead of a specific white list. This would be less specific but more efficient than checking a datagroup for every request.

    Here's an untested example: 

    
when HTTP_REQUEST {

   if { not [string match {*[a-zA-Z]*} [HTTP::header host]] }{
      discard
   }
}

    Aaron