Forum Discussion
Bastien_8356
Nimbostratus
Jun 07, 2011
iRule to block user coming from 1 URL
Hi there,
I'd like to block any HTTP request to any user coming from a particular website.
It's going on a web server that is behind the F5 and already has a public IP address. It's not a node though, not load balanced nor behind a VIP.
I came up with this:
when HTTP_REQUEST {
    # Tcl needs the opening brace of the body on the same line as the condition
    if { [HTTP::header "Referer"] eq "http://blahblah/" } {
        drop
    }
}
Then I tried creating a VIP with the same public IP address and with the iRule, but Apache stopped responding.
Edit: I forgot to associate it with a pool with this single node. Is that how I have to do it?
Can you help me please? Many thanks.
9 Replies
- hoolio
Cirrostratus
Hi Bastien,
That looks right if you wanted to drop all requests coming into the virtual server with a Referer header of http://blahblah/. Can you test this on a test virtual server and add logging to see what was happening?
when HTTP_REQUEST {
    if { ([HTTP::header "Referer"] eq "http://blahblah/") } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Dropping [HTTP::method] to [HTTP::host][HTTP::uri] with Referer [HTTP::header Referer]"
        drop
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port]: Allowing [HTTP::method] to [HTTP::host][HTTP::uri] with Referer [HTTP::header Referer]"
    }
}
Aaron
- Bastien_8356
Nimbostratus
Hey hoolio, thx, I'll give it a try, but I didn't succeed in creating a VIP with my webserver as the only node. It stops responding.
This webserver has 2 public IPs, one for https, one for http (that's the one I'm interested in).
So I created a VIP with this same IP, profile http, I created a pool with this server. As soon as I created the VIP, it stopped working :(
- Michael_Yates
Nimbostratus
When you say:
So I created a VIP with this same IP
The Virtual Server does not have the same IP Address that belongs to the server, does it?
- Bastien_8356
Nimbostratus
That's what I did, probably why it didn't work?
I can't change the public IP as it's on the DNS.
I would need to use this public IP as the VIP, and change the IP of the server for a private one (and also update my Apache config), correct?
- Michael_Yates
Nimbostratus
If your DNS is pointed to that IP Address, then you could change ownership of the IP Address.
Assign the IP Address to the BIG-IP and assign a different IP Address on the server. That way the traffic will flow through the Load Balancer and then to the server (after whatever manipulation you want to do with your iRules).
You cannot have the same IP Address on two devices; it creates an IP Address Conflict.
DNS -> F5 Virtual Server -> Pool (containing your server IP Address and Port).
- Bastien_8356
Nimbostratus
I got you, thx! I can't do this now but I'll up this thread if I have an issue with the iRule!
- Hello,
Is there another function that can drop the request and stop going through the other iRules?
Thanks.
Regards,
TRX
- Colin_Walker_12
Historic F5 Account
If you want to both drop the request and stop all iRules, try:
drop
event disable all
Colin
- hoolio
Cirrostratus
Hi TRX,
I replied to your other post here:
[iRules - v4.x]: RE: How do I detect a web dav request?
http://devcentral.f5.com/Forums/tabid/53/aff/16/afv/topic/aft/1179140/afc/1250449/Default.aspx
If you're asking about v9 or v10 iRules, you might want to post in this forum instead to get more relevant views of your post.
Aaron
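The Referer check discussed in this thread, as an added example that was not posted by any participant: it compares only the host part of the Referer instead of one exact URL, skips requests with no Referer, and combines the logging with the `drop` and `event disable all` suggested above. The host name `blahblah` is the placeholder from the original question and the variable names are assumptions.

```tcl
when HTTP_REQUEST {
    # Assumption: "blahblah" is the placeholder host used in the thread.
    set blocked_host "blahblah"

    # Direct visits and some browser privacy settings send no Referer at all;
    # there is nothing to match on, so let the request through.
    if { not [HTTP::header exists "Referer"] } {
        return
    }

    # An exact "eq" against "http://blahblah/" misses http://blahblah/page,
    # https://blahblah/ and HTTP://BlahBlah/. Extract the host part and
    # lower-case it so all of those compare equal.
    set ref_host [string tolower [URI::host [HTTP::header value "Referer"]]]

    if { $ref_host equals $blocked_host } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Dropping [HTTP::method] to [HTTP::host][HTTP::uri] with Referer host $ref_host"
        # Drop the request and stop further iRule events on this connection.
        drop
        event disable all
        return
    }
}
```

The Referer header is supplied by the client, so this filters ordinary browser traffic arriving from that site and is not an access control. As the thread explains, the iRule only runs when the public IP address is owned by the virtual server and the web server sits behind it as a pool member.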