Forum Discussion

Bastien_8356's avatar
Icon for Nimbostratus rankNimbostratus
Jun 07, 2011

iRule to block user coming from 1 URL

Hi there,



I'd like to block any http request to any user coming from a particular website.



It's going on a web server that is behind the F5 and already have a public IP address. It's not a node though, not load balanced nor behind a VIP.



I came up with this:






if { ([HTTP::header "Referer"] eq "http://blahblah/") }


{ drop







Then I tried creating a VIP with the same public IP address and with the iRule, but the apache stop responding.


edit: I forgot to create associate it with a pool with this single node, that's how I have to do it ?




Can you help me please ? Many thanks.


9 Replies

  • Hi Bastien,

    That looks right if you wanted to drop all requests coming into the virtual server with a Referer header of http://blahblah/. Can you test this on a test virtual server and add logging to see what was happening?

    when HTTP_REQUEST {
       if { ([HTTP::header "Referer"] eq "http://blahblah/") } {
          log local0. "[IP::client_addr]:[TCP::client_port]: Dropping [HTTP::method] to [HTTP::host][HTTP::uri] with Referer [HTTP::header Referer]"
       } else {
          log local0. "[IP::client_addr]:[TCP::client_port]: Allowing [HTTP::method] to [HTTP::host][HTTP::uri] with Referer [HTTP::header Referer]"

  • Hey hoolio, thx I'll give a try, but I didn't succeed in creating a VIP with my webserver as the only node. It's stop responding.


    This webserver has 2 public IP, one for https, one for http (that's the one i'm interested in).



    So I created a VIP with this same IP, profile http, I created a pool with this server. As soon I created the VIP, it stops working :(
  • When you say:



    So I created a VIP with this same IP



    The Virtual Server does not have the same IP Address that belongs to the server does it?
  • That's what I did, probably why it didn't work ?



    I can't change the public IP as it's on the DNS.



    I would need to use this public IP as the VIP, and change the ip of the server for a private one (and also update my apache config) correct ?
  • If your DNS is pointed to that IP Address, then you could change ownership of the IP Address.



    Assign the IP Address to the BIG-IP and assign a different IP Address on the server. That way the traffic will flow through the Load Balancer and then to the server (after whatever manipulation you want to do with your iRules.



    You cannot have the same IP Address on two devices, it creates an IP Address Conflict.



    DNS -> F5 Virtual Server -> Pool (containing your server IP Address and Port).



  • I got you, thx ! I can't do this now but I'll up this thread if I have issue with the iRule !
  • Hello ,

    Is there another function that can drop the request and stop going through the other IRules?












  • Colin_Walker_12's avatar
    Historic F5 Account
    If you want to both drop the request and stop all iRules, try:

    event disable all

  • Hi TRX,



    I replied to your other post here:



    [iRules - v4.x]: RE: How do I detect a web dav request?




    If you're asking about v9 or v10 iRules, you might want to post in this forum instead to get more relevant views of your post.