iRule to hide internal URL from users

Question

the thing i'm trying to accomplish is that once an external user gets to their /pages/morepages/sales.aspx page, they cannot go up to a higher level in the domain... I'm not sure what the best way to do this is... I have the ASM module so I'm guessing I'll need some form of filter. I also wouldn't mind hiding the URI from the user, so all they see is external.domain.com wherever they go... anyway, i'm sure this is a topic for another forum..

so first and foremost, i'm having trouble getting the 1st piece taken care of... with an iRule to get the redirect and/or rewrite to take place... i'm a noob and this is my 1st post. i'm on v11, APM & ASM and am going to a training class next week, just trying to get some tasks accomplished prior...

i'm guessing i'll need a redirect or host replacement for incoming traffic, and then some kind of rewrite on the response to the client because internal.domain.com is not in public dns? I'm hoping the rewrite will take care of relative URLs?...

thanks...

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; Are you trying to restrict access for security reasons or to mask the internal hostname?  If the latter, you can use the ProxyPass iRule to present an external hostname (and/or URI) and use an internal hostname (and/or URI) for the pool. 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/iRules.proxypassv10.ashx 
&nbsp;  
&nbsp; Aaron

gh0std0g_79292 · Answer

Yes, we have to restrict access for security reasons... So external users should only be able to get to URIs below their 'sales' page: 
&nbsp; /pages/morepages/sales.aspx 
&nbsp;  
&nbsp; But i would prefer not to publish the internal hostname and/or URI to the public. &nbsp;

hooleylist · Answer

Sorry I missed your reply here.  It's not really feasible (read: effective and efficient) to use iRules to do directory restrictions for IIS, due to the number of ways that IIS accepts URIs.  See this post for examples of why: 
&nbsp;  
&nbsp; https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/30900/showtab/groupforums/Default.aspx31324 
&nbsp;  
&nbsp; The ProxyPass iRule will allow you to proxy requests to an internal URL and path, but won't restrict who can request which URIs. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

And I forgot to mention, ASM is an effective way to enforce path restrictions.  ASM is able to normalize the different encoding methods a malicious user could try to bypass restrictions with.  It should be fairly straightforward to do this within ASM.  Note that if you use ProxyPass on an ASM virtual server, the hostnames and/or URIs ASM gets will have already been rewritten by ProxyPass. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

iRule to hide internal URL from users

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Communication between DMZ & Internal devices

vip call another vip with internal ip

VPN SSL Users migration

F5 LTM SNAT: only 1 outgoing connection, multiple internal clients

Getting started with a script to delete user APM session(s)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS