problems with data group and http:host
Hi,
I have set up a forward HTTP proxy using the iRule provided on DevCentral (current version 3.2), which works quite well. But due to security demands, I need to limit outgoing requests to only approved hosts, which has proved to be a bit more challenging than first anticipated.
What I have done is to create a data group containing the approved domains that can be reached, and added the following to the proxy iRule:
if { not [matchclass [string tolower [HTTP::host]] ends_with data_group] } { reject }
So the thought is to only allow domains and subdomains that are in the data group, but we are not getting the results we want. If I change the operator from "ends_with" to "contains", it will work, but that will leave us more open to exploits, as we cannot be sure the request goes to a valid host.
Is there something I'm missing here, as I thought that HTTP::host would be http:// and not include anything from the URI? If there are any suggestions on how to get this to work as intended, it would be much appreciated!
- Vernon_97235 (Historic F5 Account)
matchclass is deprecated in favor of class. Can you try the same, but using class as follows:
if { not [class match [string tolower [HTTP::host]] ends_with data_group] } { reject }
and see if that makes a difference?
- Kai_M__48813 (Cirrus)
Hi.. I have now updated the iRule to the following:
if { not [class match [string tolower [HTTP::host]] ends_with data_group] } { reject }
but this is still not working for requests that also include a subdomain. The request being sent from the server is api..xx/, but this fails. If we open a browser on the server and go straight to https://, it gets through. This indicates that at least some parts of the iRule are working, but it fails to send a request through if it includes a subdomain as well... unless I'm missing something here. Also, as this is a proxy, it uses 8080.. does this get attached to the Host header? If so, it will probably cause issues with "ends_with".
- Vernon_97235 (Historic F5 Account)
Indeed it will. To solve that problem, this should do the trick:
if { not [class match [string tolower [getfield [HTTP::host] : 1]] ends_with data_group] } { reject }
- Kai_M__48813 (Cirrus)
Initial tests are showing that the iRule is now working as intended! The last change made all the difference... after reading up on non-standard ports being added to the host, it was a matter of finding a solution for this... if all goes as planned, this will be a lifesaver for me! Thanks for the help :)
- THi (Nimbostratus)
What does your data group look like? You could add a logging line into your iRule to see what the HTTP::host value is and compare it with your data group value. Are your requests using non-standard ports, i.e. not 80/443? HTTP::host contains the port in those cases, e.g. example.com:8080, which may confuse the ends_with comparison.
log local0. "HTTP Host is: [HTTP::host]"
Instead of HTTP::host, you might use the URI::host command with HTTP::host as parameter. URI::host does not return the protocol portion of the Host header. Note that URI::host requires a parameter string from which it parses the host portion. Haven't tested it, though.. see the iRule wiki on those.
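The following is an added example, not an iRule from this thread, that models in Python the three building blocks the thread's final rule uses (`string tolower`, `getfield ... : 1` and `class match ... ends_with`) so the port problem Vernon and THi describe, and the difference between `ends_with` and `contains` that the original poster worried about, can be exercised offline. The data group entries and the Host header values are constructed for the example. It also goes one step beyond the thread with a label-boundary check (`host == entry` or `host` ends with `"." + entry`), because a bare `ends_with` on an entry such as `example.com` also accepts `notexample.com` unless the data group records carry a leading dot.

```python
"""Offline model of the Host-header allowlist check from the thread.

iRule construct                              -> Python equivalent here
[string tolower [HTTP::host]]                -> str.lower()
[getfield [HTTP::host] : 1]                  -> getfield_host()
[class match $h ends_with data_group]        -> class_match(h, "ends_with")
[class match $h contains data_group]         -> class_match(h, "contains")
"""

# Constructed stand-in for the approved-domain data group in the thread.
DATA_GROUP = ["example.com", "example.net"]


def getfield_host(host: str) -> str:
    """Equivalent of [getfield $host : 1]: keep everything before the first ':'.

    Caveat (not discussed in the thread): an IPv6 literal such as '[::1]:8080'
    comes out as '[' because the split happens at the first ':' it finds.
    """
    return host.split(":", 1)[0]


def class_match(host: str, operator: str, data_group=DATA_GROUP) -> bool:
    """Mimic [class match $host <operator> data_group] for a string data group."""
    if operator == "ends_with":
        return any(host.endswith(entry) for entry in data_group)
    if operator == "contains":
        return any(entry in host for entry in data_group)
    raise ValueError(f"unsupported operator: {operator}")


def allowed(raw_host: str, operator: str = "ends_with", strip_port: bool = True) -> bool:
    """True when the request would NOT hit 'reject' in
    if { not [class match ... ] } { reject }.

    strip_port=False reproduces the rule before Vernon's getfield fix,
    strip_port=True the rule after it.
    """
    host = raw_host.lower()
    if strip_port:
        host = getfield_host(host)
    return class_match(host, operator)


def label_boundary_match(host: str, data_group=DATA_GROUP) -> bool:
    """Tighter check (hypothetical, added here): the host must equal an approved
    domain or be a subdomain of it, so 'notexample.com' cannot ride on the
    'example.com' suffix and 'example.com.evil.net' is not accepted either."""
    return any(host == entry or host.endswith("." + entry) for entry in data_group)


def strict_allowed(raw_host: str) -> bool:
    """Port-stripped, lower-cased Host checked on label boundaries."""
    return label_boundary_match(getfield_host(raw_host.lower()))


if __name__ == "__main__":
    # Constructed Host header values as a proxy on port 8080 would see them.
    for h in ["api.example.com:8080", "API.Example.COM",
              "example.com.evil.net:8080", "notexample.com", "[::1]:8080"]:
        print(f"{h:28} ends_with/no-strip={allowed(h, strip_port=False)!s:5} "
              f"ends_with={allowed(h)!s:5} contains={allowed(h, 'contains')!s:5} "
              f"strict={strict_allowed(h)}")
```

Running the block prints one row per constructed Host value: the `:8080` suffix makes the unfixed `ends_with` rule reject `api.example.com:8080`, stripping the port with `getfield` lets it through, `contains` accepts `example.com.evil.net` while `ends_with` does not, and only the label-boundary variant turns away `notexample.com`.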