problems with data group and http:host
Hi,
I have set up a forward HTTP proxy, using the iRule provided on DevCentral (current version 3.2), which works quite well. But due to security demands, I need to limit outgoing requests to only approved hosts, which has proved to be a bit more challenging than first anticipated.
What I have done is create a data group containing the approved domains that can be reached, and add the following to the proxy iRule:
if { not [matchclass [string tolower [HTTP::host]] ends_with data_group] } { reject }
So the thought is to only allow domains and subdomains that are in the data group, but we are not getting the results we want. If I change the operator from "ends_with" to "contains", it will work, but that will leave us more open to exploits, as we cannot be sure the request goes to a valid host.
Is there something I'm missing here, as I thought that HTTP::host would be http:// and not include anything from the URI? If there are any suggestions on how to get this to work as intended, it would be much appreciated!
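
An added example, not part of the original post or of the DevCentral proxy iRule: a suffix allowlist check that normalizes the Host header before matching, since HTTP::host returns the header value as sent and that value can carry a port. It assumes BIG-IP v10 or later (`class match` instead of the older `matchclass`) and that the entries in `data_group` are stored with a leading dot; the sample entries in the comment are constructed.

```tcl
# Added example. Assumed contents of the string data group "data_group"
# (constructed sample entries, each with a leading dot):
#   .example.com
#   .updates.example.net
when HTTP_REQUEST {
    # HTTP::host is the raw Host header value, e.g. "www.example.com:8080".
    # A trailing ":port" makes a plain ends_with comparison fail, while
    # "contains" still succeeds, so keep only the part before the first colon.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # A fully qualified name may end in a dot ("www.example.com.").
    set host [string trimright $host "."]

    # Prefix a dot so the suffix match is anchored on a label boundary:
    #   example.com      -> .example.com      matches .example.com
    #   www.example.com  -> .www.example.com  matches .example.com
    #   notexample.com   -> .notexample.com   no match
    # An empty Host or an IPv6 literal ("[::1]:80" becomes "[") matches
    # nothing, so those requests are rejected as well.
    if { ![class match ".$host" ends_with data_group] } {
        reject
        return
    }
}
```

With dot-prefixed entries, `ends_with` accepts an approved domain and its subdomains but not a different domain that merely ends in the same characters.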