Forum Discussion

alinayesina_102
Mar 13, 2009

Response URI Masking/Hiding

We would like to consult on the possibility of performing a URL rewrite with the use of an iRule for domain.com. It’s not a good practice for our homepage to show as http://www.domain.com/home/default.htm; the ideal way is to only show www.domain.com, which is good for search engine crawlers and improves our search rankings.

Would something like this work?

    when HTTP_RESPONSE {
        if { [HTTP::status] starts_with "3" } {
            set origRedir [HTTP::header Location]
            set newRedir [string map {"/home/default.htm" "" } [HTTP::header Location]]
            HTTP::header replace Location $newRedir
            log local0. "Original redirect: $origRedir."
            log local0. "Rewritten redirect $newRedir"
        }
    }

  • Hi Gregg,

    Why are you trying to hide the path? Is it for security purposes? Or some other reason?

    1 isn't really possible. A normal session flow for HTTP would be a client makes a request to /. The web application sends back an HTML response with links in it. If the client clicks on a link, the browser address bar is updated to the new location and the browser makes a request to the web application with the new location set in the request line. You could create a one to one mapping of the URI a client requests to a backend URI, but you cannot say that you want to have the client make a request to /home but have an iRule dynamically rewrite the URI to different paths.

    2 is possible to try, but it's easily bypassed. You could use an iRule to check if the path starts with /home and allow access to the pool and for all other requests, redirect the client. However, if a client made a request to /home/../other_directory/ it would pass the iRule logic and be processed as /other_directory/ by the web server.

     
     when HTTP_REQUEST {

        # Check if requested path doesn't start with /home
        if {not ([HTTP::path] starts_with "/home")} {

           # Redirect the client to /home
           HTTP::redirect "http://[HTTP::host]/home"

           # OR

           # Respond with an access denied message
           # HTTP::respond 403 content {some html explaining the response}
        }
     }
     

    Aaron
  • Hmmm. I replied to this days ago, but my reply does not appear to have posted. Oh well, another puzzle for the noob. Thanks again for your response, Aaron.

    Security is the primary concern, and in that context the less info sent to the user the better. 1 isn't really a requirement, it is more of a goal. I would prefer to hide the paths so the visitor sees "/home" as "/", but there is no value in my hiding /home if its subdirectories are going to 'uncloak' it anyway.

    If I am going to leave the path visible, then 2 is all the more relevant. I need to pin the visitors within /home and the code you provided above appears to be on track, but you say that it is easily bypassed. I basically understand the iRule, but would you mind explaining further how someone would bypass it?
  • I think Aaron means that a user could simply type the full path with the ".." which would track back up the directory tree and get into those other directories, because the iRule would only fire if /home wasn't in the request. Of course they would have to know to try that, but forced browsing is a popular attack method.

    FWIW, the ASM module can restrict traffic flow to the paths you specify which would take care of your 2.

    Denny
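
The bypass described in this thread works because `starts_with` is applied to the raw, un-normalized path. The iRule below is an added example, not code from any poster in the thread: it decodes the path, refuses dot-segments instead of resolving them, and matches /home as a whole segment. The three-pass decode limit, the backslash handling, and the 403 body are assumptions, not details from the thread.

```tcl
when HTTP_REQUEST {
    set path [HTTP::path]
    set bad 0

    # Decode percent-escapes until the value is stable, so %2e%2e and
    # double-encoded %252e%252e are both seen as "..". The 3-pass budget
    # is an assumed limit; anything still changing after it fails closed.
    for {set i 0} {$i < 3} {incr i} {
        set decoded [URI::decode $path]
        if {$decoded eq $path} { break }
        set path $decoded
    }
    if {[URI::decode $path] ne $path} { set bad 1 }

    # Assumption: the backend web server may treat "\" as a path
    # separator, so fold it into "/" before splitting into segments.
    set path [string map [list \\ /] $path]

    # Reject "." and ".." segments outright. Resolving them here risks
    # disagreeing with how the web server resolves them.
    foreach seg [split $path "/"] {
        if {$seg eq "." || $seg eq ".."} { set bad 1 }
    }

    # Match /home as a complete segment: "/home" or "/home/...".
    # A bare prefix test would also let "/homework" or "/home2" through.
    if {$bad || !($path eq "/home" || $path starts_with "/home/")} {
        log local0. "Blocked request from [IP::client_addr]: [HTTP::uri]"
        HTTP::respond 403 content {Access denied}
    }
}
```

With this rule a request for /home/../other_directory/ is answered with a 403 at the BIG-IP rather than being passed to the pool.
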
  • Denny, Thanks for the suggestion. I will look into the ASM. In the meantime, much thanks to both you and Aaron. This gives me a reasonably good start.

    -Gregg