Forum Discussion

insomniak_11745's avatar
insomniak_11745
Icon for Nimbostratus rankNimbostratus
Aug 19, 2013

Restrict Access via HTTP referer

I'm attempting to restrict access to an application via HTTP REFERER. Using the example given by the dev team, I'm using something that looks like this: when HTTP_REQUEST { switch -glob [HTTP::...
application delivery
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 19, 2013

Give this a shot:

when RULE_INIT {
     user-defined: enable/disable debug (1/0)
    set static::ref_debug 1
}
when HTTP_REQUEST {
    if { not ( [HTTP::uri] equals "/favicon.ico" ) } {
        if { $static::ref_debug } { log local0. "Incoming referer: [HTTP::header Referer]" }
        switch -glob [string tolower [HTTP::header Referer]] {
            "http://*.mydomain.com*" {
                if { $static::ref_debug } { log local0. "From allowed referrer - allow" }
                return
            } 
            "http://*.example.com*" {
                if { $static::ref_debug } { log local0. "local domain - allow" }
                return
            }
            default {
                if { $static::ref_debug } { log local0. "from disallowed referer - redirect" }
                HTTP::redirect [HTTP::header Referer]
            }
        }
    }
}

I threw the favicon.ico check in there as it never seemed to carry a Referer header and was getting redirected unnecessarily. The trick here is that you have to catch and accept the Referer headers from both the remote site and the local site.