Forum Discussion
Restrict Access via HTTP referer
@hoolio - Yes, thank you for pointing this out. This is actually an issue with this particular implementation as we are going from https --> http. I'm looking into configuring the application (Etherpad) to use https instead of http.
@Kevin - I understand the concern with spoofing HTTP headers, however this particular implementation is not to address any security concerns. Rather, it's more of a forceful "training" of the end users to use the URL included in the application rather than accessing it directly.
Thank you everyone for your quick help!
This is exactly what I am trying to achieve with my application too. According to the config below:
    when HTTP_REQUEST {
        switch -glob [HTTP::header "Referer"] {
            "http://click.bank.com/dashboard.php" {
                # Allow Request to go through...
                if { [string tolower [HTTP::uri]] ends_with "/eod" } {
                    pool BankAppPool member 10.10.1.51 8888
                    log local0. "Requested path - admin sent to App1"
                    log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
                    # Left disabled: an iRule can issue only one HTTP::redirect per request
                    # HTTP::redirect "/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
                    HTTP::redirect "http://10.10.1.51:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
                } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
                    log local0. "Requested path - distribute Round robin"
                    HTTP::redirect "http://pam.bank.com:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.57:9001/banks"
                    log local0. "Requested path - banks"
                }
            }
            "" {
                HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
            }
            default {
                HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
                # Stray fragment, left disabled: [HTTP::header "Referer"]
            }
        }
    }
The redirect is working very fine as defined but the application accepting the request for valid navigation fails to load. It just hangs indefinitely. It works fine without the referrer-based redirect but, once the referrer check is introduced, it doesn't load. Is there something I'm missing in the iRule definition?
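The decision logic of the switch posted above, replayed in Python over constructed requests, as an added example that is not code from the thread: it shows which requests fall through to the index.php redirect. It assumes the application's follow-up requests pass through the same virtual server; the `decide` and `replay` names, the `?tab=1` query string and the `/forms/example-resource` path are made up for illustration.

```python
from fnmatch import fnmatchcase

# Values copied from the iRule in the post above.
ALLOWED_REFERER = "http://click.bank.com/dashboard.php"
FALLBACK = "http://click.bank.com/index.php?resp_id=MLG"


def decide(referer, uri):
    """Model of the posted `switch -glob [HTTP::header "Referer"]`.

    A missing Referer header is passed as "" (what HTTP::header returns).
    Returns (action, target).
    """
    if fnmatchcase(referer, ALLOWED_REFERER):
        path = uri.lower()
        if path.endswith("/eod") or path.endswith("/"):
            return ("redirect", "application entry URL")
        return ("pass", "pool")  # no branch fires, request is load balanced
    # The "" case and the default case send the client to the same place.
    return ("redirect", FALLBACK)


# Constructed requests: (description, Referer header, request URI).
SAMPLE_REQUESTS = [
    ("click from the dashboard", ALLOWED_REFERER, "/eod"),
    # The pattern has no wildcard, so any extra query string misses it.
    ("dashboard URL with a query string", ALLOWED_REFERER + "?tab=1", "/eod"),
    # Browsers omit Referer when navigating from an https page to http.
    ("link on an https page, Referer dropped", "", "/eod"),
    # Once the application page has loaded, it becomes the Referer.
    ("follow-up request made by the loaded app",
     "http://pam.bank.com:9001/forms/frmservlet", "/forms/example-resource"),
]


def replay(requests):
    """Apply decide() to each request and keep the description alongside."""
    return [(desc,) + decide(ref, uri) for desc, ref, uri in requests]


if __name__ == "__main__":
    # The Referer value is client-supplied, so this is routing, not access control.
    for desc, action, target in replay(SAMPLE_REQUESTS):
        print(f"{desc:45} -> {action:8} {target}")
```

Only the first request reaches the application entry URL; every later request whose Referer is not the exact dashboard URL is sent back to index.php.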
