Forum Discussion
Restrict users from browsing directly to VIP.
Hello,
Is it possible to implement an iRule that will restrict access when browsing directly to the virtual server's IP address? For example, when a user browses to http://1.1.1.1 the traffic is dropped; however, browsing to the domain name is acceptable (ie http://mywebsite.com).
4 Replies
- Hamish
Cirrocumulus
It's not foolproof, but you can check the host: header. A browser will by default put in there whatever was typed in the URL for the host. So if they type http://1.1.1.1/ the host header will have host: 1.1.1.1
    if { [HTTP::host] ne "mysite.domain.com" } { drop }
Or do whatever you like (e.g. redirect somewhere else) 🙂
- Hamish
Cirrocumulus
Oh. host: headers aren't mandatory for HTTP/1.0 so this might break some valid clients... (Although I don't know of any browsers that don't insert it).
- Arie
Altostratus
You could also check to see if the user used the VIP's IP-address as the host and then drop:
    if { [HTTP::host] equals [IP::local_addr] } { drop }
That way you can use the same iRule (snippet) on any VIP without worrying about specific allowed hostnames.
- JRahm
Admin
Absolutely supportable in iRules, but there is more functionality with redirects moving into policy actions in the GUI (or via tmsh). For Hamish's solution, it would look like this:
    ltm policy http.redirects {
        controls { forwarding }
        requires { http }
        rules {
            require_fqdn {
                actions {
                    0 {
                        forward
                        reset
                    }
                }
                conditions {
                    0 {
                        http-host
                        host
                        not
                        values { my.domain.com }
                    }
                }
                ordinal 1
            }
        }
        strategy all-match
    }
Yes, more lines, and doesn't look pretty on the CLI, but multiple redirect rules can be added per policy and managed completely in the system versus requiring coding skills for shops that are leery about coding at the network layer.
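The following iRule is an added example, not code posted by anyone in this thread. It combines the checks discussed above: an allow-list of hostnames, the comparison against the VIP's own address, and explicit handling of requests that carry no Host header. The hostnames (`mywebsite.com` from the question, plus an assumed `www.` variant) and the choice of `reject` versus `drop` are assumptions to adapt.

```tcl
# Added example; hostnames and actions are assumptions, not from the thread.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and strip any ":port" suffix,
    # so "MyWebsite.com:80" and "1.1.1.1:80" are compared correctly.
    # Limitation: getfield splits on ":", so bracketed IPv6 literals
    # (e.g. "[2001:db8::1]") are not parsed here and fall through to default.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # The VIP address; in a non-default route domain it carries a "%<id>"
    # suffix, which is removed before comparing.
    set vip [getfield [IP::local_addr] "%" 1]

    # HTTP/1.0 clients are not required to send a Host header.
    # Decide explicitly what happens to them instead of relying on "ne".
    if { $host eq "" } {
        log local0. "Rejected: no Host header from [IP::client_addr], HTTP/[HTTP::version]"
        reject
        return
    }

    # Request addressed to the VIP by IP rather than by name.
    if { $host eq $vip } {
        log local0. "Dropped: Host is VIP address, client [IP::client_addr]"
        drop
        return
    }

    # Allow-list of names this virtual server is meant to answer for.
    switch -- $host {
        "mywebsite.com" -
        "www.mywebsite.com" {
            # Allowed; let the request continue to the pool.
            return
        }
        default {
            log local0. "Rejected: unexpected Host '$host' from [IP::client_addr]"
            reject
        }
    }
}
```

`drop` silently discards the connection while `reject` sends a TCP reset; the per-request `log` lines are useful while validating the rule but can be noisy on a busy virtual server.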