Forum Discussion

vishu_chavan's avatar
vishu_chavan
Icon for Altocumulus rankAltocumulus
Aug 28, 2023
Solved

Restricting access to a virtual server by Public IP address should access through only domain name.

 

 

We had Published  website on F5 with Domain name ,now created domain is aviable in public ,but publish website is also accessible  with ip address in public domain.( we have created server pool )

Website must be only accessible through Domain name only . 

We tried to created iRule for same Domain but its given error to assign HTTP profile .

We tried to applied HTTP profile to domain but domain virtual server pool go down and domain is unaviable .

we are using F5 current version is 11.5.8 

Kindly suggest work around for version 11.5.8

i am new to F5  

 

 

 

 

security

11 Replies

Sort By
  • F5-Enthusiast's avatar
    F5-Enthusiast
    Icon for Altocumulus rankAltocumulus
    Aug 28, 2023

    Hello,

    please note first, that version 11.5.8 is out of any supprt and service from April 8, 2019 as you can see in BIG-IP software support policy (f5.com)

    For your problem, solution via iRule is a viable. also you could utilize LTM Policies.
    But as you describe you can't add the iRule (which is based on HTTP Events) because you do not have any HTTP Profile on Virtual Server.
    This Profile is required to validate or manipulate data on HTTP Layer.

    And as you described you also have application issues if you apply an HTTP Profile it seems that the Application is protected by SSL / TLS. In this case you would also need an Client SSL / Server SSL profile

    So the F5 will be able to decrypt and encrypt the connection and after that apply the http profile to make your iRule work.

    But most important: Get an updated F5. This software Version is old and has maaaaaany Security and operating flaws

    Regards

     

     

    • vishu_chavan's avatar
      vishu_chavan
      Icon for Altocumulus rankAltocumulus
      Aug 28, 2023

      Thanks for reply

      yes we knew F5 is running on old version and it is out of date .new F5 is in process as it will take time .

      Can you please, Guide me how to apply   SSL / TLS for virtual server .

      Thanks in advance . 

    • vishu_chavan's avatar
      vishu_chavan
      Icon for Altocumulus rankAltocumulus
      Aug 28, 2023

      Hi  F5-Enthusiast 

      Thanks for your reply .Tried your solutions 

      I applied  Client SSL / Server SSL profile & HTTP profile on website and added iRule for website 

      iRule script below 

      when HTTP_REQUEST {
      switch [string tolower [HTTP::host]] {
      "www.domian.com"
      {
      return
      }
      default {
      reject
      }
      }
      }

      All Setting Successfully applied .Now i can access website with only domain name ,BUT while accessing website with domain its show my ssl certificate is expired .Treid to view same certificate it show some IT or local certificate .

      As earier my website ssl certificate is  secure and working.

      Kindly suggest for same .

      Thanks in advance.

  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Aug 28, 2023

    Hi vishu_chavan , 

    Could you please send the irule script that you use now. 

    > it's mandatory to assign http profile for this irule. 
    > although you have a non supported version and you need to upgrade , but try the below irule script : 

    when HTTP_REQUEST {
	    if { ([HTTP::host] != "www.example.com") } {
	       reject
	    }
	}

    > Replace "www.example.com" by your correct FQDN. 
    and let me know the results 

  • Snl's avatar
    Snl
    Icon for Cirrostratus rankCirrostratus
    Aug 28, 2023

     

    you can try below irule as well 

replace x.x.x.x with your ip address

when HTTP_REQUEST {
If { !([HTTP::host] equals "x.x.x.x") } {
Reject
}
}