Forum Discussion
vishu_chavan
Altocumulus
AltocumulusRestricting access to a virtual server by Public IP address should access through only domain name.
We had Published website on F5 with Domain name ,now created domain is aviable in public ,but publish website is also accessible with ip address in public domain.( we have created server pool...
seems you have not used your Domain certificate under client ssl profile , check thebelow link to upload your CA domain certificate and key to bigip and followed to that you need to create client ssl profile point to your Domain certificate/key and any chain certificate.
https://my.f5.com/manage/s/article/K14620#3
once done you check your domain for any ssl issue by running test in below link
https://www.sslshopper.com/ssl-checker.html
F5-EnthusiastAltocumulus
AltocumulusHello,
please note first, that version 11.5.8 is out of any supprt and service from April 8, 2019 as you can see in BIG-IP software support policy (f5.com)
For your problem, solution via iRule is a viable. also you could utilize LTM Policies.
But as you describe you can't add the iRule (which is based on HTTP Events) because you do not have any HTTP Profile on Virtual Server.
This Profile is required to validate or manipulate data on HTTP Layer.
And as you described you also have application issues if you apply an HTTP Profile it seems that the Application is protected by SSL / TLS. In this case you would also need an Client SSL / Server SSL profile
So the F5 will be able to decrypt and encrypt the connection and after that apply the http profile to make your iRule work.
But most important: Get an updated F5. This software Version is old and has maaaaaany Security and operating flaws
Regards
vishu_chavanAltocumulus
AltocumulusThanks for your reply .Tried your solutions
I applied Client SSL / Server SSL profile & HTTP profile on website and added iRule for website
iRule script below
when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
"www.domian.com"
{
return
}
default {
reject
}
}
}
All Setting Successfully applied .Now i can access website with only domain name ,BUT while accessing website with domain its show my ssl certificate is expired .Treid to view same certificate it show some IT or local certificate .
As earier my website ssl certificate is secure and working.
Kindly suggest for same .
Thanks in advance.
ragunath154Cirrostratus
seems you have not used your Domain certificate under client ssl profile , check thebelow link to upload your CA domain certificate and key to bigip and followed to that you need to create client ssl profile point to your Domain certificate/key and any chain certificate.
https://my.f5.com/manage/s/article/K14620#3
once done you check your domain for any ssl issue by running test in below link
https://www.sslshopper.com/ssl-checker.html
- vishu_chavan
Thanks for adivise .
Now i can access website only through Doamin name but not by Ip address.
All setting sucessfully applied and working .Thanks all
But just i need some information on iRule
As per now i have to create separate iRule for every virual server pool .
Ist possbile to have single iRule which can be applied for all virtual server . bcoz there is Limit of space size for iRule.
my current iRule
when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
"www.domian.com"
{
return
}
default {
reject
}
}
}- ragunath154
hope you have multiple domains mapped to each virtual and need to restrict to request with domain not IP based with a single irule.
for this you can use the irule with datagroup , where datagroup have list of domains
eg:
when HTTP_REQUEST {
set domain [HTTP::host]if {![class match $domain equals mydomain-DG} {
HTTP::respond 403 "Forbidden"
drop
}
}as per this irule if the request doest match the domain in mydomain-DG datagroup then it will be de dorped. ,
you need to create a datagroup named mydomain-DG and the you domains