For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

vishu_chavan's avatar
vishu_chavan
Icon for Altocumulus rankAltocumulus
Aug 28, 2023
Solved

Restricting access to a virtual server by Public IP address should access through only domain name.

    We had Published  website on F5 with Domain name ,now created domain is aviable in public ,but publish website is also accessible  with ip address in public domain.( we have created server pool...
security
  • ragunath154's avatar
    ragunath154
    Aug 29, 2023

    seems you have not used your Domain certificate under client ssl profile , check thebelow link to upload your CA domain certificate and key to bigip and followed to that you need to create client ssl profile point to your Domain certificate/key and any chain certificate.

    https://my.f5.com/manage/s/article/K14620#3

    once done you check your domain for any ssl issue by running test in below link

    https://www.sslshopper.com/ssl-checker.html

     

vishu_chavan's avatar
vishu_chavan
Icon for Altocumulus rankAltocumulus
Aug 28, 2023

Hi  F5-Enthusiast 

Thanks for your reply .Tried your solutions 

I applied  Client SSL / Server SSL profile & HTTP profile on website and added iRule for website 

iRule script below 

when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
"www.domian.com"
{
return
}
default {
reject
}
}
}

All Setting Successfully applied .Now i can access website with only domain name ,BUT while accessing website with domain its show my ssl certificate is expired .Treid to view same certificate it show some IT or local certificate .

As earier my website ssl certificate is  secure and working.

Kindly suggest for same .

Thanks in advance.

ragunath154's avatar
ragunath154
Icon for Cirrostratus rankCirrostratus
Aug 29, 2023

seems you have not used your Domain certificate under client ssl profile , check thebelow link to upload your CA domain certificate and key to bigip and followed to that you need to create client ssl profile point to your Domain certificate/key and any chain certificate.

https://my.f5.com/manage/s/article/K14620#3

once done you check your domain for any ssl issue by running test in below link

https://www.sslshopper.com/ssl-checker.html

 

  • vishu_chavan's avatar
    vishu_chavan
    Icon for Altocumulus rankAltocumulus
    Aug 31, 2023

    Thanks for adivise .

    Now i can access website only through Doamin name but not by Ip address.

    All setting sucessfully applied and working .Thanks all

    But just i need some information on iRule

    As per now i have to create separate iRule for every virual server pool .

    Ist possbile to have single iRule which can be applied  for all virtual server . bcoz there is Limit of space size for iRule.

    my current iRule 

    when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
    "www.domian.com"
    {
    return
    }
    default {
    reject
    }
    }
    }

     

    • ragunath154's avatar
      ragunath154
      Icon for Cirrostratus rankCirrostratus
      Sep 01, 2023

      hope you have multiple domains mapped to each virtual and need to restrict to request with domain not IP based with a single irule.

      for this you can use the irule with datagroup , where datagroup have list of domains

      eg:

      when HTTP_REQUEST {
      set domain [HTTP::host]

      if {![class match $domain equals mydomain-DG} {
      HTTP::respond 403 "Forbidden"
      drop
      }
      }

      as per this irule if the request doest match the domain in mydomain-DG datagroup then it will be de dorped. ,
      you need to create a datagroup named mydomain-DG and the you domains

      • vishu_chavan's avatar
        vishu_chavan
        Icon for Altocumulus rankAltocumulus
        Sep 01, 2023

        Hi all

        Thanks to all for reply 

        Now my webiste is up and working with domain name , but after making virtual server for Domain

        i am getting incoming interface IP address instead of original Public source ip address in logs for virtual server in firewall which is placed below F5 ( i can see orginal Public source ip address in F5 logs but not in Firewall ) 

        Traffic Flow 

        Public Network-------------->F5--------------------->FIREWALL 

        I am use SNAT for Published Domain.

        Is there any setting in Virtual pool /Server ,where i can get orginal public address in F5 and Firewall  logs.