Forum Discussion
dexthor_22173
Nimbostratus
May 16, 2011
Skip rewriting of External URLs
I am new to F5 iRules, so please bear with me.
Situation:
0. Assume my domain is homedomain.com.
1. An Extranet of several existing applications and Portal pages.
2. Some of the links on the Applications & Portals point to our partner sites (partner1.com; partner2.com).
My requirement:
When the user clicks on the partner link, currently F5 is rewriting it to proxy the external links.
My need is to skip/bypass rewriting of any URLs that do not belong to homedomain.com.
Also, I would like to define a "white list of trusted partners" and block all others (For example: to avoid phishing).
How can I achieve that using iRules?
Many thanks
Dexthor.
2 Replies
- The_Bhattman
Nimbostratus
Hi Dexthor,
I believe you can.
I think you might want to take a look at the following wiki section for STREAM::expression. The 4th and 5th examples depict pretty closely what you want to get started.
Click Here
In regards to drawing up a white list, you should read the following forum thread that uses datagroups within the STREAM expression:
Click Here
Combining these 2 pieces of information should get close to what you are looking for.
You can always post details about the current method you are using to rewrite the links. That would help us in the forums to be a bit more specific.
Bhattman
- hoolio
Cirrostratus
As Bhattman said, I think the last example is closest for doing validation of the links. If you provide more exact (but anonymized) examples of the response content you do and don't want to rewrite, we can give you more specific ideas on how to implement it. You could potentially have a whitelist of domains in a string datagroup and then use the class command to check the domains in the STREAM_MATCHED event:

From: http://devcentral.f5.com/Wiki/default.aspx/iRules/STREAM__expression

```tcl
when HTTP_REQUEST {
    # Disable the stream filter for all requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Check if response type is text
    if {[HTTP::header value Content-Type] contains "text"} {
        # Match an http://*example.com string and replace it with nothing yet
        STREAM::expression {&http://.*?example\.com&&}
        # Enable the stream filter for this response only
        STREAM::enable
    }
}
when STREAM_MATCHED {
    # Check if the matched string meets some condition that can't easily be
    # checked for using a single regex in STREAM::expression.
    # The match always begins with "http://", so the scheme is part of the prefix.
    if {[STREAM::match] starts_with "http://host1"} {
        # Replace http:// with https:// and do the replacement
        STREAM::replace "[string map {http:// https://} [STREAM::match]]"
        log local0. "[IP::client_addr]:[TCP::local_port]: matched: [STREAM::match], replaced with: [string map {http:// https://} [STREAM::match]]"
    }
}
```
http://devcentral.f5.com/Wiki/default.aspx/iRules/class
Aaron
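The whitelist idea from the replies above, written out as an added example that is not part of either post or of the F5 wiki: link hosts are checked on a label boundary so that a look-alike such as evilpartner1.com does not pass as partner1.com. The data group name `trusted_partner_suffixes`, its leading-dot entry format and the `#blocked-external-link` replacement are assumptions made for illustration.

```tcl
# Added example. Assumed (not from the thread): a string data group named
# trusted_partner_suffixes whose entries carry a leading dot, for example
# ".partner1.com" and ".partner2.com".
when HTTP_REQUEST {
    # The stream filter stays off for requests
    STREAM::disable
}
when HTTP_RESPONSE {
    if {[HTTP::header value Content-Type] contains "text"} {
        # Match scheme plus authority of each absolute link; the decision is
        # made per match in STREAM_MATCHED. "@" and ":" are in the class so
        # that userinfo and port are inside the match instead of trailing it.
        STREAM::expression {&https?://[A-Za-z0-9.@:-]+&&}
        STREAM::enable
    }
}
when STREAM_MATCHED {
    set m [STREAM::match]
    # Authority = everything after "://", lower-cased for comparison
    set authority [string tolower [string range $m [expr {[string first "://" $m] + 3}] end]]
    # Drop a port if present and prefix a dot, so suffix tests only succeed on
    # a label boundary (".evilpartner1.com" does not end with ".partner1.com")
    set host ".[lindex [split $authority ":"] 0]"

    if {$authority contains "@"} {
        # userinfo form such as http://partner1.com@other.example : never trusted
        set allowed 0
    } elseif {$host ends_with ".homedomain.com"} {
        # Our own domain and its subdomains
        set allowed 1
    } else {
        # Partner whitelist lookup against the assumed data group
        set allowed [class match $host ends_with trusted_partner_suffixes]
    }

    if {$allowed} {
        # Put the matched text back unchanged
        STREAM::replace $m
    } else {
        # Neutralise the link target; the replacement text is a placeholder
        STREAM::replace "#blocked-external-link"
        log local0. "[IP::client_addr]: blocked link to $authority"
    }
}
```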
