Forum Discussion
Pawel_1533
Nimbostratus
Jun 04, 2008
URL check in Forwarding IP VS
Hi All,
I'm looking for a way to give servers behind the F5 access to the external resources (Internet). Those servers currently run as pool members serving HTTP services. I've created a new Forwarding IP virtual server so they initiate outgoing connections. However, I'd like to limit that access to certain URLs like google.com or some other RSS feeds. Is it possible to limit it somehow using iRules or other BigIP functionality? I cannot achieve the same using firewall's rules as URLs usually convert to many (and changing from time to time) IPs.
Regards,
Pawel
2 Replies
- hoolio
Cirrostratus
Hi Pawel,
If you want to parse the HTTP content from the outbound requests, you'd need to apply an HTTP profile to the VIP. It would probably be easiest to create a second wildcard VIP (destination: 0.0.0.0, mask 0.0.0.0) on port 80 only with a type of 'standard' and then use a rule to parse the HTTP host and/or URI to make decisions about whether to allow the connection to continue. You'd want to disable address translation on the VIP and either forward the traffic from the iRule or set the pool to one containing the BIG-IP's default gateway. This wouldn't work if the connection was encrypted (HTTPS) as you couldn't decrypt the requests to arbitrary hosts.

The rule could reference a class (called a datagroup in the GUI) named allowed_http_hosts:

    class allowed_http_hosts {
       "google.com"
       "example.com"
    }

    when HTTP_REQUEST {

       # Check if requested host is allowed
       if {[matchclass [string tolower [HTTP::host]] contains $::allowed_http_hosts]} {

          log local0. "[IP::client_addr]:[TCP::client_port] allowed request to [HTTP::host][HTTP::uri]"
          forward

       } else {

          log local0. "[IP::client_addr]:[TCP::client_port] rejected request to [HTTP::host][HTTP::uri]"
          reject
       }
    }

Aaron
- Pawel_1533
Nimbostratus
It works fine. Thanks a lot Aaron.
Regards,
Pawel
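
Added example, not part of the original thread or F5's own code: a stricter variant of the rule above that strips the port from the Host header and matches on a domain-label boundary instead of with `contains`, so a host name that merely contains "google.com" somewhere in it is not allowed. It assumes BIG-IP v10 or later (for `class match`) and a hypothetical string data group named allowed_http_suffixes.

```tcl
# Added example (not from the thread). Assumes BIG-IP v10+ for "class match"
# and a hypothetical string data group named allowed_http_suffixes whose
# entries each start with a dot:
#   ".google.com"
#   ".example.com"
when HTTP_REQUEST {

   # The Host header may carry a port ("google.com:80"); keep only the
   # name and lower-case it before comparing.
   set host [string tolower [getfield [HTTP::host] ":" 1]]

   # A trailing dot ("google.com.") names the same host; strip it.
   set host [string trimright $host "."]

   # Fail closed when no usable Host header was sent.
   if { $host eq "" } {
      log local0. "[IP::client_addr]:[TCP::client_port] rejected request with empty Host header"
      reject
      return
   }

   # Prefix a dot so the suffix comparison falls on a label boundary:
   #   ".google.com"      ends with ".google.com"   -> allowed
   #   ".www.google.com"  ends with ".google.com"   -> allowed
   #   ".notgoogle.com"   does not                  -> rejected
   #   ".google.com.test" does not                  -> rejected
   if { [class match ".$host" ends_with allowed_http_suffixes] } {

      log local0. "[IP::client_addr]:[TCP::client_port] allowed request to $host[HTTP::uri]"
      forward

   } else {

      log local0. "[IP::client_addr]:[TCP::client_port] rejected request to $host[HTTP::uri]"
      reject
   }
}
```

The decision is still based on the Host header the server sends, while the wildcard VIP forwards to whatever destination IP the server chose, so this constrains ordinary HTTP clients rather than binding the destination address to the name.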
