Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Pawel_1533's avatar
Pawel_1533
Icon for Nimbostratus rankNimbostratus
Jun 04, 2008

URL check in Forwarding IP VS

Hi All,     I'm looking for a way to give servers behind the F5 access to the external resources (Internet). Those servers currently run as pool members serving HTTP services. I've created...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 04, 2008
Hi Pawel,

If you want to parse the HTTP content from the outbound requests, you'd need to apply an HTTP profile to the VIP. It would probably be easiest to create a second wildcard VIP (destination: 0.0.0.0, mask 0.0.0.0) on port 80 only with a type of 'standard' and then use a rule to parse the HTTP host and/or URI to make decisions about whether to allow the connection to continue. You'd want to disable address translation on the VIP and either forward the traffic from the iRule or set the pool to one containing the BIG-IP's default gateway. This wouldn't work if the connection was encrypted (HTTPS) as you couldn't decrypt the requests to arbitrary hosts. The rule could reference a class (called a datagroup in the GUI) named allowed_http_hosts: 

  
  class allowed_http_hosts {  
     "google.com"  
     "example.com"  
  }  
  

  
  when HTTP_REQUEST {  
      Check if requested host is allowed  
     if {[matchclass [string tolower [HTTP::host]] contains $::allowed_http_hosts]}{  
        log local0. "[IP::client_addr]:[TCP::client_port] allowed request to [HTTP::host][HTTP::uri]"  
        forward  
     } else {  
        log local0. "[IP::client_addr]:[TCP::client_port] rejected request to [HTTP::host][HTTP::uri]"  
        reject  
     }  
  }

Aaron