
Block Referers By Path or File Type

Problem this snippet solves:

Based on the Block Referal Requests iRule here.

How to use this snippet:

Now with some more configuration parameters:

Code :

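# Configurable parameters for the check_referers iRule below. These are
# plain Tcl global variables; the rule reads them at request time.

# 0=disable checking paths
# 1=check referer if requested URL is in "referer_check_paths" (default allow)
# 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
set ::setting_check_paths 1

# 0=exact match for path check
# 1=starts_with match of path check
set ::setting_path_check_starts_with 1

# 0=disable filetype checking
# 1=enable filetype checking
set ::setting_check_filetypes 0

# Set appropriate URL to send the user to.
# The value must be a plain URL string; the original page had it wrapped in
# stray markdown link brackets, which would have been sent verbatim in the
# Location header.
set ::error_url "http://www.example.com/crosslink_not_allowed.html"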

class referer_check_paths {
  "/secure/"
  "/admin/"
  "/authenticated/"
}
class referer_check_filetypes {
  ".gif"
  ".jpg"
  ".jpeg"
  ".bmp"
  ".png"
}
class referer_allowed_hosts {
  "wwwa.example.com"
  "wwwb.example.com"
  "wwwc.example.com"
}

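rule check_referers {
when RULE_INIT {

 # 0=disable checking paths
 # 1=check referer if requested URL is in "referer_check_paths" (default allow)
 # 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
 set ::setting_check_paths 1

 # 0=exact match for path check
 # 1=starts_with match of path check
 set ::setting_path_check_starts_with 1

 # 0=disable filetype checking
 # 1=enable filetype checking
 set ::setting_check_filetypes 0

 # Set appropriate URL to send the user to
 set ::error_url "http://company.com/crosslink_not_allowed.html"

 ### END OF CONFIGURABLE PARAMETERS ###

 # Operator used for the path data-group lookup in HTTP_REQUEST, derived
 # from the setting above.
 # NOTE(review): "::" globals are shared by every connection; on releases
 # that offer the static:: namespace that is the usual choice for read-only
 # settings - confirm for the target BIG-IP version before changing.
 if { $::setting_path_check_starts_with == 1 } {
    set ::match_with "starts_with"
 } else {
    set ::match_with "equals"
 }
}

when HTTP_REQUEST {
 # Decide whether this request is subject to the Referer check.
 # error == 1 means "the Referer must be validated", 0 means "let it through".
 # The three tests are mutually exclusive, so an elseif chain replaces the
 # repeated "$error == 0 &&" guards of the original.
 set error 0

 if { $::setting_check_filetypes == 1 &&
     [matchclass [HTTP::path] ends_with referer_check_filetypes] } {
    # Requested file type is one we protect from cross-linking.
    set error 1
 } elseif { $::setting_check_paths == 1 &&
     [matchclass [HTTP::path] $::match_with referer_check_paths] } {
    # Mode 1: only listed paths require a Referer (default allow).
    set error 1
 } elseif { $::setting_check_paths == 2 &&
     ( not [matchclass [HTTP::path] $::match_with referer_check_paths] ) } {
    # Mode 2: everything except listed paths requires a Referer (default deny).
    set error 1
 }

 # NOTE(review): both lookups compare the path as sent; if the backend treats
 # paths case-insensitively, a differently-cased path would skip the check -
 # verify against the origin server before relying on this.

 if { $error == 0 } {
    return
 }

 # The Referer header is supplied by the client and is trivially omitted or
 # forged, so this check only raises the bar for casual cross-linking; it is
 # not an authentication boundary for the protected paths.
 # A missing or unparsable Referer yields "" and is treated as a bypass.
 # Compare the host exactly: the original "contains" operator would also
 # accept any host that merely embeds an allowed name as a substring.
 set refer_host [string tolower [URI::host [HTTP::header Referer]]]
 if { $refer_host ne "" && [matchclass $refer_host equals referer_allowed_hosts] } {
    return
 }

 # Log the rejected request. $refer_host is client-controlled data; it is
 # written as-is, so downstream log parsers should not trust its contents.
 set info "  NOTICE: Entry point bypass detected from host: $refer_host"
 append info " client { [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] }"
 append info " ethernet { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop] 0 16] tag [LINK::vlan_id] qos [LINK::qos] }"
 append info " - [HTTP::version] - REDIR [HTTP::is_redirect], Content-Length [HTTP::header Content-Length], Transfer-Encoding [HTTP::header Transfer-Encoding]"
 append info " *TCP MSS([TCP::mss]) BW([TCP::bandwidth]) RTT([TCP::rtt]) OFFSET([TCP::offset])"
 append info " *IP TOS [IP::tos], HOPS [IP::hops], TTL [IP::ttl]"
 append info " *HTTP HOST [HTTP::host], KEEPALIVE [HTTP::is_keepalive], REQ_NUM [HTTP::request_num]"
 log local0. $info
 # Set cache control headers on the redirect to prevent proxies from caching the response.
 HTTP::respond 302 "Location" $::error_url Cache-Control No-Cache Pragma No-Cache
}
}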
Published Mar 16, 2015
Version 1.0