Block Referers By Path or File Type

Problem this snippet solves:

Based on the Block Referral Requests iRule here.

How to use this snippet:

Now with some more configuration parameters:

Code:

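# Configurable parameters for the check_referers iRule below. The same values
# are repeated inside RULE_INIT; the copy in RULE_INIT is the one the rule reads.

# 0=disable checking paths
# 1=check referer if requested URL is in "referer_check_paths" (default allow)
# 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
set ::setting_check_paths 1

# 0=exact match for path check
# 1=starts_with match of path check
set ::setting_path_check_starts_with 1

# 0=disable filetype checking
# 1=enable filetype checking
set ::setting_check_filetypes 0

# Set appropriate URL to send the user to.
# Plain double-quoted string: the original value had a stray "[" inside the
# quotes, which Tcl reads as an unterminated command substitution and fails to
# parse, so the rule never loaded with that line in place.
set ::error_url "http://www.example.com/crosslink_not_allowed.html"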

# Paths consulted when ::setting_check_paths is 1 (listed paths require an
# acceptable Referer) or 2 (every path NOT listed requires one). Compared
# against HTTP::path with "equals" or "starts_with" exactly as written, so
# case or encoding variants of these paths are not matched.
class referer_check_paths {
  "/secure/"
  "/admin/"
  "/authenticated/"
}
# File extensions that require an acceptable Referer when
# ::setting_check_filetypes is 1 (matched with ends_with against HTTP::path).
class referer_check_filetypes {
  ".gif"
  ".jpg"
  ".jpeg"
  ".bmp"
  ".png"
}
# Referer hosts that are allowed to link into the checked paths/file types.
# The rule lower-cases the Referer host before matching, so list entries in
# lower case.
class referer_allowed_hosts {
  "wwwa.example.com"
  "wwwb.example.com"
  "wwwc.example.com"
}

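rule check_referers {
# Blocks direct ("cross-link") entry into protected paths or file types: a
# request that matches the configured checks must carry a Referer whose host
# is listed in referer_allowed_hosts, otherwise it is logged and redirected to
# ::error_url. The Referer header is supplied by the client, so this is a
# deterrent against casual hot-linking/deep-linking, not an access control.
# NOTE(review): the ::-scoped globals are only written in RULE_INIT, but
# global variables in an iRule can cause CMP demotion on multi-core platforms;
# static:: variables avoid that on versions that support them - confirm for
# the target version.
when RULE_INIT {

 # 0=disable checking paths
 # 1=check referer if requested URL is in "referer_check_paths" (default allow)
 # 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
 set ::setting_check_paths 1

 # 0=exact match for path check
 # 1=starts_with match of path check
 set ::setting_path_check_starts_with 1

 # 0=disable filetype checking
 # 1=enable filetype checking
 set ::setting_check_filetypes 0

 # Set appropriate URL to send the user to
 set ::error_url "http://company.com/crosslink_not_allowed.html"

 ### END OF CONFIGURABLE PARAMETERS ###

 # matchclass operator applied to HTTP::path against referer_check_paths
 if { $::setting_path_check_starts_with == 1 } {
    set ::match_with "starts_with"
 } else {
    set ::match_with "equals"
 }
}

when HTTP_REQUEST {
 # Decide whether this request is one that must carry an acceptable Referer.
 # The three checks are mutually exclusive in effect: the first that matches
 # decides, exactly like the original "$error == 0 &&" chain.
 set needs_referer 0
 set path [HTTP::path]

 if { $::setting_check_filetypes == 1 &&
     [matchclass $path ends_with referer_check_filetypes] } {
    set needs_referer 1
 } elseif { $::setting_check_paths == 1 &&
     [matchclass $path $::match_with referer_check_paths] } {
    set needs_referer 1
 } elseif { $::setting_check_paths == 2 &&
     ( not [matchclass $path $::match_with referer_check_paths] ) } {
    set needs_referer 1
 }

 if { $needs_referer == 0 } {
    return
 }

 # Referer host must equal an entry of referer_allowed_hosts. The original
 # used "contains", which also accepted any host that merely embeds an allowed
 # name (e.g. an allowed host name followed by a further domain suffix), so
 # the allow-list could be satisfied by an unrelated host. A missing or empty
 # Referer is treated as not allowed.
 set refer_host [string tolower [URI::host [HTTP::header Referer]]]
 if { $refer_host ne "" && [matchclass $refer_host equals referer_allowed_hosts] } {
    return
 }

 # Log the denied request with connection details, then redirect.
 set info "  NOTICE: Entry point bypass detected from host: $refer_host"
 append info " client { [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] }"
 append info " ethernet { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop] 0 16] tag [LINK::vlan_id] qos [LINK::qos] }"
 append info " - [HTTP::version] - REDIR [HTTP::is_redirect], Content-Length [HTTP::header Content-Length], Transfer-Encoding [HTTP::header Transfer-Encoding]"
 append info " *TCP MSS([TCP::mss]) BW([TCP::bandwidth]) RTT([TCP::rtt]) OFFSET([TCP::offset])"
 append info " *IP TOS [IP::tos], HOPS [IP::hops], TTL [IP::ttl]"
 append info " *HTTP HOST [HTTP::host], KEEPALIVE [HTTP::is_keepalive], REQ_NUM [HTTP::request_num]"
 log local0. $info
 # Set cache control headers on the redirect to prevent proxies from caching the response.
 HTTP::respond 302 "Location" $::error_url Cache-Control No-Cache Pragma No-Cache
}
}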
Published Mar 16, 2015
Version 1.0