Limit_ Access_to_ Akamai_ Origin

Problem this snippet solves:

For environments leveraging Akamai's Dynamic Site Accelerator, this rule limits origin access to traffic coming through Akamai. When Akamai sends traffic to a site's origin, it inserts a header named "True-Client-IP" which contains the original requester's IP address. This rule checks to see if a user 1) has the True-Client-IP header, 2) has an IP address that matches a data group called whitelist which could be used for customers who want to test their site without going through Akamai, and 3) is trying to get to Akamai's SureRoute test object.

If none of those conditions are met, this rule sends a HTTP - 403 Unauthorized back to the user. This can be replaced by "discard" or "reject," depending on a user's needs. By utilizing this rule, an administrator ensures customers are going through Akamai for their content and thus ensuring all users get the same experience.

Code :

when HTTP_REQUEST {
    if { not ([HTTP::header exists "True-Client-IP"] or [class match [IP::client_addr] eq whitelist] or [HTTP::uri] eq /akamai-sureroute-test-object)} {
      HTTP::respond 403 } }
Published Mar 18, 2015
Version 1.0

Was this article helpful?

No CommentsBe the first to comment