Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Block access to apps by browser. Allow only iPhone or Android accesss

Alfonso_Santia2
Altostratus
Altostratus

‎16-Jan-2021 23:42

Customer has an application that they want access only through the mobile device app.

They have recently found that the application can be accessed through any browser.

We have configured the following iRule but it is not working:

 when HTTP_REQUEST {

  if { ([HTTP::header User-Agent] contains "iphone") or ([HTTP::header User-Agent] contains "Android") } {

  HTTP::redirect http://www.oursite.com}

  if { ([HTTP::header User-Agent] contains "(IE|Mozilla|Safari|Chrome|Opera)") } {

  drop

  }

  }

 

Any ideas how to achieve this?

 

Thanks

Labels:
0 Kudos
5 REPLIES 5

Daniel_Wolf
MVP
MVP

‎18-Jan-2021 23:31 - last edited on ‎04-Jun-2023 21:06 by Fog

Hi Alfonso,

this iRule should work. However I strongly discourage the use of it. User-Agent Headers can be forged easily. Anyone who knows how to access Developer Tools in a browser can change his User-Agent string to whatever they want.

when HTTP_REQUEST {
    if {([string tolower [HTTP::header "User-Agent"]] contains "iphone") || ([string tolower [HTTP::header "User-Agent"]] contains "android") } {
        return
    } else {
        reject
    }
}
0 Kudos

Alfonso_Santia2
Altostratus
Altostratus
In response to Daniel_Wolf

‎18-Jan-2021 23:58

Hello Daniel,

 

Thanks for your reply. Will try this out but gave caution to customer as well.

What do you suggest how best to go about this requirement - allow only the access through mobile app (iPhone and Android) ?

0 Kudos

Daniel_Wolf
MVP
MVP
In response to Alfonso_Santia2

‎19-Jan-2021 01:07

Without knowing much about the app and the setup (does the customer have APM maybe?) it is difficult to provide a good answer.

Maybe client certificate validation, which can be configured in the client-side SSL profile, could be a better solution?

0 Kudos

jaikumar_f5
MVP
MVP
In response to Alfonso_Santia2

‎20-Jan-2021 08:42

I assume even with APM, its still going to check the user-agent variable & thats going to validate against if it contains "iPhone"  or "android" as such. I think WAF would have this advanced detection.

 

But if the requirement is to allow mobile users alone, then the Irule should work. Anyone who knows to tamper the header, can still get the data.

 

Is the application internal or external facing ?

0 Kudos

Nuhu_2007
Nimbostratus
Nimbostratus

‎23-Dec-2022 13:08

Hi Every One ,

We have about the Same requirement , Please update irule above works or face some problem.

 
0 Kudos
Copyright © 2023 Khoros, LLC