Forum Discussion
Blocking file type by referrer - redirecting afterwards
I found a great script on DevCentral that allows us to prevent people from obtaining PDFs from our sites unless they are referred by one of our domains. The script integrated nicely with some custom data groups.
The issue we are having is that I'm not able to redirect users using HTTP::host to our custom 404 page, which is just located at http://domain.com/404.aspx. The iRule doesn't want to save once I change the static redirect to use [HTTP::host].
Can anyone point me in the right direction? I've used HTTP::host and HTTP::uri on several occasions. The code is here:
when RULE_INIT {
    # 0=disable checking paths
    # 1=check referer if requested URL is in "referer_check_paths" (default allow)
    # 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
    set ::setting_check_paths 0

    # 0=exact match for path check
    # 1=starts_with match of path check
    set ::setting_path_check_starts_with 0

    # 0=disable filetype checking
    # 1=enable filetype checking
    set ::setting_check_filetypes 1

    # Set appropriate URL to send the user to
    # This is where the error occurs, will not save
    set ::error_url "[HTTP::host]/404.aspx"

    # END OF CONFIGURABLE PARAMETERS

    if { $::setting_path_check_starts_with == 1 } {
        set ::match_with "starts_with"
        return
    }
    set ::match_with "equals"
}
when HTTP_REQUEST {
    set error 0
    if { $error == 0 && $::setting_check_filetypes == 1 &&
         [matchclass [HTTP::path] ends_with referer_check_filetypes] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 1 &&
         [matchclass [HTTP::path] $::match_with referer_check_paths] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 2 &&
         ( not [matchclass [HTTP::path] $::match_with referer_check_paths] ) } {
        set error 1
    }
    if { $error == 0 } {
        return
    }
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { $refer_host ne "" && [matchclass $refer_host contains referer_allowed_hosts] } {
        return
    }
    set info " NOTICE: Entry point bypass detected from host: $refer_host"
    append info " client { [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] }"
    append info " ethernet { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop] 0 16] tag [LINK::vlan_id] qos [LINK::qos] }"
    append info " - [HTTP::version] - REDIR [HTTP::is_redirect], Content-Length [HTTP::header Content-Length], Transfer-Encoding [HTTP::header Transfer-Encoding]"
    append info " *TCP MSS([TCP::mss]) BW([TCP::bandwidth]) RTT([TCP::rtt]) OFFSET([TCP::offset])"
    append info " *IP TOS [IP::tos], HOPS [IP::hops], TTL [IP::ttl]"
    append info " *HTTP HOST [HTTP::host], KEEPALIVE [HTTP::is_keepalive], REQ_NUM [HTTP::request_num]"
    log local0. $info
    # Set cache control headers on the redirect to prevent proxies from caching the response.
    HTTP::respond 302 "Location" $::error_url Cache-Control No-Cache Pragma No-Cache
}
6 Replies
- hoolio
Cirrostratus
Hi Joe,
You should be able to escape the []'s in the variable and then use subst to substitute the command with the command value.
Also, change all the variables you set in RULE_INIT to static:: to preserve CMP compatibility.
http://www.tcl.tk/man/tcl8.4/TclCmd/subst.htm
https://devcentral.f5.com/wiki/iRules.CMPCompatibility.ashx
when RULE_INIT {
    ...
    set static::error_url {http://[HTTP::host]/404.aspx}
    ...
}
when HTTP_REQUEST {
    ...
    HTTP::respond 302 "Location" [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
    ...
}
Aaron
- Joe_Pipitone
Nimbostratus
Excellent hoolio! Let me give this a try. Thank you
- Joe_Pipitone
Nimbostratus
Strange - when testing, my browser is getting redirected to http://[http::host]/404.aspx
- Kevin_Stewart
Employee
Try this:
when RULE_INIT {
    set static::error_url {http://[HTTP::host]/404.aspx}
}
when HTTP_REQUEST {
    set static::error_url {http://[HTTP::host]/404.aspx}
    HTTP::respond 302 Location [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
}
Just took the curly braces out of the subst statement.
- Joe_Pipitone
Nimbostratus
Does anyone know if using this iRule will allow us to allow a blank referrer using referer_allowed_hosts? We have some email blasts that go through where people are clicking on links from emails, and they're being blocked as they are coming from a host that isn't allowed (my personal Outlook email, for instance).
I tried adding "" to the data group to simulate an empty referrer, but no luck.
The script I am referring to is here:
https://devcentral.f5.com/wiki/irules.BlockReferersByPathorFiletype.ashx
- Joe_Pipitone
Nimbostratus
I think we got this one! Although it's probably a bit messy, it works. It's blocking what it needs to, and is allowing links direct to PDFs in emails to be opened!
if { $refer_host == "" || [matchclass $refer_host contains referer_allowed_hosts] } {
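
The thread's fixes combined into one request-time check, as an added example that is not from any post above or from the DevCentral wiki rule: the per-request `[HTTP::host]` redirect, the blank-Referer allowance, and exact host matching in place of `contains`. It assumes `class match` is available (v10 and later), that `referer_allowed_hosts` lists full host names including the site's own, and it uses `domain.com` from the question as the fallback host.

```tcl
when RULE_INIT {
    # static:: variables keep the rule CMP compatible.
    # domain.com is the placeholder host from the question (assumption).
    set static::default_host "domain.com"
    set static::error_path "/404.aspx"
}

when HTTP_REQUEST {
    # Only requests for protected file types are subject to the Referer check.
    if { not [class match [string tolower [HTTP::path]] ends_with referer_check_filetypes] } {
        return
    }

    # A blank Referer is allowed so links opened from e-mail clients still work.
    # The header is client-supplied, so this rule deters hotlinking; it is not
    # an access control for the files themselves.
    set referer [HTTP::header value Referer]
    if { $referer eq "" } {
        return
    }

    # "equals" instead of "contains": contains is a substring match, so any
    # referring host whose name merely includes an allowed name would pass.
    set refer_host [string tolower [URI::host $referer]]
    if { [class match $refer_host equals referer_allowed_hosts] } {
        return
    }

    # Host is a request header too. Echo it into Location only when it names
    # one of our sites; otherwise fall back to the fixed default host.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { not [class match $host equals referer_allowed_hosts] } {
        set host $static::default_host
    }

    log local0.info "Referer check failed: referer_host=$refer_host path=[HTTP::path] client=[IP::client_addr]"

    # Cache-control headers keep proxies from caching the redirect.
    HTTP::respond 302 Location "http://${host}${static::error_path}" Cache-Control No-Cache Pragma No-Cache
}
```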