Forum Discussion

Joe_Pipitone
Sep 09, 2013

Blocking file type by referrer - redirecting afterwards

I found a great script on DevCentral that allows us to prevent people from obtaining PDFs from our sites unless they are referred by one of our domains. The script integrated nicely with some custom data groups.

The issue we are having is that I'm not able to redirect users using HTTP::host to our custom 404 page, which is just located at http://domain.com/404.aspx. The iRule doesn't want to save once I change the static redirect to use [HTTP::host].

Can anyone point me in the right direction? I've used HTTP::host and HTTP::uri on several occasions. The code is here:

 


when RULE_INIT {
    # 0=disable checking paths
    # 1=check referer if requested URL is in "referer_check_paths" (default allow)
    # 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
    set ::setting_check_paths 0
    # 0=exact match for path check
    # 1=starts_with match of path check
    set ::setting_path_check_starts_with 0
    # 0=disable filetype checking
    # 1=enable filetype checking
    set ::setting_check_filetypes 1
    # Set appropriate URL to send the user to
    # This is where the error occurs, will not save
    set ::error_url "[HTTP::host]/404.aspx"
    # END OF CONFIGURABLE PARAMETERS
    if { $::setting_path_check_starts_with == 1 } {
        set ::match_with "starts_with"
        return
    }
    set ::match_with "equals"
}
when HTTP_REQUEST {
    set error 0
    if { $error == 0 && $::setting_check_filetypes == 1 &&
         [matchclass [HTTP::path] ends_with referer_check_filetypes] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 1 &&
         [matchclass [HTTP::path] $::match_with referer_check_paths] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 2 &&
         ( not [matchclass [HTTP::path] $::match_with referer_check_paths] ) } {
        set error 1
    }
    if { $error == 0 } {
        return
    }
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { $refer_host ne "" && [matchclass $refer_host contains referer_allowed_hosts] } {
        return
    }
    set info "  NOTICE: Entry point bypass detected from host: $refer_host"
    append info " client { [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] }"
    append info " ethernet { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop] 0 16] tag [LINK::vlan_id] qos [LINK::qos] }"
    append info " - [HTTP::version] - REDIR [HTTP::is_redirect], Content-Length [HTTP::header Content-Length], Transfer-Encoding [HTTP::header Transfer-Encoding]"
    append info " *TCP MSS([TCP::mss]) BW([TCP::bandwidth]) RTT([TCP::rtt]) OFFSET([TCP::offset])"
    append info " *IP TOS [IP::tos], HOPS [IP::hops], TTL [IP::ttl]"
    append info " *HTTP HOST [HTTP::host], KEEPALIVE [HTTP::is_keepalive], REQ_NUM [HTTP::request_num]"
    log local0. $info
    # Set cache control headers on the redirect to prevent proxies from caching the response.
    HTTP::respond 302 "Location" $::error_url Cache-Control No-Cache Pragma No-Cache
}

 

6 Replies

  • Hi Joe,

    You should be able to escape the []'s in the variable and then use subst to substitute the command with the command value.

    Also, change all the variables you set in RULE_INIT to static:: to preserve CMP compatibility.

    http://www.tcl.tk/man/tcl8.4/TclCmd/subst.htm
    https://devcentral.f5.com/wiki/iRules.CMPCompatibility.ashx

     

    when RULE_INIT {
       ...
       set static::error_url {http://[HTTP::host]/404.aspx}
       ...
    }
    when HTTP_REQUEST {
       ...
       HTTP::respond 302 "Location" [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
       ...
    }
    

     

    Aaron

  • Strange - when testing, my browser is getting redirected to http://[http::host]/404.aspx

     

  • Try this:

     

    when RULE_INIT {
        set static::error_url {http://[HTTP::host]/404.aspx}
    }
    when HTTP_REQUEST {
        set static::error_url {http://[HTTP::host]/404.aspx}
        HTTP::respond 302 Location [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
    }
    

     

    Just took the curly braces out of the subst statement.

  • Does anyone know if using this iRule will allow us to allow a blank referrer using referer_allowed_hosts? We have some email blasts that go through where people are clicking on links from emails, and they're being blocked as they are coming from a host that isn't allowed (my personal Outlook email for instance).

     

    I tried adding "" to the data group to simulate an empty referrer, but no luck.

     

    The script I am referring to is here:

     

    https://devcentral.f5.com/wiki/irules.BlockReferersByPathorFiletype.ashx

     

    • Joe_Pipitone
      I think we got this one! Although it's probably a bit messy, it works. It's blocking what it needs to, and is allowing links direct to PDFs in emails to be opened!

      if { $refer_host == "" || [matchclass $refer_host contains referer_allowed_hosts] } {
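
An added example, not part of any post in this thread and not F5's own code: the points the replies arrive at (static:: variables, building the redirect at request time, allowing an empty referer) combined in one iRule. It assumes the data groups referer_check_filetypes and referer_allowed_hosts from the original post hold lowercase entries, uses class match (the v10+ form of matchclass), and matches the referer host with equals rather than contains, which is a stricter choice than the thread's.

```tcl
when RULE_INIT {
    # static:: variables keep the iRule CMP-compatible. Only constants belong
    # here: RULE_INIT runs when the rule is loaded, with no HTTP request in
    # scope, so HTTP::host cannot be called in this event.
    set static::check_filetypes 1
    set static::error_path "/404.aspx"
}

when HTTP_REQUEST {
    # Requests for file types outside the data group are not checked.
    # Lower-casing the path makes "report.PDF" match a ".pdf" entry
    # (assumes the data group entries are lowercase).
    if { $static::check_filetypes != 1 ||
         !([class match [string tolower [HTTP::path]] ends_with referer_check_filetypes]) } {
        return
    }

    set refer_host [string tolower [URI::host [HTTP::header Referer]]]

    # An empty referer (link opened from an e-mail client, typed URL) is
    # allowed, matching the behaviour in the last reply.
    if { $refer_host eq "" } {
        return
    }

    # "equals" requires the whole host name to be listed in the data group;
    # "contains" also accepts any host that merely has an allowed name
    # somewhere inside it.
    if { [class match $refer_host equals referer_allowed_hosts] } {
        return
    }

    log local0.notice "Referer check failed: referer host $refer_host, path [HTTP::path], client [IP::client_addr]"

    # The Location value is built per request, so HTTP::host is valid here
    # and no subst call is needed.
    HTTP::respond 302 Location "http://[HTTP::host]$static::error_path" Cache-Control No-Cache Pragma No-Cache
}
```

The Referer header is set by the client, so this check limits casual deep-linking to the files and is not an access control.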