
Drop requests with changes in hostname.


This is the iRule of customer:

if { not ([string tolower [HTTP::host]] equals "") } {
    # Host header is not the expected hostname: answer 400
    log local0. "400 [HTTP::host]"
    HTTP::respond 400 -version auto content "Bad Request" "Content-Type" "text/html"
} elseif { not ([string tolower [HTTP::uri]] starts_with "/etest") } {
    # URI is outside /etest: answer 302
    log local0. "302 [HTTP::host] [HTTP::uri]"
    HTTP::respond 302 -version auto Location[HTTP::uri]
}

What happens now with this iRule is that all legitimate requests are being redirected to but they have other uri on the host (ex.

According to the customer what they want is when a client changes the host name to for example, the VIP should not respond with 200 OK. But requests with correct hostname will be passed with correct URI.
That is, requests with will go to or to But requests with or are dropped with a message.

This requirement is for Host Injection vulnerability.

Any advice on what to change on the above iRule?



@Alfonso_Santia2 Based on the customer request you do not have to issue the 302 redirect unless for some reason you are going from HTTP to HTTPS which doesn't seem to have been specified in the information provided above for the desired behavior. Because this was not mentioned the following iRule should do what you are expecting and it does not have a redirect because again that doesn't seem to be part of the expected behavior. If this is indeed an iRule associated to an HTTP virtual server (VS) and it needs to redirect to HTTPS we can amend the iRule accordingly. You can also adjust the logging line in the else part of the if else statement to provide other data rather than just "Is host ${host}" in the output to your log.

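when CLIENT_ACCEPTED priority 500 {
    # Remember the virtual server's default pool
    set DEFAULT_POOL [LB::server pool]
}

when HTTP_REQUEST priority 500 {
    set HOST [HTTP::host]

    if { ${HOST} != "" } {
        # Host header is not the expected hostname: reject with 400
        log local0. "400 ${HOST}"
        HTTP::respond 400 -version auto content "Bad Request" "Content-Type" "text/html"
    } else {
        # Expected hostname: send the request to the default pool
        log local0. "Is host ${HOST}"
        pool $DEFAULT_POOL
    }
}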



Thank you for your reply. We will test this during the weekend and inform you what happens. Thanks again.
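
An added example, not part of the original thread and not the customer's or the answerer's iRule: a Host header allowlist that also covers cases the rules above do not handle (a :port suffix, mixed case, a trailing dot, duplicate Host headers). The hostnames www.example.com and example.com are placeholders for the site's real names, and the variable name static::allowed_hosts is an assumption.

```tcl
when RULE_INIT {
    # Placeholder hostnames (assumption): lower case, no port.
    set static::allowed_hosts {www.example.com example.com}
}

when HTTP_REQUEST priority 500 {
    # Zero or several Host headers is ambiguous: reject rather than guess
    # which one the backend would use.
    set host_count [HTTP::header count Host]
    if { $host_count != 1 } {
        log local0. "400 Host header count=$host_count client=[IP::client_addr]"
        HTTP::respond 400 -version auto content "Bad Request" "Content-Type" "text/html" "Connection" "close"
        return
    }

    # Normalise before comparing: lower case, drop an optional :port,
    # drop trailing dots. An IPv6 literal such as [::1] does not survive
    # the split on ":" and is therefore rejected, which is intended here.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set host [string trimright $host "."]

    if { [lsearch -exact $static::allowed_hosts $host] == -1 } {
        # Log a bounded copy of the client-supplied value.
        set shown [string range [HTTP::host] 0 127]
        log local0. "400 rejected Host \"$shown\" client=[IP::client_addr]"
        HTTP::respond 400 -version auto content "Bad Request" "Content-Type" "text/html" "Connection" "close"
        return
    }

    # Allowed host: no pool command is needed, the request continues
    # to the virtual server's default pool with its URI unchanged.
}
```

Because the comparison is an exact match against the normalised name, a value that merely contains or ends with an allowed hostname is still answered with 400.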