Tosin_Omojola
Oct 21, 2016

Grant Access To Users Based on Referer Header Value

I want to grant access to users based on a referrer value and to redirect them to login if the referrer is invalid. This is not meant to be a security fix, though; it is just to ensure users access the application FROM the company portal, which they must log in to. According to the config below:

    when HTTP_REQUEST {
        switch -glob [HTTP::header "Referer"] {
            "http://click.bank.com/dashboard.php" {
                # Coming from the right page. Allow Request to go through...
                if { [string tolower [HTTP::uri]] ends_with "/eod" } {
                    pool BankAppPool member 10.10.1.51 8888
                    log local0. "Requested path - admin sent to App1"
                    log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
                    # Relative redirect left disabled: only one HTTP::redirect may run per request
                    # HTTP::redirect "/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
                    HTTP::redirect "http://10.10.1.51:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
                } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
                    log local0. "Requested path - distribute Round robin"
                    HTTP::redirect "http://pam.bank.com:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.57:9001/banks"
                    log local0. "Requested path - banks"
                }
            }
            "" {
                # redirect to login page
                HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
            }
            default {
                # redirect to login page
                HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
            }
        }
    }

The redirect is working fine as defined, but the application accepting the request for valid navigation fails to load. It just hangs indefinitely. It works fine without the referrer-based redirect but, once the referrer check is introduced, it doesn't load. Is there something I'm missing in the iRule definition? Please help. Thank you!

3 Replies

  • You can do this much more easily with LTM Policies... they are basically these types of iRules built using the GUI.

    Try it; it will be much easier to implement. I think there might be some contention with the switch statement and then the ifs. I'd recommend using exclusive if/elseifs or trying the LTM policy.


  • You are redirecting to an IP address, 10.10.1.51. Do all clients have the route to get to this IP address?

     

  • This is the final solution that worked:

    I created another VS, 10.10.1.60 (and a subdomain that points to the IP), and added this iRule to it:

    when HTTP_REQUEST {
        # Gate: only the host part of the Referer is compared
        set referrer_host [URI::host [HTTP::header value Referer]]
        if { ($referrer_host ne "") and ($referrer_host eq "click.sbank.com") } {
            if { [string tolower [HTTP::uri]] ends_with "/eod" } {
                HTTP::redirect "http://pam.banks.com/eod"
            } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
                HTTP::redirect "http://pam.bank.com"
            }
        } else {
            # Missing or unexpected Referer: send the user to the portal login
            HTTP::redirect "http://click.bank.com/index.php?resp_id=MLG"
        }
    }
    

    Then, on the main VS hosting the resource pam.banks.com, the normal iRule remains.

    when HTTP_REQUEST {
        # No Referer check here; only the URI decides the redirect
        if { [string tolower [HTTP::uri]] ends_with "/eod" } {
            HTTP::redirect "http://10.10.1.51:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.51:9001/banks"
        } elseif { [string tolower [HTTP::uri]] ends_with "/" } {
            HTTP::redirect "http://pam.bank.com:9001/forms/frmservlet?config=ref&serveruserparams=NLS_LANG=AMERICAN_AMERICA.AR8MSWIN1256&otherparams=P_WST_LAN_IND=1+P_BANKS_APP_URL=http://10.10.1.57:9001/banks"
        }
    }
    

    That delivers the desired solution...
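
An added example, not code from the thread: a Python model of the decision logic in the iRules above, run over constructed requests, to show which requests each design sends to login. It assumes the portal host is click.bank.com as in the first post, that the application's follow-up requests reach the virtual server carrying the rule, and that a request matching no URI branch passes through to the pool.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

PORTAL_PAGE = "http://click.bank.com/dashboard.php"  # pattern in the first iRule
PORTAL_HOST = "click.bank.com"                       # assumed portal host
LOGIN = "redirect:login"

def route(uri):
    """URI branches shared by both designs."""
    path = uri.lower()
    if path.endswith("/eod"):
        return "redirect:eod"
    if path.endswith("/"):
        return "redirect:app"
    return "pass"  # assumption: no branch matched, request goes on to the pool

def original_rule(referer, uri):
    """First post: switch -glob on the whole Referer value, default -> login."""
    if fnmatchcase(referer, PORTAL_PAGE):  # no wildcards, so an exact match
        return route(uri)
    return LOGIN  # covers both the "" branch and the default branch

def gate_rule(referer, uri):
    """Final post, gate virtual server: compare only the Referer's host."""
    host = urlsplit(referer).hostname or ""
    if host == PORTAL_HOST:
        return route(uri)
    return LOGIN

def main_vs_rule(referer, uri):
    """Final post, main virtual server: no Referer check at all."""
    return route(uri)

# Constructed requests: (description, Referer header, request URI)
REQUESTS = [
    ("portal click", "http://click.bank.com/dashboard.php", "/eod"),
    ("portal click, query on Referer", "http://click.bank.com/dashboard.php?tab=1", "/eod"),
    ("app follow-up", "http://pam.bank.com:9001/forms/frmservlet", "/forms/lservlet"),
    ("no Referer", "", "/eod"),
]

def decisions():
    """Map each request to (original rule, gate VS rule, main VS rule)."""
    return {name: (original_rule(r, u), gate_rule(r, u), main_vs_rule(r, u))
            for name, r, u in REQUESTS}

if __name__ == "__main__":
    for name, (orig, gate, main) in decisions().items():
        print(f"{name:32} original={orig:15} gate={gate:15} main={main}")
```

In this model, any rule that checks the Referer sends the application's own follow-up request to login, while the main virtual server, which has no Referer check, lets it pass.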