Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

Are you an expert?    Interested in presenting at F5 AppWorld 2024?    Submit a proposal by Nov 29th!

IRule and Datagroup to allow the HTTP Referer with only specific values

Thiyagu
Cirrus
Cirrus

‎03-Jan-2021 20:43

Hello All,

Wish you all a very happy new year. I'm working on an iRule with Datagroup to allow HTTP Referer with only specific values. Below is the irule I have tried and for some reason I'm always getting 400 error.

 

Could you please suggest what needs to be done to match the HTTP Referer value with a Data_Group ?

 

=========================================================================

when HTTP_REQUEST {

       set referer_host [URI::host [HTTP::header value Referer]]

       if { [HTTP::header exists "Referer"] }

       {

       if {[matchclass $referer_host contains HTTP_REFERER_ALLOWED_LIST]}

{

       }

       else {

           HTTP::respond 400 content "Bad Request" Content-Type "text/html"

          }

       }

            }

========================================================================

==========Data Group==============

ltm data-group internal HTTP_REFERER_ALLOWED_LIST {

   partition Staging_CC

   records {

       ABC {

           data .abc.com

       }

       XYZ {

           data .xyz.com

       }

   }

   type string

}

===========================================================================

 

Thank a lot in advance.

 

Regards,

Thiyagu

Labels:
0 Kudos
1 REPLY 1

jaikumar_f5
MVP
MVP

‎04-Jan-2021 03:23 - edited ‎21-Mar-2022 02:15

Hi  ,

 

I see 3 things here,

 

  1. Not all requests would have the referer header, so you have to define your logic properly, which I see you covered with 1st If logic.
  2. You are using matchclass which I think were used on version 10.x series. Its deprecated. You have to start using class match options in your IRule. Its not that matchclass would not work, but just saying to follow the best practices.
  3. Datagroups are key/value pairs. You have to lookup for the key (which is the record), not the other way around. Because when I see your datagroup, I see you have put the URL's in values and records as ABC, XYZ. Hope you are not confused that lookups are done on values as well. Also the validations are all case-sensitives.

 

So when the Irule executes, as per your logic, it will collect the referer, lets say referer_host is set with abc.com. Then this is checked against your datagroup, but all your records are in upper case (ABC, XYZ). So nothing will match even with contains. Its a good practice to always perform string to lower, but all host values are often on lower string, so you have to change your datagroup to lowercase.

 

Hope this helps. Keep us posted.

0 Kudos
Copyright © 2023 Khoros, LLC