
IRule and Datagroup to allow the HTTP Referer with only specific values

Thiyagu
Altocumulus

Hello All,

Wish you all a very happy new year. I'm working on an iRule with a data group to allow the HTTP Referer with only specific values. Below is the iRule I have tried, and for some reason I'm always getting a 400 error.

Could you please suggest what needs to be done to match the HTTP Referer value with a data group?

=========================================================================
when HTTP_REQUEST {
    # Host portion of the Referer URL
    set referer_host [URI::host [HTTP::header value Referer]]
    if { [HTTP::header exists "Referer"] } {
        if { [matchclass $referer_host contains HTTP_REFERER_ALLOWED_LIST] } {
            # Match: let the request through
        } else {
            HTTP::respond 400 content "Bad Request" Content-Type "text/html"
        }
    }
}
========================================================================

==========Data Group==============
ltm data-group internal HTTP_REFERER_ALLOWED_LIST {
    partition Staging_CC
    records {
        ABC {
            data .abc.com
        }
        XYZ {
            data .xyz.com
        }
    }
    type string
}
===========================================================================

Thanks a lot in advance.

Regards,

Thiyagu

1 REPLY

Hi  ,

I see 3 things here:

  1. Not all requests would have the Referer header, so you have to define your logic properly, which I see you covered with the 1st if logic.
  2. You are using matchclass, which I think was used on the version 10.x series. It's deprecated. You have to start using class match options in your iRule. It's not that matchclass would not work, but just saying to follow the best practices.
  3. Datagroups are key/value pairs. You have to look up the key (which is the record), not the other way around. Because when I see your datagroup, I see you have put the URLs in values and records as ABC, XYZ. Hope you are not confused that lookups are done on values as well. Also the validations are all case-sensitive.

So when the iRule executes, as per your logic, it will collect the referer, let's say referer_host is set with abc.com. Then this is checked against your datagroup, but all your records are in upper case (ABC, XYZ). So nothing will match even with contains. It's a good practice to always perform string tolower, but all host values are often in lowercase, so you have to change your datagroup to lowercase.

Hope this helps. Keep us posted.
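
One way to apply the three points from the reply, as an added example that is not code from either poster: it assumes the data group HTTP_REFERER_ALLOWED_LIST is rebuilt so that the record names (keys) are the lowercase suffixes .abc.com and .xyz.com, and that the iRule can resolve the data group by that name (use /Staging_CC/HTTP_REFERER_ALLOWED_LIST if the iRule lives in another partition). The dot-prefix with ends_with is a choice made here, not something the thread prescribes.

```tcl
# Added example. Assumed data group keys (lowercase record names): .abc.com  .xyz.com
when HTTP_REQUEST {
    # Requests without a Referer pass through, as in the original rule.
    if { ![HTTP::header exists "Referer"] } {
        return
    }

    # Host part of the Referer URL, lowercased because class match is case-sensitive.
    set referer_host [string tolower [URI::host [HTTP::header value "Referer"]]]

    # Prefix a dot so "abc.com" and "www.abc.com" both end with the key ".abc.com",
    # while "notabc.com" does not. ends_with is stricter than contains, which would
    # also accept a host that only embeds ".abc.com" somewhere in the middle.
    if { ![class match ".$referer_host" ends_with HTTP_REFERER_ALLOWED_LIST] } {
        log local0. "Referer host not allowed: $referer_host from [IP::client_addr]"
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
    }
}
```

A Referer whose host cannot be parsed yields an empty referer_host, which matches no key and is answered with the 400.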