cancel
Showing results for 
Search instead for 
Did you mean: 

iRule Redirect with URL Masking

Xaveri
Nimbostratus
Nimbostratus

Hello,

 

Can someone please tell me if it is possible to achieve the scenario I am trying to accomplish using iRule?

 

We are currently using a SaaS-based application which has a weird URL and it is not easy to remember (e.g. https://214124124.sdsddasd.com:10020). What I am looking to achieve is that when a user enters the URL https://mytestsite, it should be able to redirect to the SaaS-based application without changing the URL in the address bar. It should stay mytestsite.

5 REPLIES 5

Hamish
Cirrocumulus
Cirrocumulus

The short answer is no... That's a big security hole if it was possible

 

H

Hamish
Cirrocumulus
Cirrocumulus

Of course if you have control over the clients browser you could disable the security and return a page with an iframe that loads the remote site... but that's not a good idea.

Xaveri
Nimbostratus
Nimbostratus

Hi Hamish. Can you explain how is that a security hole?

Hamish
Cirrocumulus
Cirrocumulus

The URL bar is the mechanism by which the user checks to make sure they're accessing the page they thought they were accessing. It should show you the actual pageURL, the certificate in use, whether that's the right cert (trusted) or not etc.

 

Mess with it at your peril.

 

Checkout these fun attacks

 

https://owasp.org/www-community/attacks/Cross_Frame_Scripting

https://owasp.org/www-community/attacks/Clickjacking

https://owasp.org/www-community/attacks/csrf

https://owasp.org/www-community/attacks/xss/

 

Anything you do to disable the security to allow you to do what you want... Is going to leave you (More) vulnerable to these and other attacks.

 

Here's why even commercial sites that make their money from redirecting don't support URL masking

 

https://www.easyredir.com/blog/why-you-should-not-use-url-masking-forwarding-cloaking/

 

Because it's just not safe...

 

Josiah_Henn
F5 Employee
F5 Employee

Do you own https://mytestsite?

 

Then, yes, you can do it, but not via a "redirect", it's done via foward proxy. Essentially https://mytestsite is your vip and https://214124124.sdsddasd.com:10020 is your pool.

 

If you application requires hostheader to be 214124124.sdsddasd.com and not mytestsite to work, then you will need to also modify the host header on the wire. This function may not be needed, it depends on your app, it is a function popularly known as "ProxyPass". You can Google "ProxyPass irule" or alternatively do it with LTM Profiles, if such functionality is required.