Forum Discussion

sathish_2826
Jan 03, 2020

Security headers irule issue

Hi there, I have been trying to apply an iRule to block requests for a URL when the domain is other than the ones allowed in the rule below:

when HTTP_REQUEST {
  switch -glob [HTTP::header "Referer"]|[HTTP::header "Origin"]|[HTTP::header "X-Forwarded-Host"] {
    "xxxx.net" -
    "xxxx.com" {
      pool emx-pool
    }
    default {
      HTTP::respond 200 content "
<HTML>
<HEAD>
<TITLE>Rejected Request</TITLE>
</HEAD>
<BODY>The request was rejected. <BR>The server is trying to redirect the client to an external site, but it is forbidden</BODY>
</HTML>"
    }
  }
}

=========================

The issue is, even when I am part of the xxxx.net domain, I am not being sent to the default pool and keep hitting the rejected message body. Can someone review this, please?

4 Replies

  • Hi

    I do not think this switch -glob syntax is correct (with | to match any of the headers). You will probably have to use if, or to concatenate the three headers before you do your comparison, taking care of input validation as those can be altered by the client.

    If I have a few minutes this afternoon, I'll try to provide you a detailed solution.

    Yoann

  • Hopefully this does the trick 🙂

    when HTTP_REQUEST {
        set domains { "xxxx.net" "xxxx.com" }
        set matched 0

        foreach header { "Referer" "Origin" "X-Forwarded-Host" } {
            log local0. "$header - [HTTP::header $header] : [lsearch -exact $domains [HTTP::header $header]]"
            if { ! ( [lsearch -exact $domains [HTTP::header $header]] equals "-1" ) } {
                incr matched
            }
        }

        if { $matched > 0 } {
            pool emx-pool
        } else {
            HTTP::respond 200 content "
    <HTML>
    <HEAD>
    <TITLE>Rejected Request</TITLE>
    </HEAD>
    <BODY>The request was rejected. <BR>The server is trying to redirect the client to an external site, but it is forbidden</BODY>
    </HTML>"
        }
    }
  • Thank you Yoann for your response. I tested the rule and it is still hitting the else part and returning the body content.

    One more thing I would like to highlight: the domain for the URL is (test.xxx.net & test.xxx.com), while in the rule we are referencing the base domain (xxx.net & xxx.com). Is this an issue? Please take a look.
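The two rules above compare the raw header value against the bare domain, but Referer and Origin carry a full URL (scheme, host, optional port, path) and the real host in this thread is a subdomain (test.xxxx.net), so an exact match can never succeed. The iRule below is an added example, not code posted in the thread or shipped by F5: it extracts the host from each header, strips any port, and accepts the host when it equals an allowed domain or is a subdomain of one. The domain names, the pool name emx-pool and the rejection page are placeholders carried over from the thread.

```tcl
# Added example (not from the thread): allow-list the host found in the
# Referer, Origin or X-Forwarded-Host header by registrable domain.
# "xxxx.net", "xxxx.com" and "emx-pool" are placeholders from the thread.
when HTTP_REQUEST {
    set allowed_domains [list "xxxx.net" "xxxx.com"]
    set matched 0

    foreach hdr [list "Referer" "Origin" "X-Forwarded-Host"] {
        set value [string tolower [string trim [HTTP::header $hdr]]]
        if { $value eq "" } { continue }

        if { [string match "*://*" $value] } {
            # Referer and Origin carry a URL: keep the authority part only
            # ("https://test.xxxx.net:443/path" -> "test.xxxx.net:443").
            set authority [lindex [split $value "/"] 2]
        } else {
            # X-Forwarded-Host is a bare host; proxies may append a
            # comma-separated list, so take the first entry.
            set authority [string trim [lindex [split $value ","] 0]]
        }
        # Drop an explicit port before comparing.
        set host [lindex [split $authority ":"] 0]

        foreach domain $allowed_domains {
            # Exact match, or a true subdomain. The leading dot in the glob
            # stops "evilxxxx.net" from matching "xxxx.net".
            if { $host eq $domain || [string match "*.$domain" $host] } {
                set matched 1
                break
            }
        }
        if { $matched } { break }
    }

    if { $matched } {
        pool emx-pool
    } else {
        # Log what was seen so a rejected legitimate client can be diagnosed
        # from /var/log/ltm instead of by trial and error.
        log local0. "Rejected request from [IP::client_addr]: Referer=[HTTP::header Referer] Origin=[HTTP::header Origin] X-Forwarded-Host=[HTTP::header X-Forwarded-Host]"
        HTTP::respond 403 content "<HTML><HEAD><TITLE>Rejected Request</TITLE></HEAD><BODY>The request was rejected.</BODY></HTML>" "Content-Type" "text/html"
    }
}
```

Two design notes. The example answers with 403 rather than the 200 used in the thread, so that monitoring and clients can tell a block from a normal page; keep 200 if something downstream depends on it. And, as Yoann pointed out, all three headers are set by the client (Origin is the only one browsers fill in reliably and do not let page script override), so this rule reduces casual cross-site use of the URL but is not an authentication control; requests that matter should still be authorised by the application behind emx-pool.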