Forum Discussion

Tony_Bushell_90
Jun 17, 2010

How to reject based on an IP?

Hi - I have a customer who is trying to publish an HTTP site but they want to reject any requests that come if someone just uses the IP address or some other DNS A or CNAME, and I was hoping someone could point me in the right direction. Thanks!

3 Replies

  • Hi Tony,

    If you create a datagroup (type: string) of legal or illegal HTTP host header values you can use an iRule like this to check the requested Host header value against it. You can also add a check to see that the Host header value isn't an IP address:

    
    when HTTP_REQUEST {

       # Check the Host against a datagroup of legal host header values
       if {not ([matchclass [string tolower [HTTP::host]] equals legal_host_headers_class])}{
          HTTP::respond 403 content {Forbidden!}
          return
       }

       # Check the Host against a datagroup of illegal host header values
       if {[matchclass [string tolower [HTTP::host]] equals illegal_host_headers_class]}{
          HTTP::respond 403 content {Forbidden!}
          return
       }

       # Check if the Host is an IP address, blank or non-existent
       if {not ([string match {*[a-zA-Z]*} [HTTP::host]])}{
          HTTP::respond 403 content {Forbidden!}
       }
    }
    

    Aaron
  • Make sure to customize the iRule as the customer needs. For example, you probably wouldn't bother with a black list of HTTP hosts if you're using a white list. Also, you may not want to block clients who don't send any host header as one isn't required for HTTP 1.0.

     

     

    Aaron
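
The customization suggested in the replies above (white list only, no Host required for HTTP 1.0), written out as an added example that is not part of the original thread. It assumes the same string datagroup name, legal_host_headers_class, holding lowercase hostnames, and goes one step further by stripping a ":port" suffix before the lookup; www.example.com is a constructed value.

```tcl
when HTTP_REQUEST {

    # Host header as sent by the client, lowercased; may carry ":port"
    set host [string tolower [HTTP::host]]

    # HTTP 1.0 does not require a Host header, so an empty value is
    # allowed through for 1.0 requests only. Remove this branch if the
    # site must never answer a request that names no host.
    if { $host eq "" } {
        if { [HTTP::version] eq "1.0" } {
            return
        }
        HTTP::respond 403 content {Forbidden!}
        return
    }

    # Strip an optional port so "www.example.com:80" still matches the
    # datagroup entry "www.example.com"
    set name [getfield $host ":" 1]

    # White list only: anything not listed is rejected, which covers
    # requests by IP address and by any other A or CNAME record that
    # points at the virtual server, so no black list is needed
    if {not ([matchclass $name equals legal_host_headers_class])} {
        log local0. "Rejected Host \"$host\" from [IP::client_addr]"
        HTTP::respond 403 content {Forbidden!}
        return
    }
}
```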