Forum Discussion

reldar_76465's avatar
reldar_76465
Icon for Nimbostratus rankNimbostratus
Sep 14, 2011

Allowing access by referrer

Hi,

 

I have a client who wants to exclusively connect to a web site we created for them. we agreed to do this by identifying the referrer they are coming to our site with.

 

As they are coming from an https site, I added SSL to our site as well so I can capture the referrer (linking from https to http drops the referrer).

 

I setup the following rule for this:

 

 

 

when HTTP_REQUEST {

 

 

switch -glob [HTTP::path] {

 

 

"*/handlers/*" { }

 

 

default {

 

switch -glob [HTTP::header "Referer"] {

 

"https://www.example.com/*" {

 

HTTP::redirect "https://www.oursite.com"

 

}

 

 

"www.oursite.com/*" { }

 

 

"" { HTTP::respond 403 content "" }

 

}

 

}

 

 

}

 

}

 

 

 

the first part with the /handlers/ in the path is because our site is loading itself to load a component in it, this is how I solved this part.

 

I need a redirect because I want the address to change when going to our site.

 

 

this iRule is installed on the virtual server of the https site.

 

 

The problem: the redirect is going into a loop. any ideas?

 

Thanks.

 

application delivery
dev
devops
iRules

4 Replies

Sort By
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Sep 14, 2011
    Hi reldar,

     

     

    Could you provide some additional information on the redirect loop that you are referring?

     

     

    If you are looking for a Referer "https://www.example.com" and it is redirecting to a different URL "https://www.oursite.com", is that second URL on the same Virtual Server? If not, then how are you getting into a loop?

     

     

  • reldar_76465's avatar
    reldar_76465
    Icon for Nimbostratus rankNimbostratus
    Sep 15, 2011
    OK, so it's getting more complicated.

     

    We cannot support https on our site so I have to redirect the traffic to http which is a different virtual server for the same site.

     

    There I still need an irule in place as I still need to filter traffic coming to it. but once redirected from the https virtual server to the http virtual server, the referrer is dropped.

     

    So I guess I need to add some kind of a cookie on the https irule and look for it on the http irule and allow access.

     

    Any ideas how this can be set?

     

     

    many thanks for the help

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Sep 15, 2011
    It's a bad security practice to depend on the Referer header to verify whether a request should allowed to a web app. The referer header (and all other HTTP headers) can easily be spoofed by a malicious client. It would be much more secure to use some authentication mechanism to enforce access control. Or worst case, lock access down by source IP address.

     

     

    Aaron
  • reldar_76465's avatar
    reldar_76465
    Icon for Nimbostratus rankNimbostratus
    Sep 15, 2011

    yes, that;s true and I'm aware of this, but this is how the client wants to do this.

     

     

     

    also, the IP option is not feasable as the site referring to me is open from everywhere to everyone, so there is no one IP or a group of IP's I can allow.

     

     

     

    does someone have an idea where i can find an example of how to add a cookie to a session, and how to allow access by a cookie?

     

     

    many thanks for the help.