Forum Discussion

Alexandre_Marko
Dec 02, 2011

Block access to a pool if url not accessed from a trusted domain

Hello,

Here is the problem:

We have 2 websites, one with SSL and one in clear.

The F5 is ending the SSL.

The 2 websites have their own Virtual Server with their own pool.

Actually we can access the 2 websites independently.

We want to authorise the access to the second website (the one in http) only if we are accessing it from a link on the first website (in https).

Is there a way to get the origin of a user when accessing a website?

We could use this "variable" [probably in a HTTP_REQUEST irule] to allow or not the access to the pool.

Regards,

2 Replies

  • Is http referer header useful?

    iRule Security 101 - 06 - HTTP Referer by Joe

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/113/iRule-Security-101--06--HTTP-Referer.aspx
  • I don't think a browser will set a Referer header when transitioning from an HTTPS site to an HTTP site:

    http://tools.ietf.org/html/rfc2616#section-15.1.3

    Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

    And the referer header can easily be spoofed, so using it for authorization isn't a secure method.

    If the two FQDNs are on the same domain, you could try setting a session cookie on the HTTPS virtual server and store that in a subtable. Then when a request is made to the HTTP virtual server, you could look for the cookie and check it against the subtable entries.

    Aaron
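
The cookie-and-subtable approach from the last reply, sketched as two iRules, one per virtual server. This is an added example, not code from the thread or from F5; the cookie name `xsite_token`, the subtable name `xsite_tokens`, the domain `.example.com` and the 1800-second timeout are assumptions. The cookie cannot carry the Secure flag (the browser would then never send it to the HTTP site), so the token crosses the network in clear text on the second site and should be kept short-lived.

```tcl
# --- iRule on the HTTPS virtual server: issue the token ---
when HTTP_REQUEST {
    # Issue a new token unless the client already presents a live one.
    set issue_token 1
    if { [HTTP::cookie exists "xsite_token"] } {
        set presented [HTTP::cookie value "xsite_token"]
        if { [table lookup -notouch -subtable xsite_tokens $presented] ne "" } {
            set issue_token 0
        }
    }
}
when HTTP_RESPONSE {
    if { $issue_token } {
        # AES::key returns "AES <bits> <hex>"; the hex part is used as a random token.
        set token [lindex [AES::key 256] 2]
        # Entry expires after 1800 s idle (assumed value); the stored
        # client address is informational only.
        table set -subtable xsite_tokens $token [IP::client_addr] 1800
        # The domain must cover both FQDNs (assumed: .example.com).
        # No Secure flag, otherwise the HTTP site never receives the cookie.
        HTTP::cookie insert name "xsite_token" value $token path "/" domain ".example.com"
    }
}

# --- iRule on the HTTP virtual server: check the token ---
when HTTP_REQUEST {
    set token [HTTP::cookie value "xsite_token"]
    # Reject when the cookie is missing or unknown to the subtable.
    if { $token eq "" || [table lookup -subtable xsite_tokens $token] eq "" } {
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain"
        return
    }
    # Known token: the request continues to the virtual server's default pool.
}
```

Unlike a Referer check, the HTTP virtual server here only accepts a value that the BIG-IP itself generated and still holds in its session table, so a client cannot make one up.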