iRule to hide internal URL from users

Question

the thing i'm trying to accomplish is that once an external user gets to their /pages/morepages/sales.aspx page, they cannot go up to a higher level in the domain... I'm not sure what the best way to do this is... I have the ASM module so I'm guessing I'll need some form of filter. I also wouldn't mind hiding the URI from the user, so all they see is external.domain.com wherever they go... anyway, i'm sure this is a topic for another forum..

so first and foremost, i'm having trouble getting the 1st piece taken care of... with an iRule to get the redirect and/or rewrite to take place... i'm a noob and this is my 1st post. i'm on v11, APM & ASM and am going to a training class next week, just trying to get some tasks accomplished prior...

i'm guessing i'll need a redirect or host replacement for incoming traffic, and then some kind of rewrite on the response to the client because internal.domain.com is not in public dns? I'm hoping the rewrite will take care of relative URLs?...

thanks...

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; Are you trying to restrict access for security reasons or to mask the internal hostname?  If the latter, you can use the ProxyPass iRule to present an external hostname (and/or URI) and use an internal hostname (and/or URI) for the pool. 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/iRules.proxypassv10.ashx 
&nbsp;  
&nbsp; Aaron

gh0std0g_79292 · Answer

Yes, we have to restrict access for security reasons... So external users should only be able to get to URIs below their 'sales' page: 
&nbsp; /pages/morepages/sales.aspx 
&nbsp;  
&nbsp; But i would prefer not to publish the internal hostname and/or URI to the public. &nbsp;

hooleylist · Answer

Sorry I missed your reply here.  It's not really feasible (read: effective and efficient) to use iRules to do directory restrictions for IIS, due to the number of ways that IIS accepts URIs.  See this post for examples of why: 
&nbsp;  
&nbsp; https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/30900/showtab/groupforums/Default.aspx31324 
&nbsp;  
&nbsp; The ProxyPass iRule will allow you to proxy requests to an internal URL and path, but won't restrict who can request which URIs. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

And I forgot to mention, ASM is an effective way to enforce path restrictions.  ASM is able to normalize the different encoding methods a malicious user could try to bypass restrictions with.  It should be fairly straightforward to do this within ASM.  Note that if you use ProxyPass on an ASM virtual server, the hostnames and/or URIs ASM gets will have already been rewritten by ProxyPass. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

iRule to hide internal URL from users

4 Replies

Recent Discussions

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

Related Content

DEVCENTRAL END-USER LICENSE AGREEMENT

2 internal server vlans

Use BIG-IP LTM Virtual Server & iRule for an internal "What's My IP" website

Update your DevCentral user profile

Irule for diverting blocked gelocation users to a page