Help with blocking referers

Question

We're migrating from a version 4 appliance to version 9.  We maintain various sites behind our loadbalancers. We want to use block refers linking to our content.&nbsp;
&nbsp;I have a defined a classed based on the sites&nbsp;
&nbsp;class live_sites {
&nbsp;"www.site.com"
&nbsp;"www.site.co.uk"
&nbsp;"www.site.de"
&nbsp;"www.site.eu"
&nbsp;"www.site.fr"
&nbsp;}&nbsp;
&nbsp;Our 4.5 the rule worked. &nbsp;
&nbsp;The version 4.5.x rule we are trying to replicate is as follows:&nbsp;
&nbsp;rule live-sites {
&nbsp; if (http_host == one of live_sites) {
&nbsp;use pool live_pool
&nbsp;}
&nbsp;else {
&nbsp;discard
&nbsp;}
&nbsp;}&nbsp;&nbsp;
&nbsp;I'm having problems trying to achieve the same results in version 9.&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;if { [matchclass http::host equals $::live_sites] } {
&nbsp;pool live_pool
&nbsp;} 
&nbsp;else {
&nbsp;discard
&nbsp;}
&nbsp;}&nbsp;
&nbsp;Can anyone offer any assistance?&nbsp;
&nbsp;Thanks in advance.

hooleylist · Answer

If you want to validate that all requests have a host header value equal to the entries in your datagroup, the rule and datagroup you have listed should work.  Just wrap the HTTP::host with square braces: [HTTP::host].  If you want to verify that the host header value value in the request contains  one of the datagroup entries, you could change the "equals" to "contains".&nbsp;
&nbsp;Lastly, if you want to verify that the HTTP Referer header contains a valid host, you could replace [HTTP::host] with [HTTP::header value Referer].&nbsp;
&nbsp;Aaron

helitg_35878 · Answer

Thanks Aaron,&nbsp;
&nbsp;When I use the square braces I get the following error.  FYI, I'm running 9.4.3&nbsp;
&nbsp;01070151:3: Rule [ir_live] error: line 2: [undefined procedure: http::host] [http::host]&nbsp;
&nbsp;iRule listed below
&nbsp;when HTTP_REQUEST {
&nbsp;if { [matchclass [http::host] contains $::live_sites] } {
&nbsp;pool live_pool
&nbsp;} else {
&nbsp;discard
&nbsp;}
&nbsp;}&nbsp;&nbsp;

hooleylist · Answer

HTTP::host is case sensitive.  Can you replace http::host with HTTP::host, and retest?&nbsp;
&nbsp;Aaron

helitg_35878 · Answer

Thanks Aaron!&nbsp;
&nbsp;Spot on.&nbsp;&nbsp;

Forum Discussion

Help with blocking referers

4 Replies

Recent Discussions

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Cloud Docs - F5OS Technical Reference Materials

Deploy the NGINX Modern Apps Reference Architecture locally

Block traffic

domain blocking

Bot Signature based on the referer header