formiarevo_2065
Jun 15, 2015
Solved

How to deny the request with the Host:IP address in the request header, not Host:the domain name.

Hi All,

I have an LTM device with version 11.6.0.

I would like to deny HTTP requests whose Host value is an IP address.

For example, our website, test.com, has a VIP, 1.1.1.1.

  • I want to deny the user typing the IP address 1.1.1.1 in the browser and directly accessing our website. On the other hand, I want to allow the user typing www.test.com in the browser.

To achieve this purpose, I have to use the iRule. Is it impossible without an iRule?

Thanks, Mia.

  • Yes, using an iRule is recommended here. Since you said you're using v11.6, you can also use what is called an LTM Policy (Local Traffic -> Policy) for such a purpose. There are SOL articles that explain the topic.

    If you want to use an iRule:

    when HTTP_REQUEST {

      if { [HTTP::host] == "1.1.1.1" } {
        log local0. "[IP::client_addr] Denied access to <[HTTP::host][HTTP::uri]>"
        # If you want to send TCP-RST as a response (Connection has been reset error will occur)
        reject
        # If you want to drop the request (Timeout will occur), use this instead of reject:
        # TCP::close
      }
    }

4 Replies

  • formiarevo_2065
      Wow~ Good Answer! I tested LTM Policy as you said. So easy. Thanks Hannes, Mia.
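The iRule in the answer compares the Host header against one address. As an added example (not code from the thread), the iRule below generalizes that check to any IP literal in the Host header, including one with a port suffix or a bracketed IPv6 literal; the variable names are illustrative.

```tcl
# Added example, not from the thread: deny any request whose Host header is an
# IP literal rather than a domain name.
when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]

    # IPv6 literals are bracketed in a Host header, e.g. "[2001:db8::1]:443".
    set is_ip [string match {\[*} $host]

    if { !$is_ip } {
        # Drop an optional ":port" suffix, so "1.1.1.1:8080" is tested as "1.1.1.1".
        set name [getfield $host ":" 1]

        # scan returns exactly 4 only when the value is four dot-separated
        # integers and nothing else. Trailing text ("1.1.1.1.test.com") fills
        # $rest and returns 5; a normal name ("www.test.com") returns 0.
        # Octets are not range-checked: "999.1.1.1" is also treated as an IP,
        # which is acceptable for a deny rule.
        if { [scan $name {%d.%d.%d.%d%s} a b c d rest] == 4 } {
            set is_ip 1
        }
    }

    if { $is_ip } {
        # Log before resetting the connection, same message format as the answer.
        log local0. "[IP::client_addr] Denied access to <[HTTP::host][HTTP::uri]>"
        reject
        return
    }
}
```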