Forum Discussion

xbox360_255194
Mar 22, 2016

Best way to deny access to URL

I have VIP Dallas. This VIP has a pool member of 10.1.1.1. I have another VIP NY. This VIP has pool member 10.2.1.1. VIP NY has 2 URIs: NYC and Albany. On server 10.1.1.1, there are 2 links: https://ny.abc.com/nyc and https://ny.abc.com/albany. The requirement is to only allow access to VIP NY via these links. Clients cannot access VIP NY directly. On VIP NY, I tried to filter based on cookie and referer. Both did not work. Any suggestions?

 

4 Replies

  • Josiah_39459
    Historic F5 Account

    Assuming all the links in those applications are prefaced with those uris:

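    when HTTP_REQUEST {
      # Reject any request whose URI does not start with /nyc or /albany (case-insensitive).
      # Tcl string literals need double quotes; single quotes are not string delimiters.
      if { !(([string tolower [HTTP::uri]] starts_with "/nyc") || ([string tolower [HTTP::uri]] starts_with "/albany")) } {
        HTTP::respond 403
      }
    }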
    
    • EastCoast_16835
      I would recommend being careful when using iRules for security purposes like URL authorization. If URL parts are encoded, this rule can be easily bypassed. You would need either to decode the URL properly (may require multiple rounds) or to use ASM signatures that do perform this decoding automatically. UPDATE: I think there is also a possibility to use the ASM "Allowed URL" feature with the action "Block". Not sure whether it does URL decoding though.
    • Josiah_39459
      Historic F5 Account
      Yes, ASM is probably the best answer if there is a security concern, and not just a programmatic exercise.
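
For readers who stay with an iRule, one way to apply the multi-round decoding mentioned in the replies before the prefix check. This is an added example, not code posted by anyone in the thread; the five-round limit, the refusal of dot segments and backslashes, and the exact-or-slash prefix match are assumptions chosen for illustration.

```tcl
when HTTP_REQUEST {
    # Assumption: no legitimate client needs more than 5 rounds of percent-encoding.
    set max_rounds 5
    set rounds 0

    # HTTP::path excludes the query string, so only the path is compared.
    set path [HTTP::path]

    # Percent-decode until the value stops changing, so that single and
    # double encodings (%2f, %252f) are both reduced before the comparison.
    set decoded [URI::decode $path]
    while { ($decoded ne $path) && ($rounds < $max_rounds) } {
        set path $decoded
        set decoded [URI::decode $path]
        incr rounds
    }

    # Still changing after the limit: refuse instead of guessing.
    if { $decoded ne $path } {
        HTTP::respond 403
        return
    }

    set path [string tolower $path]

    # Refuse dot segments and backslashes rather than resolving them, so a
    # request cannot start with an allowed prefix and then climb out of it.
    if { ($path contains "/../") || ($path ends_with "/..") || ($path contains "\\") } {
        HTTP::respond 403
        return
    }

    # Allow only the two published paths: exact match, or followed by "/".
    if { !(($path eq "/nyc") || ($path starts_with "/nyc/") ||
           ($path eq "/albany") || ($path starts_with "/albany/")) } {
        HTTP::respond 403
    }
}
```

The check runs on the decoded copy only; the request is still forwarded to the pool member with its original URI, so the server's own decoding behaviour should be confirmed to match.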