Forum Discussion

Kai_M__48813
Apr 13, 2016

problems with data group and http:host

hi,

I have set up a forward HTTP proxy, using the iRule provided on DevCentral (current version 3.2), which works quite well. But due to security demands, I need to limit outgoing requests to only approved hosts, which has proved to be a bit more challenging than first anticipated.

What I have done is to create a data group containing the approved domains that can be reached, and added the following to the proxy iRule:

    if { not [matchclass [string tolower [HTTP::host]] ends_with data_group] } { reject }

So the thought is to only allow domains and subdomains that are in the data group, but we are not getting the results we want. If I change the operator from "ends_with" to "contains", it will work, but that will leave us more open to exploits, as we cannot be sure the request goes to a valid host.

Is there something I'm missing here, as I thought that HTTP::host would be http:// and not include anything from the URI.. If there are any suggestions on how to get this to work as intended, it would be much appreciated!

 

9 Replies

  • Vernon_97235
    Historic F5 Account

    matchclass is deprecated in favor of class. Can you try the same, but using class as follows:

        if { not [class match [string tolower [HTTP::host]] ends_with data_group] } { reject }
    

    and see if that makes a difference?

    • Kai_M__48813
      Hi.. I have now updated the iRule to the following:

          if { not [class match [string tolower [HTTP::host]] ends_with data_group] } { reject }

      but this is still not working for requests that also include a subdomain. The request being sent from the server is api..xx/, but this fails. If we open a browser on the server and go straight to https://, it gets through. This indicates that at least some parts of the iRule are working, but it fails to send a request through if it is including a subdomain as well... Unless I'm missing something here also, as this is a proxy, it uses 8080.. does this get attached to the Host header? If so, it will probably cause issues with "ends_with".
  • Vernon_97235
    Historic F5 Account

    Indeed it will. To solve that problem, this should do the trick:

        if { not [class match [string tolower [getfield [HTTP::host] : 1]] ends_with data_group] } { reject }
    
    • Kai_M__48813
      Initial tests are showing that the iRule is now working as intended! The last change made all the difference... After reading up on non-standard ports being added to the host, it was a matter of finding a solution for this... If all goes as planned, this will be a lifesaver for me! Thanks for the help :)
  • THi

    What does your data group look like? You could add a logging line into your iRule to see what the HTTP::host value is and compare it with your data group value. Are your requests using non-standard ports, i.e. not 80/443? HTTP::host contains the port in those cases, e.g. example.com:8080, which may confuse the ends_with comparison.

    log local0. "HTTP Host is: [HTTP::host]" 
    

    Instead of HTTP::host you might use the URI::host command with HTTP::host as parameter. URI::host does not return the protocol portion of the Host header. Note that URI::host requires a parameter string from which it parses the host portion. Haven't tested it, though.. see the iRule wiki on those.
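The check the thread converges on (lowercase the Host header, drop the :port that a proxy on 8080 adds, then suffix-match against the approved-domain data group), modelled in Python as an added example; this is not iRule code from the thread, from DevCentral or from F5. APPROVED_DOMAINS is a constructed stand-in for the data group. It goes one step beyond the thread's fix: a bare ends_with would also accept a name like evilexample.com for the entry example.com, so the approved check requires either an exact match or a dot boundary before the approved domain, and the plain suffix behaviour is kept alongside for comparison.

```python
"""Host allowlist check for a forward proxy, modelled in Python.

Added example (not from the thread or from F5). APPROVED_DOMAINS is a
constructed stand-in for the data group of approved domains.
"""

# Constructed allowlist: an entry covers the domain itself and its subdomains.
APPROVED_DOMAINS = {"example.com", "api.example.net"}


def normalize_host(host_header: str) -> str:
    """Lowercase the Host header and strip any :port suffix.

    Mirrors [string tolower [getfield [HTTP::host] : 1]] from the thread,
    and additionally handles a bracketed IPv6 literal such as [2001:db8::1]:8080,
    where splitting on the first colon would be wrong.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else host
    # A single colon separates host and port; more than one (unbracketed
    # IPv6, which is not valid in a Host header) is left untouched.
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_approved(host_header: str, approved=APPROVED_DOMAINS) -> bool:
    """True only for an approved domain or a proper subdomain of one.

    The dot boundary is what stops "evilexample.com" from matching the
    entry "example.com"; a bare suffix test has no such boundary.
    """
    host = normalize_host(host_header)
    return any(host == d or host.endswith("." + d) for d in approved)


def suffix_only(host_header: str, approved=APPROVED_DOMAINS) -> bool:
    """The plain ends_with behaviour from the thread, kept for comparison."""
    host = normalize_host(host_header)
    return any(host.endswith(d) for d in approved)


if __name__ == "__main__":
    # Constructed sample Host headers as a proxy on port 8080 would see them.
    for header in ("api.example.com:8080", "EXAMPLE.com", "evilexample.com:8080"):
        print(f"{header:>24}  approved={is_approved(header)}  "
              f"ends_with={suffix_only(header)}")
```

In the iRule itself the same boundary can be had by storing data group entries with a leading dot (".example.com") for the ends_with test and adding a separate equals test for the bare domain, so that the decision never rests on an unanchored suffix.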