Forum Discussion

nathe
Aug 20, 2012

Block Direct Access to website

Afternoon,

I could do with a bit of guidance please.

I have a front end webserver, load-balanced on LTM, and a link on this webserver to another external facing webserver, also load-balanced.

What I'd like to do is block direct access to the second webserver so it's only accessible to those people who have clicked the link on the first webserver, rather than allowing direct access to it.

After looking at the iRules 101 Security post I've come up with this iRule using the Referer. Is this the best and cleanest way of achieving what I'm after?

Thanks

N

    when HTTP_REQUEST {
      switch -glob [HTTP::header "Referer"] {
        "*www.mywebsite.com/*" -
        "*www.contentwebsite.com/*" {
          # Allow request to go through...
        }
        "" {
          # No Referer header: answer with an empty 200 and log the client
          HTTP::respond 200 content ""
          log local0 "Blank Referer from IP: [IP::client_addr]"
        }
        default {
          # Any other Referer: redirect back to it and log the client
          HTTP::redirect [HTTP::header "Referer"]
          log local0 "Blocked Referer: [HTTP::header value Referer] from IP: [IP::client_addr]"
        }
      }
    }

4 Replies

  • I think the Referer header may be available only on the page which is linked from the front-end web server, i.e. not on every page or component in the page of the 2nd web server. So, should it be checked on a specific URL only?
  • nathe
    Thanks for the reply nitass,

    I'd want the whole server inaccessible and there's only 1 URL on the server. From testing I see the referrer as either the first front end server or itself, which is why in the iRule I've added the check for www.contentwebsite.com also. I will do some further testing on this though to confirm.

    Thanks again.

    N
  • The Referer header will start with a protocol like http:// or https://. You could try something like this to be more specific:

    
    when HTTP_REQUEST {
      # Compare only the lower-cased host portion of the Referer
      switch -glob [string tolower [URI::host [HTTP::header "Referer"]]] {
        "www.mywebsite.com" -
        "www.contentwebsite.com" {
           # Allow request to go through...
        }
        "" {
          HTTP::respond 200 content ""
          log local0 "Blank Referer from IP: [IP::client_addr]"
        }
        default {
          HTTP::redirect [HTTP::header "Referer"]
          log local0 "Blocked Referer: [HTTP::header value Referer] from IP: [IP::client_addr]"
        }
      }
    }
    

    Aaron
  • nathe
    Hoolio,

    Nice tweak - much appreciated.

    N
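
The difference between the two iRules in this thread, as an added example that is not part of any poster's reply: a plain-Tcl (tclsh) comparison of whole-string glob matching against host-only matching over constructed Referer values. `referer_host` is a hypothetical stand-in for the iRule-only `URI::host` command, and `glob_check` and `host_check` are names invented here.

```tcl
# Added example: plain Tcl for tclsh, not an iRule. All Referer values below
# are constructed samples.

# Whole-string glob match, as in the first iRule of the thread.
proc glob_check {referer} {
    switch -glob -- $referer {
        "*www.mywebsite.com/*" -
        "*www.contentwebsite.com/*" { return allow }
        ""      { return blank }
        default { return block }
    }
}

# Hypothetical stand-in for URI::host (an iRule command that tclsh lacks):
# returns the lower-cased host of scheme://[userinfo@]host[:port]/..., or ""
# when the value is empty or not an absolute URL. No IPv6 literal handling.
proc referer_host {referer} {
    set re {^[a-z][a-z0-9+.-]*://(?:[^/?#@]*@)?([^/?#:@]*)}
    if {[regexp -nocase -- $re $referer -> host]} {
        return [string tolower $host]
    }
    return ""
}

# Match on the host only, as in the revised iRule (its patterns carry no
# wildcards, so -exact is used here).
proc host_check {referer} {
    switch -exact -- [referer_host $referer] {
        "www.mywebsite.com" -
        "www.contentwebsite.com" { return allow }
        ""      { return blank }
        default { return block }
    }
}

set samples {
    "http://www.mywebsite.com/index.html"
    "https://WWW.ContentWebsite.com/app"
    "http://other.example/www.mywebsite.com/"
    "http://other.example/?from=www.contentwebsite.com/x"
    ""
}
foreach r $samples {
    puts [format "%-54s glob=%-5s host=%s" "\"$r\"" [glob_check $r] [host_check $r]]
}
```

The two checks disagree on the samples where the site name appears only in the path or query string (the glob allows, the host match blocks) and on the mixed-case host (the glob blocks, the host match allows). Either way the decision rests on a header the client supplies.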