http referer iRule assistence

Question

I have the below iRule. I want to modify it so that if users insert images into the docs via the browser, the connection doesn't break. It breaks because the images are coming from their local systems and not from sharepoint. I haven't been able to think of anything dynamic. I.E., if the user inserts different types of images(jpeg, giff, etc...), videos, etc.&nbsp;
when RULE_INIT {
     user-defined: enable/disable debug (1/0)
    set static::ref_debug 0
}
when HTTP_REQUEST {
     This iRule will check the HTTP referer to make sure the &nbsp;
traffic arriving at the OWA is in-fact coming from Sharepoint.
      if { not ( [HTTP::uri] contains "/favicon" ) } {
        if { $static::ref_debug } { log local0. "Incoming &nbsp;
referer: [HTTP::header Referer]" }
        switch -glob [string tolower [HTTP::header Referer]] {
            "https://sharepoint/*" {
                if { $static::ref_debug } { log local0. "From &nbsp;
allowed referer - allow" }
                return
            } 
            "https://OWA/*" {
                if { $static::ref_debug } { log local0. "local &nbsp;
domain - allow" }
                return
            }
            default {
                if { $static::ref_debug } { log local0. "from &nbsp;
disallowed referer - redirect" }
                HTTP::redirect [HTTP::header Referer]
            }
        }
    }
}&nbsp;

kai_wilke · Answer

Hi Sonny,
you could simply add an additional whitelist for problematic web pages (e.g. upload page)...
when HTTP_REQUEST {

This iRule will check the HTTP referer to make sure the traffic arriving at the OWA is in-fact coming from Sharepoint.

if { not ( [HTTP::uri] contains "/favicon" ) } { 
        if { $static::ref_debug } { log local0. "Incoming referer: [HTTP::header Referer]" } 
        switch -glob [string tolower [HTTP::header Referer]] { 
            "https://sharepoint/*" { 
                if { $static::ref_debug } { log local0. "From allowed referer - allow" } 
                return 
            } 
            "https://OWA/*" { 
                if { $static::ref_debug } { log local0. "local domain - allow" } 
                return 
            } 
            default {
                if { $static::ref_debug } { log local0. "from disallowed referer - redirect" }
                switch -glob -- [string tolower [HTTP::uri]] {
                    "*upload.aspx*" - \
                    "*attachment.aspx*" - \
                    "*somepage.aspx*" - \
                    "*whitelist.aspx*" {
                        if { $static::ref_debug } { log local0. "Explicitly whitelisted URL - allow" }
                        return
                    } 
                    default {
                        HTTP::redirect [HTTP::header Referer] 
                    }
                }
            } 
        } 
    } 
}

Cheers, Kai

sonny · Answer

Thanks for the suggestion Kai. However, it didn't work. The .aspx pages are accounted for with the "https://sharepoint/" and "https://OWA/", right?&nbsp;

sonny · Answer

If you use _._, it works!&nbsp;
switch -glob -- [string tolower [HTTP::uri]] {
                    "_._" {
                        if { $static::ref_debug } { log local0. "Explicitly whitelisted URL - allow" }
                        return
                    }&nbsp;
Hmm, the "star.star" doesn't show up on DevCentral.&nbsp;

Forum Discussion

http referer iRule assistence

3 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Assistance with iRule using port ranges

Cloud Docs - F5OS Technical Reference Materials

iRule to assist with CVE-2022-22965 mitigation

Re: Welcome to the F5 BIG-IP Migration Assistant

Requesting Assist with iRule Please