Forum Discussion

Thanushka_Wije1
Feb 10, 2018

Http header

Hi

 

There is a requirement to write an iRule for the below:

 

To capture HTTP header of each request and only allow them if it has valid DNS header host section

 

Will below work?

 

Data-Group

 

    class Valid_DNS { "abc.com" "efg.com" }

    when HTTP_REQUEST {
        if { [matchclass [HTTP::host] equals $::Valid_DNS] } {
            return
        } else{
            reject
        }
    }

 

4 Replies

  • Unfortunately below iRule is not executing and generating TCL errors

     

    when HTTP_REQUEST {
        if { [class match [HTTP::host] equals $::Valid_DNS] } {
            accept
        } else {
            drop
        }
    }

    My requirement is to mitigate host header redirection attacks (HTTP redirection protection). I'm running on 11.6.2 HF1, unfortunately not having ASM licence.

     

    Any idea how can I achieve above using data-group and irule.

     

  • Like I said earlier the syntax has changed. This also applies to the use of external classes. In your case, create a datagroup Valid_DNS via the WebUI. And use an iRule like this:

    when HTTP_REQUEST {
        if { not [class match [HTTP::host] equals Valid_DNS] } {
            drop
        }
    }
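
An added example, not part of the replies above and not F5's own code: a variant of the data-group check that lowercases the Host value and strips any port before the lookup, and logs what it drops. It assumes a string data group named Valid_DNS holding lowercase hostnames, as suggested in the last reply; the log message wording is illustrative.

```tcl
# Added example (not from the thread). Assumes a string data group named
# Valid_DNS, created in the WebUI, with lowercase entries such as "abc.com".
when HTTP_REQUEST {
    # HTTP::host returns the Host header as sent, so it may carry a port
    # ("abc.com:443") or mixed case ("ABC.com"); normalize before matching.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # An empty value covers requests that carry no Host header at all.
    if { $host eq "" || ![class match $host equals Valid_DNS] } {
        # Record the raw header and client address for later review.
        log local0. "Host header rejected: '[HTTP::host]' from [IP::client_addr]"
        drop
        return
    }
}
```

Because `equals` is an exact, case-sensitive comparison, the entries in the data group must be stored in lowercase for this normalization to match.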