Joe_Pipitone
May 19, 2015

iRule - conflicting with IE

I have the following iRule which inserts headers for HSTS, checks 2 data group lists for "referer_check_filetypes" and "referer_allowed_hosts" - those are simply our websites and PDF file types which essentially allow the browser to download a PDF once a user is logged in, as long as they come from a website on the allowed hosts data group list. This iRule also forces SSL traffic.

 

The issue we are experiencing is - when a user visits a page, they log in, and a download is supposed to immediately happen. With this code, in Internet Explorer ONLY, a new tab opens up and the website's homepage is displayed. On the previous tab, the user is allowed to download the PDF.

 

If I remove the referrer and file type checks within HTTP_REQUEST, everything works as designed. What's supposed to happen is - a new tab pops up and immediately closes, resulting in the PDF being downloaded.

 

Without this code, the problem is that it results in people downloading PDFs without being logged in if they come from a search engine such as Google after performing a Google search for PDFs that were indexed on our websites. The expected behavior when a user tries to download a PDF via a Google search is that they're redirected back to the homepage of the domain that was requested.

 

site:ourwebsite.com filetype:pdf

 

I've tried changing HTTP::respond 302 "Location" to HTTP::redirect, however that results in a "This page could not be displayed"

 

Any ideas why a tab would pop up, and not disappear, confusing the user because they don't know their download link is on the previous tab?

 

when RULE_INIT {
    set static::expires [clock scan 20110926]
}
when HTTP_RESPONSE {
    HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
}
when HTTP_REQUEST {
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { ( [class match [HTTP::path] ends_with referer_check_filetypes] ) and
         ( not [class match $refer_host contains referer_allowed_hosts] ) } {
        log local0. "[IP::client_addr]:[TCP::client_port]: hotlink detected from Referer: $refer_host for [HTTP::host][HTTP::uri]"
        HTTP::respond 302 "Location" "http://[HTTP::host]" Cache-Control No-Cache Pragma No-Cache
    }
    if {([string tolower [HTTP::host]] starts_with "www.")} {
        HTTP::redirect "https://[string range [HTTP::host] 4 end][HTTP::uri]"
        return
    } elseif { [TCP::local_port] == 80 } {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
        return
    }
}

7 Replies

  • Could you add a little more logging to the iRule to grab the path, referer and then in each of the flows just to track how the request is being handled? That may give a better picture of what's going on.

    when RULE_INIT {
       set static::expires [clock scan 20110926]
    }
    when HTTP_RESPONSE {
       HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
    }
    when HTTP_REQUEST {
        set refer_host [string tolower [URI::host [HTTP::header Referer]]]        
        log local0. ""
        log local0. "Path: '[HTTP::path]'"
        log local0. "  Referer Host: '$refer_host'"
        log local0. "  EndsWith referer_check_filetypes: [class match [HTTP::path] ends_with referer_check_filetypes]"
        log local0. "  Contains referer_allowed_hosts: [class match $refer_host contains referer_allowed_hosts]"
    
        if { ( [class match [HTTP::path] ends_with referer_check_filetypes] ) and 
            ( not [class match $refer_host contains referer_allowed_hosts] ) } {
            log local0. "[IP::client_addr]:[TCP::client_port]: hotlink detected from Referer: $refer_host for [HTTP::host][HTTP::uri]"
            log local0. "  Redirect user to home page (http://[HTTP::host])"
            HTTP::respond 302 "Location" "http://[HTTP::host]" Cache-Control No-Cache Pragma No-Cache
            return
        }
        if {([string tolower [HTTP::host]] starts_with "www.")} {
            log local0. "  Host contains WWW. Redirect to 'https://[string range [HTTP::host] 4 end][HTTP::uri]'"
            HTTP::redirect "https://[string range [HTTP::host] 4 end][HTTP::uri]"
            return
        } elseif { [TCP::local_port] == 80 } {
            log local0. "  Local port is 80. Redirect to HTTPS (https://[HTTP::host][HTTP::uri])"
            HTTP::redirect https://[HTTP::host][HTTP::uri]
            return
        }
    }
    
  • I've commented out the line that is supposed to log referer_check_filetypes, and I'm seeing that the code is doing what it's supposed to - when someone requests a PDF and they're not from an allowed referrer host, it redirects them back to the homepage.

     

    Rule /Common/irule-test : Host contains WWW. Redirect to 'https://sitename.com/'
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/'
    Wed May 20 06:42:16 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Redirect user to home page (http://sitename.com)
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Referer Host: 'www.google.com'
    Wed May 20 06:41:51 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Path: '/~/media/75CE5AEA5A85436BA819B26CF4CCA849.pdf'
  • OK - after doing a test I think I see why the additional tab is opening the site's homepage, and staying open. There doesn't seem to be a valid referrer host, it thinks the referrer is blank.

    User goes to the whitepaper page, login, 2nd tab opened, first tab contains download link. 2nd tab contains homepage only. This 2nd tab is supposed to open and prompt user for PDF download, then disappear.

    Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/Home.aspx'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Local port is 80. Redirect to HTTPS (https://sitename.com/)
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Path: '/'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test :
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Redirect user to home page (http://sitename.com)
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 1
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/~/media/CE0AD0D9B8FC48A5B247FC102D6A27A0.pdf'
    Wed May 20 10:00:49 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/whitepapers/2015/05/page-path/asset.aspx'
    Wed May 20 10:00:48 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/login/login.aspx'
    Wed May 20 10:00:47 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/design/fonts/314569/F77AE15C55FAFC3C5.css'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/login/login.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/whitepapers/2015/05/page-path/asset.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/whitepapers/2015/05/page.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Local port is 80. Redirect to HTTPS (https://sitename.com/whitepapers/2015/05/page.aspx)
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Contains referer_allowed_hosts: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : EndsWith referer_check_filetypes: 0
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Referer Host: ''
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test : Path: '/whitepapers/2015/05/page.aspx'
    Wed May 20 10:00:39 PDT 2015    info    1600A   tmm1[10278]     Rule /Common/irule-test :
    

    Download PDF only

    Rule /Common/irule-test : Contains referer_allowed_hosts: 1
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : EndsWith referer_check_filetypes: 1
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Referer Host: 'sitename.com'
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test : Path: '/~/media/3397BD0B717641088CD7BEB65879A87C.pdf'
    Wed May 20 10:03:58 PDT 2015    info    1600A   tmm[10278]      Rule /Common/irule-test :
    
    • Michael_Jenkins
      How is the page being opened for the PDF download? JavaScript, or by the user clicking on it?
    • Joe_Pipitone
      When a user goes to the page, they are forced to log in. Once they've logged in, the PDF automatically starts the download - the JavaScript window.open function is used.
  • sfuerst_116779
    Historic F5 Account

    You are missing a "return;" after the call to HTTP::respond at the end of the first if block.

     

    After responding, HTTP can't respond or redirect again as every request can only have one response... so the later HTTP::redirect calls will trigger an error.

     

  • Thank you all for your help. I've corrected the iRule with the missing return statement, and we will test further. For now, we've come up with a temporary workaround while we figure out a more permanent solution as far as supporting IE.
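
Added example, not part of the original thread: the debug lines written by the logging iRule above can be regrouped into requests, so redirects caused by a missing Referer can be told apart from redirects caused by a foreign one. The sample log is constructed, and `blocked_requests`, `SAMPLE` and the `.example` hosts and paths are hypothetical names.

```python
import re

# ltm line shape quoted in the thread: "... tmmN[pid]  Rule <name> : <message>"
LINE = re.compile(r"(tmm\d*)\[\d+\]\s+Rule \S+ :\s*(.*)$")
FIELD = re.compile(r"(Path|Referer Host): '(.*)'$")

def blocked_requests(log_text):
    """Return (path, referer_host, reason) for every request sent to the homepage."""
    pending, blocked = {}, []
    # The thread's logs are newest-first; replay them oldest-first.
    for raw in reversed(log_text.strip().splitlines()):
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        tmm, msg = m.groups()
        field = FIELD.match(msg)
        if msg == "":                    # the iRule's empty log line opens a request
            pending[tmm] = {}            # TMM threads interleave, so key by thread
        elif tmm not in pending:
            continue                     # request began before the capture started
        elif field:
            pending[tmm][field.group(1)] = field.group(2)
        elif msg.startswith("Redirect user to home page"):
            ref = pending[tmm].get("Referer Host", "")
            reason = "no-referer" if ref == "" else "foreign-referer"
            blocked.append((pending[tmm].get("Path"), ref, reason))
    return blocked

# Constructed sample (hosts and paths are placeholders), newest line first.
ROW = "Wed May 20 10:00:49 PDT 2015 info 1600A {}[10278] Rule /Common/irule-test :{}"
SAMPLE = "\n".join(ROW.format(t, m) for t, m in [
    ("tmm", " Contains referer_allowed_hosts: 1"),
    ("tmm", " EndsWith referer_check_filetypes: 1"),
    ("tmm", " Referer Host: 'site.example'"),
    ("tmm", " Path: '/~/media/c.pdf'"),
    ("tmm", ""),
    ("tmm1", " Redirect user to home page (http://site.example)"),
    ("tmm", " Redirect user to home page (http://site.example)"),
    ("tmm1", " Contains referer_allowed_hosts: 0"),
    ("tmm", " Contains referer_allowed_hosts: 0"),
    ("tmm1", " EndsWith referer_check_filetypes: 1"),
    ("tmm", " EndsWith referer_check_filetypes: 1"),
    ("tmm1", " Referer Host: 'search.example'"),
    ("tmm", " Referer Host: ''"),
    ("tmm", " Path: '/~/media/a.pdf'"),
    ("tmm1", " Path: '/~/media/b.pdf'"),
    ("tmm1", ""),
    ("tmm", ""),
])
```

In the thread's own captures, the PDF request from the login flow falls in the `no-referer` group, while the request arriving from `www.google.com` falls in `foreign-referer`.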