Forum Discussion

vaibhav's avatar
vaibhav
Icon for Cirrostratus rankCirrostratus
May 21, 2011

Referer header is not reaching to the webservers

 

 

 

 

The problem Scenario is, we have to block any external request to a web server unless it’s a 302 redirect request from our App server. While trying to achieve it we referred the Web server log and we understood web server is not receiving “Referer” header and so it’s not logging the “Referer” the VIP for this configured on the load balancer.

 

 

 

As we have only option is to use “Referer” to achieve our requirement.

 

 

 

So is there is any option on the load balancer to have the referer logging enabled on the vip or anywhere .any option by which we can forward the information to web servers.

 

 

 

 

management
monitoring

5 Replies

Sort By
  • vaibhav's avatar
    vaibhav
    Icon for Cirrostratus rankCirrostratus
    May 22, 2011
    hey guys... can any one tell me any solution about my question....
  • Mike_Kahler_488's avatar
    Mike_Kahler_488
    Historic F5 Account
    May 23, 2011
    You may want to look on AskF5 for SOL2167. They have several examples at the bottom of the document using the Referer header. May sure you choose the example based on the O/S version you are currently running.

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    May 23, 2011
    Mike, that solution is for how to configure a monitor. I think vaibhav is concerned about the load balanced traffic.

     

     

    vaibhav, LTM shouldn't modify the referer header or any other HTTP header in requests unless you specifically configure an iRule to do so. Can you use a browser plugin like HttpFox or Fiddler to test this and see if the client is sending a Referer header in requests?

     

     

    Is the redirect being sent from HTTPS to an HTTP URL? If so, most browsers will not send the Referer header as a security precaution. Also, keep in mind it is very simple for a malicious client to insert any HTTP header name/value they want. So the referer header is not a secure method for restricting access. Here are a few ways you could spoof the Referer header:

     

     

    http://tamperdata.mozdev.org/

     

    https://addons.mozilla.org/en-US/firefox/addon/refspoof/

     

    http://referer.us/Spoof-HTTP-Referer.html

     

    http://stackoverflow.com/questions/3104647/how-to-spoof-http-referer

     

     

    If you want to ensure a client has come from one site it would be better to use an encrypted token in the URL (or cookie if the two URLs are on the same domain) which could be verified.

     

     

    Aaron