Forum Discussion

john4665f5
May 14, 2013

Restrict users from browsing directly to VIP.

Hello,


Is it possible to implement an iRule that will restrict access when browsing directly to the virtual server's IP address? For example, when a user browses to http://1.1.1.1 the traffic is dropped; however, browsing to the domain name is acceptable (ie http://mywebsite.com).


4 Replies

  • Hamish
    It's not foolproof, but you can check the host: header. A browser will by default put in there whatever was typed in the URL for the host. So if they type http://1.1.1.1/ the host header will have host: 1.1.1.1


     # Runs on every client request; the Host header is only available in HTTP events
     when HTTP_REQUEST {
       # Anything other than the expected hostname (e.g. a bare IP) is silently dropped
       if { [HTTP::host] ne "mysite.domain.com" } {
         drop
       }
     }


    Or do whatever you like (e.g. redirect somewhere else) 🙂
  • Hamish
    Oh. host: headers aren't mandatory for HTTP/1.0 so this might break some valid clients... (Although I don't know of any browsers that don't insert it).
  • Arie

    You could also check to see if the user used the VIP's IP address as the host and then drop:

     # Runs on every client request; compares the Host header with this VIP's own address
     when HTTP_REQUEST {
       # IP::local_addr is the virtual server address the client connected to
       if { [HTTP::host] equals [IP::local_addr] } {
         drop
       }
     }


    That way you can use the same iRule (snippet) on any VIP without worrying about specific allowed hostnames.

  • Absolutely supportable in iRules, but there is more functionality with redirects moving into policy actions in the GUI (or via tmsh). For Hamish's solution, it would look like this:

    ltm policy http.redirects {
        controls { forwarding }
        requires { http }
        rules {
            require_fqdn {
                actions {
                    0 {
                        forward
                        reset
                    }
                }
                conditions {
                    0 {
                        http-host
                        host
                        not
                        values { my.domain.com }
                    }
                }
                ordinal 1
            }
        }
        strategy all-match
    }

    Yes, more lines, and doesn't look pretty on the CLI, but multiple redirect rules can be added per policy and managed completely in the system versus requiring coding skills for shops that are leery about coding at the network layer.
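The following iRule is an added example, not code from this thread or from F5; it combines Hamish's hostname check and Arie's VIP-address check, and handles the edge cases the replies touch on: an HTTP/1.0 client that sends no Host header, and a Host value that carries an explicit port (which would otherwise slip past both string comparisons). The hostnames in allowed_hosts are placeholders.

```tcl
# Added example (not from the original thread): Host-header check that
# refuses direct-to-IP requests and unexpected hostnames on a VIP.
when HTTP_REQUEST {
    # Placeholder hostnames this virtual server legitimately serves
    # (lower-case, no port); replace with your own
    set allowed_hosts [list "mywebsite.com" "www.mywebsite.com"]

    set host [string tolower [HTTP::host]]

    # HTTP/1.0 clients may legitimately omit Host (Hamish's caveat).
    # Decide explicitly: here they are allowed through but logged.
    if { $host eq "" } {
        if { [HTTP::version] eq "1.0" } {
            log local0. "HTTP/1.0 request without Host from [IP::client_addr] to [IP::local_addr]"
            return
        }
        # HTTP/1.1 requires Host; a missing one is a protocol violation
        HTTP::respond 400 content "Bad Request" "Connection" "close"
        return
    }

    # Strip an explicit port ("mywebsite.com:8080", "[2001:db8::1]:443") so
    # the comparisons below cannot be sidestepped by appending a port.
    if { [string index $host 0] eq "\[" } {
        set host [string range $host 1 [expr {[string first "\]" $host] - 1}]]
    } else {
        set host [lindex [split $host ":"] 0]
    }

    # Direct-to-IP request: Host equals the VIP address (Arie's check).
    # Note: an IPv6 VIP only matches if both strings use the same textual form.
    if { $host eq [IP::local_addr] } {
        log local0. "Dropping direct-IP request from [IP::client_addr] (Host: [HTTP::host])"
        drop
        return
    }

    # Any other name not on the allow list (Hamish's check).
    # reject sends a TCP reset; use drop instead for a silent discard.
    if { [lsearch -exact $allowed_hosts $host] < 0 } {
        log local0. "Rejecting unexpected Host '[HTTP::host]' from [IP::client_addr]"
        reject
        return
    }
}
```

Logging to local0. keeps a record in /var/log/ltm of which clients are hitting the VIP by address, which is useful for spotting scanners before tightening the policy further.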