Forum Discussion

chuffaker_11557
Jan 17, 2014

iRule to verify request to VIP came via a URL, not an IP

Does anyone know if it's possible to write an iRule to ensure a request to a VIP came from a URL, not an IP?

We have an External VIP (DMZ), whose pool member is an Internal VIP (Internal), on separate LTMs. We would like to only allow traffic to the VIP if the request came via a URL, not an IP.

Reason: Port scans would find that 443 is open on our public IP, and F5 could allow access all the way to the inside environment because of this configuration. Ultimately, I'd like to block the access to the VIP unless the request came from https://.domain.com.

Any help or examples of code would be greatly appreciated!

4 Replies

  • On the front VIP, you could add this iRule:

    when HTTP_REQUEST {
      # Reject unless the (lowercased) Host header ends with the expected domain
      if { not ([string tolower [HTTP::host]] ends_with "domain.com") } {
        reject
      }
    }

    This should work as long as anything "domain.com" is acceptable.

  • Yes. Something like this might work. Haven't tested it, but the theory is workable I believe.

    Data group of allowed DNS hosts used to verify web address:

    ltm data-group internal /Common/ALLOWEDDNS {
      records {
        www.mycompany.com { }
        www.mycompany.net { }
        www.mycompany.org { }
      }
      type string
    }

    iRule:

    ltm rule /Common/RULE_NOIPS {
      when HTTP_REQUEST {
        if { [matchclass [HTTP::host] equals $::ALLOWEDDNS] } {
          pool MYWEBPOOL
        } else {
          reject
        }
      }
    }

    • JRahm_128324
      logic is sound, but unless the original requestor is on v9, you should avoid matchclass and instead use the class command.
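An added example (not code from any reply in this thread) that combines the data-group approach of the second reply with the `class` command JRahm recommends; the data group name ALLOWED_HOSTS and the pool MYWEBPOOL are assumed names.

```tcl
# Added example, not from the thread. Assumed objects: a string data group
# /Common/ALLOWED_HOSTS listing the permitted hostnames, and pool MYWEBPOOL.
#
# ltm data-group internal /Common/ALLOWED_HOSTS {
#     records {
#         www.mycompany.com { }
#         www.mycompany.net { }
#     }
#     type string
# }

when HTTP_REQUEST {
    # Normalise the Host header: drop any ":port" suffix and lowercase it,
    # so "WWW.MYCOMPANY.COM:443" still matches the data group entry.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # "class match" replaces the deprecated matchclass/$::datagroup form.
    if { [class match $host equals ALLOWED_HOSTS] } {
        pool MYWEBPOOL
    } else {
        # Requests addressed by raw IP (or with an empty/unknown Host) land here.
        # Host is client-supplied, so this stops scanners that do not set a
        # matching Host header; it is not a substitute for authentication.
        log local0. "Rejected request with Host '[HTTP::host]' from [IP::client_addr]"
        reject
    }
}
```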