Forum Discussion

Mick39_201768
May 12, 2015

Block HTTPS access from specific user agent

Dear community,

 

I want to block HTTPS access from a specific user agent (UA). I found the following topic, https://devcentral.f5.com/questions/block-a-user-agent-with-an-irule, and I would like some ideas for adapting this iRule as follows:

- I want to show "404" for this access and reject access to our web server.
- I sometimes want to allow a specific IP address using the blocked UA. How can I make such an exception?

 

The original one is below.

 

    when HTTP_REQUEST {
        # Log the User-Agent of every request
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        # Case-insensitive exact match on the blocked User-Agent
        if { [string tolower [HTTP::header "User-Agent"]] == "mozilla/4.0" } {
            drop
            log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
        }
    }

 

Thanks in advance for your help, Naoki

 

3 Replies

  • Try this:

    when HTTP_REQUEST {
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        # Block the UA unless the client is the single allowed address
        if { [string tolower [HTTP::header "User-Agent"]] == "mozilla/4.0" && !([IP::addr [IP::client_addr] equals 1.1.1.1]) } {
            drop
            log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
        }
    }
    

    Replace 1.1.1.1 with whatever IP you want to allow. Please note that this rule requires an SSL profile and an HTTP profile on the virtual server.

    If you have multiple IPs it might be worth looking into a data group list.

    Good luck!

    /Patrik

  • Patrik, Thank you for your help. I'll try the rule. Could you tell me one more thing?

     

    Is there any simple way to block both HTTP and HTTPS access? Do I have to write a similar iRule like "HTTP_REQUEST{..."? If I can integrate the two iRules, it would really help me.

     

  • If you're after the same functionality you can use the same rule. Don't mind the HTTP part of "when HTTP_REQUEST". The SSL profile will take care of the "S" in "HTTPS". :)

     

    /Patrik
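
An added example, not part of the original thread: one way to combine the 404 response asked for in the question with the data group list suggested in the first reply. The data group names `ua_blocklist` and `ua_exempt_addrs` are hypothetical and must be created first; the rule assumes an HTTP profile on the virtual server (plus a client SSL profile for HTTPS).

```tcl
# Added example, not code from the thread.
# Assumed (hypothetical) data groups:
#   ua_blocklist    - string data group, one lowercase User-Agent value per record
#   ua_exempt_addrs - address data group of client IPs/subnets allowed to use a blocked UA
when HTTP_REQUEST {
    # Normalise once; a missing header yields an empty string
    set ua [string tolower [HTTP::header value "User-Agent"]]

    # Exact, case-insensitive match against the blocked User-Agent list
    if { [class match $ua equals ua_blocklist] } {

        # Exception: exempt clients keep access even with a blocked UA
        if { [class match [IP::client_addr] equals ua_exempt_addrs] } {
            return
        }

        log local0. "Rejected request: [IP::client_addr] User-Agent:$ua requested [HTTP::host][HTTP::uri]"

        # Answer with a 404 instead of dropping, and close the connection
        HTTP::respond 404 content "Not Found" "Content-Type" "text/plain" "Connection" "close"
        return
    }
}
```

The same rule can be attached to both the port 80 and port 443 virtual servers. Because the User-Agent header is supplied by the client, treat this as request filtering rather than access control.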