benoit_9199
Jan 16, 2018 Nimbostratus
Blacklisting HTTP Traffic iRule "leaks" some matching requests to the backend servers
Hi,
Suddenly having the need to add some per-referer filtering capabilities to our setup, I created the following iRule, based on our IP blacklist iRules:

    when HTTP_REQUEST {
        # Check if referer is in blacklist Datagroup
        if { [class match [HTTP::header "Referer"] contains _phx_referer_blacklist] }{
            pool _pool_empty
            persist none
            event disable all
            HTTP::respond 403 content "Unauthorized Access" "Content-Type" "text/html" "Connection" "close"
            TCP::close
            # Uncomment the line below to turn on logging.
            log local0. "Blacklisted Referer [HTTP::header "Referer"] for client IP: [IP::client_addr] '[HTTP::method] [HTTP::host][HTTP::uri]' - discarding"
        }
    }

The iRule correctly matches and discards 90% of the requests, like this:
Jan 16 16:35:18 lb1 info tmm[19473]: Rule /Common/_rule_phx_http_referer_blacklist : Blacklisted Referer http://www.a2r-media.com/boost/afficheframe.php for client IP: 158.169.xx.yy 'GET ' - discarding
However, some requests do find a way to the backend servers.
130.79.yy.xx - - [16/Jan/2018:16:46:48 +0100] "GET / HTTP/1.1" 200 36229 "; "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0"
I am a bit puzzled, how could this be possible ...
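
To see which requests got past the iRule, the backend access log can be checked against the same blacklist strings. The script below is an added example, not part of the original post; the blacklist entry, addresses and log lines are constructed placeholders, and `leaked_requests` is a hypothetical helper name.

```python
import re

# Combined access-log format, as in the backend line quoted in the post.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample data: the blacklist entry and the log lines are
# placeholders, not values from the post's data group or servers.
SAMPLE_BLACKLIST = ["blocked.example"]
SAMPLE_BACKEND_LOG = [
    '192.0.2.10 - - [16/Jan/2018:16:46:48 +0100] "GET / HTTP/1.1" 200 36229 "http://blocked.example/frame.php" "Mozilla/5.0"',
    '192.0.2.11 - - [16/Jan/2018:16:47:02 +0100] "GET / HTTP/1.1" 200 36229 "http://Blocked.Example/frame.php" "Mozilla/5.0"',
    '192.0.2.12 - - [16/Jan/2018:16:47:05 +0100] "GET /news HTTP/1.1" 200 1200 "http://other.example/" "Mozilla/5.0"',
    'truncated or non-matching line',
]


def leaked_requests(lines, blacklist):
    """Return backend hits whose Referer contains a blacklisted string.

    'exact' is True when an entry matches with the same letter case;
    False means it only matches after lower-casing both sides.
    """
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not a combined-format line
        referer = m["referer"]
        folded = [b for b in blacklist if b.lower() in referer.lower()]
        if not folded:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "request": m["request"],
            "status": int(m["status"]),
            "referer": referer,
            "exact": any(b in referer for b in blacklist),
        })
    return hits


if __name__ == "__main__":
    for hit in leaked_requests(SAMPLE_BACKEND_LOG, SAMPLE_BLACKLIST):
        print(hit)
```

Comparing the client IPs and timestamps of the hits with the tmm log shows whether each leaked request was ever logged by the iRule.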