Forum Discussion

gh0std0g_79292's avatar
gh0std0g_79292
Icon for Nimbostratus rankNimbostratus
Feb 22, 2012

iRule to hide internal URL from users

the thing i'm trying to accomplish is that once an external user gets to their /pages/morepages/sales.aspx page, they cannot go up to a higher level in the domain... I'm not sure what the best way to do this is... I have the ASM module so I'm guessing I'll need some form of filter. I also wouldn't mind hiding the URI from the user, so all they see is external.domain.com wherever they go... anyway, i'm sure this is a topic for another forum..

so first and foremost, i'm having trouble getting the 1st piece taken care of... with an iRule to get the redirect and/or rewrite to take place... i'm a noob and this is my 1st post. i'm on v11, APM & ASM and am going to a training class next week, just trying to get some tasks accomplished prior...

 

 

i'm guessing i'll need a redirect or host replacement for incoming traffic, and then some kind of rewrite on the response to the client because internal.domain.com is not in public dns? I'm hoping the rewrite will take care of relative URLs?...

 

 

 

thanks...

 

 

 

 

  • Hi,

     

     

    Are you trying to restrict access for security reasons or to mask the internal hostname? If the latter, you can use the ProxyPass iRule to present an external hostname (and/or URI) and use an internal hostname (and/or URI) for the pool.

     

     

    http://devcentral.f5.com/wiki/iRules.proxypassv10.ashx

     

     

    Aaron
  • Yes, we have to restrict access for security reasons... So external users should only be able to get to URIs below their 'sales' page:

     

    /pages/morepages/sales.aspx

     

     

    But i would prefer not to publish the internal hostname and/or URI to the public.

     

  • Sorry I missed your reply here. It's not really feasible (read: effective and efficient) to use iRules to do directory restrictions for IIS, due to the number of ways that IIS accepts URIs. See this post for examples of why:

     

     

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/30900/showtab/groupforums/Default.aspx31324

     

     

    The ProxyPass iRule will allow you to proxy requests to an internal URL and path, but won't restrict who can request which URIs.

     

     

    Aaron
  • And I forgot to mention, ASM is an effective way to enforce path restrictions. ASM is able to normalize the different encoding methods a malicious user could try to bypass restrictions with. It should be fairly straightforward to do this within ASM. Note that if you use ProxyPass on an ASM virtual server, the hostnames and/or URIs ASM gets will have already been rewritten by ProxyPass.

     

     

    Aaron