Using F5 BIG-IP iRules to Restrict Access via Specific Domain
Let's use iRules to make sure our endusers are browsing to our services using the proper FQDN(s)/domain(s).
This title isn't great... Let me explain.
Problem
When hosting services externally, it is always important for them to be as secure as possible. With our DMZ services, we have A records in our DNS for them which, of course, end with our domain. Unfortunately, our ISP also adds A records into their DNS for our external IPs. If someone were to browse to one of these FQDNs presented by our ISP, they would reach the service and be prompted with an SSL certificate validation error (since the FQDN does not match the FQDN that the SSL certificate was generated for).
Due to this, we want to write an iRule that will prevent users from accessing our services when not browsing to the proper FQDN.
Solution
The following iRule solved it for us. It is a simple solution but, you can adapt it to your needs. Do not forget to apply the iRule to your virtual servers afterward (Virtual Servers > Resources > iRules).
when HTTP_REQUEST {
if { !([HTTP::host] contains ".example.com") } {
reject
}
}
After applying, test it out. For this example, the following should occur:
- Browsing to taco.example.com should work
- Browsing to subnet.isp.com should not work