Using F5 BIG-IP iRules to Restrict Access via Specific Domain

Let's use iRules to make sure our end users are browsing to our services using the proper FQDN(s)/domain(s).

This title isn't great...  Let me explain.

Problem

When hosting services externally, it is always important for them to be as secure as possible. With our DMZ services, we have A records in our DNS for them which, of course, end with our domain. Unfortunately, our ISP also adds A records into their DNS for our external IPs. If someone were to browse to one of these FQDNs presented by our ISP, they would reach the service and be prompted with an SSL certificate validation error (since the FQDN does not match the FQDN that the SSL certificate was generated for).

Due to this, we want to write an iRule that will prevent users from accessing our services when not browsing to the proper FQDN.

Solution

The following iRule solved it for us. It is a simple solution, but you can adapt it to your needs. Do not forget to apply the iRule to your virtual servers afterward (Virtual Servers > Resources > iRules).


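when HTTP_REQUEST {
    # Lowercase the Host header and drop any ":port" suffix before matching
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    # ends_with anchors the match to the end of the name; "contains" would
    # also accept a host such as taco.example.com.isp.com
    if { !($host ends_with ".example.com") } {
        reject
    }
}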

After applying, test it out. For this example, the following should occur:

  • Browsing to taco.example.com should work
  • Browsing to subnet.isp.com should not work
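If you publish services under more than one domain, the same check can read its allowed suffixes from a data group and log what it rejects. This is an added example, not part of the original post; the data group name `allowed_host_suffixes` is hypothetical and is assumed to be a string data group with entries such as `.example.com`.

```tcl
# Added example. Assumes a string data group named allowed_host_suffixes
# (hypothetical name) whose entries are domain suffixes, e.g. ".example.com".
when HTTP_REQUEST {
    # The Host header is client-supplied: lowercase it, drop any ":port",
    # and strip a trailing dot so "taco.example.com." is treated the same
    # as "taco.example.com".
    set host [string trimright [string tolower [getfield [HTTP::host] ":" 1]] "."]

    # class match with ends_with compares the end of the host name against
    # every entry in the data group. An empty Host header matches nothing
    # and is rejected as well.
    if { ![class match $host ends_with allowed_host_suffixes] } {
        # Record what was refused so unexpected names show up in the LTM log
        log local0. "Host allow-list reject: host='[HTTP::host]' client=[IP::client_addr] vs=[virtual name]"
        reject
        return
    }
}
```

Adding or removing a domain then only means editing the data group, not the iRule.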

Tyler Wright