Forum Discussion

Xaveri's avatar
Xaveri
Icon for Nimbostratus rankNimbostratus
Dec 08, 2021

iRule Redirect with URL Masking

Hello,

 

Can someone please tell me if it is possible to achieve the scenario I am trying to accomplish using iRule?

 

We are currently using a SaaS-based application which has a weird URL and it is not easy to remember (e.g. https://214124124.sdsddasd.com:10020). What I am looking to achieve is that when a user enters the URL https://mytestsite, it should be able to redirect to the SaaS-based application without changing the URL in the address bar. It should stay mytestsite.

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    The short answer is no... That's a big security hole if it was possible

     

    H

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    Of course if you have control over the clients browser you could disable the security and return a page with an iframe that loads the remote site... but that's not a good idea.

  • Xaveri's avatar
    Xaveri
    Icon for Nimbostratus rankNimbostratus

    Hi Hamish. Can you explain how is that a security hole?

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    The URL bar is the mechanism by which the user checks to make sure they're accessing the page they thought they were accessing. It should show you the actual pageURL, the certificate in use, whether that's the right cert (trusted) or not etc.

     

    Mess with it at your peril.

     

    Checkout these fun attacks

     

    https://owasp.org/www-community/attacks/Cross_Frame_Scripting

    https://owasp.org/www-community/attacks/Clickjacking

    https://owasp.org/www-community/attacks/csrf

    https://owasp.org/www-community/attacks/xss/

     

    Anything you do to disable the security to allow you to do what you want... Is going to leave you (More) vulnerable to these and other attacks.

     

    Here's why even commercial sites that make their money from redirecting don't support URL masking

     

    https://www.easyredir.com/blog/why-you-should-not-use-url-masking-forwarding-cloaking/

     

    Because it's just not safe...

     

  • Do you own https://mytestsite?

     

    Then, yes, you can do it, but not via a "redirect", it's done via foward proxy. Essentially https://mytestsite is your vip and https://214124124.sdsddasd.com:10020 is your pool.

     

    If you application requires hostheader to be 214124124.sdsddasd.com and not mytestsite to work, then you will need to also modify the host header on the wire. This function may not be needed, it depends on your app, it is a function popularly known as "ProxyPass". You can Google "ProxyPass irule" or alternatively do it with LTM Profiles, if such functionality is required.