@ruo91
Last active October 3, 2024 01:32
F5 BIG-IP - Blocking User-Agent

1. iRules

when HTTP_REQUEST {
    # Extract the User-Agent header value from the HTTP request
    set user_agent [HTTP::header "User-Agent"]

    # Check the User-Agent against the Data Group
    if { [class match $user_agent contains blocked-user-agents] } {
        # If a blocked User-Agent is found, return a 403 error page
        HTTP::respond 403 content {
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>403 Forbidden</title>
    <style>
        body {
            background-color: #f9f9f9;
            font-family: Arial, sans-serif;
            text-align: center;
            padding: 50px;
        }
        h1 {
            font-size: 100px;
            margin: 0;
            color: #333;
        }
        p {
            font-size: 24px;
            color: #666;
        }
    </style>
</head>
<body>
    <h1>403</h1>
    <p>Forbidden</p>
    <p>Access to this resource on the server is denied!</p>
</body>
</html>
        }
    }
}

2. Data Group

Name: blocked-user-agents

[Image: F5 BIG-IP - LTM iRules data group]

3. Expected behavior

Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: =============================================
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Client xxx.xxx.xxx.xxx:44508 -> www.yongbok.net/favicon.ico (request)
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Host: www.yongbok.net
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Connection: keep-alive
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: sec-ch-ua-platform: "Windows"
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: User-Agent: Custom-AsyncHttpClient
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: sec-ch-ua-mobile: ?0
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Sec-Fetch-Site: same-origin
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Sec-Fetch-Mode: no-cors
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Sec-Fetch-Dest: image
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Referer: https://www.yongbok.net/blog/
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Accept-Encoding: gzip, deflate, br, zstd
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Accept-Language: ko,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: Cookie: TS017698a5028=014c848aa54223841b783482c0a41d5dae680612ddfb38a65b9144207c15047a1031498e7f53ee729f00880e757f25a19ed1a76890; TS017698a5=01588602e573c0360e82829ac0764833f3bc1d83de5b5747126b933329a4e1647851aed6ef7af8e30f7340add31a08480e83af4983
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: X-Forwarded-For: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: =============================================
Oct  1 21:21:57 f5.yongbok.net info tmm1[20498]: Rule /Common/request-csrf-ssrf-cors-deny <HTTP_REQUEST>: X-Forwarded-For has 2 entries: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx

[Image: F5 BIG-IP - Blocking User-Agent]
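
An added example (not part of the original gist): a Python dry-run that replays `User-Agent` values from tmm logs in the format shown above against a candidate block list, emulating the case-sensitive substring test of `class match ... contains`. The log lines, hosts, addresses and data group records are constructed for illustration; the `normalize` option models lowercasing the header before matching, which the iRule above does not do.

```python
import re

# Constructed sample in the tmm log format shown above (documentation IPs and hosts).
P = "Oct  1 21:21:57 f5.example.net info tmm1[20498]: Rule /Common/X-Forwarded-For <HTTP_REQUEST>: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "Client 203.0.113.10:44508 -> www.example.net/favicon.ico (request)",
    "Host: www.example.net",
    "User-Agent: Custom-AsyncHttpClient",
    "Client 203.0.113.11:51000 -> www.example.net/blog/ (request)",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0.0.0 Safari/537.36",
    "Client 203.0.113.12:51001 -> www.example.net/ (request)",
    "User-Agent: curl/8.5.0",
    "Client 203.0.113.13:51002 -> www.example.net/ (request)",  # no User-Agent header sent
])
# Assumed data group contents (the page does not list them), stored lowercase.
RECORDS = ["asynchttpclient", "curl"]

LINE = re.compile(r"tmm\d*\[\d+\]: Rule \S+ <HTTP_REQUEST>: (.*)$")
CLIENT = re.compile(r"Client (\S+) -> (\S+) \(request\)")

def parse_requests(log_text):
    """Group logged header lines into one dict per request."""
    requests = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        body = m.group(1)
        c = CLIENT.match(body)
        if c:  # a "Client ... (request)" line starts a new request record
            requests.append({"client": c.group(1), "url": c.group(2), "user_agent": ""})
        elif body.startswith("User-Agent: ") and requests:
            requests[-1]["user_agent"] = body[len("User-Agent: "):]
    return requests

def class_match_contains(value, records):
    """Emulate `class match $value contains <group>`: case-sensitive substring test."""
    return next((r for r in records if r and r in value), None)

def dry_run(log_text, records, normalize):
    """Return (client, url, matched record) for each request the rule would block."""
    hits = []
    for req in parse_requests(log_text):
        ua = req["user_agent"].lower() if normalize else req["user_agent"]
        rec = class_match_contains(ua, records)
        if rec is not None:
            hits.append((req["client"], req["url"], rec))
    return hits
```

With lowercase records, the case-sensitive pass flags only the `curl` request, while lowercasing the header first also flags `Custom-AsyncHttpClient`. The request that sends no `User-Agent` header matches nothing in either mode.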
