For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Joel_41531's avatar
Joel_41531
Icon for Nimbostratus rankNimbostratus
May 27, 2009

Blocking insecure log-in page

We terminate https on the F5, and pass traffic to the web apps on port 80. Consequently, I have an interesting problem. I have a log-in page (/store/user/login.jhtml) that should only be accessed via ...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 28, 2010
Hi Tacobell,

You can insert a custom HTTP header on the HTTPS VS with a custom HTTP profile that has the header to remove set to X-HTTPS and the header to insert set to 'X-HTTPS: 1'. On the HTTP VS, you could do the same with the header to insert's value set to 0. 


 HTTP profile for the HTTP virtual server
profile http http_profile_https_0 {
   defaults from http
   header insert "X-HTTPS: 0"
   header erase "X-HTTPS"
}
 HTTP profile for the HTTPS virtual server
profile http http_profile_https_1 {
   defaults from http
   header insert "X-HTTPS: 1"
   header erase "X-HTTPS"
}

Aaron