Forum Discussion
CPHA_97141
Nimbostratus
Aug 29, 2008
Generic iRule for URL scrubbing
Hi,
I am new to iRules and wanted to see if anyone out there has a generic iRule to scrub the contents after a URL. I looked up the forums and found credit card / SSN scrubbing but not a generic one....
ex:
From:
https://www.google.com/blahblah.asp?blah=343&blahblah
In other words, anything after the main domain gets scrubbed, with no restriction on the number of characters
To:
https://www.google.com/SDSDSAAAA*)@DSADSSDSZZZZZDWEXZW (some junk characters)
Appreciate anyone's response and guidance...
Thanks,
VK
4 Replies
- Patrick_Chang_7
Historic F5 Account
We generally recommend using the built-in functionality of our Firepass product to do this.
- CPHA_97141
Nimbostratus
Sure...but is there any possibility to do this with the 6400 series we have with an iRule? Are there any performance issues by implementing it with an iRule on a 6400?
- hoolio
Cirrostratus
You can do this with an iRule. The performance is something you'll need to test as it depends on a lot of factors such as existing load on the 6400, throughput on the VIP, app response sizes, etc.
You can use a stream profile and iRule to perform replacements in the response body. You can check the STREAM::expression wiki page (Click here) for some examples. If you find that you can't determine exactly what strings you want to replace with just a regex, you could use the STREAM_MATCHED event to add additional logic. The last post in this thread has an example I tested (Click here).
Aaron
- Patrick_Chang_7
Historic F5 Account
It turns out that when a browser issues a request, the URL displayed will be the URL requested (unless it has been redirected). In order to do what the customer wants, we would need an iRule that would redirect the first request to an encrypted URL. It would then have to decrypt the URL and ask for the real URL on the back end. It would have to find all links (including absolute and relative links) and replace them with encrypted links in the response. It would then have to know to unencrypt all requests (after the first one) to the back end. We would have to have a fixed starting point to enter the app. Entering from any other starting point would break the app. In addition, the TMM hit would be considerable with any type of load.
The iRule would look something like this:
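when HTTP_REQUEST {
    # Fixed key so the rule keeps working across failover or reboot.
    # AES::encrypt and AES::decrypt expect the key in the format AES::key produces.
    set key "AES 128 ccb69100758cef9b2bb18d7b1df7118b"
    if { [HTTP::uri] equals "/" } {
        # Ciphertext is binary, so base64-encode it before placing it in the Location header
        HTTP::redirect "https://[HTTP::host]/[b64encode [AES::encrypt $key [HTTP::uri]]]"
    } else {
        # Strip the leading "/", then decode and decrypt to recover the real URI
        HTTP::uri [AES::decrypt $key [b64decode [string range [HTTP::uri] 1 end]]]
    }
}
when HTTP_RESPONSE {
    set key "AES 128 ccb69100758cef9b2bb18d7b1df7118b"
    # Need some logic here to scan the HTTP::payload and replace any URI links
    # with AES::encrypt versions of those links.
    # We might be able to do a regex pattern match for href=" until the next ",
    # then loop through the matches doing a regsub for the pattern with the AES::encrypt'ed pattern,
    # get the length of the new payload,
    # then do an HTTP::payload replace 0 $length $newpayload
}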
Note that the encryption key must be fixed so that the rule will still work during a failover or reboot.
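
The response-side link rewriting that the last reply leaves as pseudocode, written out as an added example; it is not part of the original thread and not F5's code. Assumptions: only HTML responses with a Content-Length of at most 1 MB are buffered, only root-relative `href="/..."` links are rewritten, each link is emitted as "/" followed by the base64 of the ciphertext, the key uses the `AES::key` string format, and the request side base64-decodes the path before calling `AES::decrypt`.

```tcl
when HTTP_REQUEST {
    # Ask the server for an uncompressed body so the links are visible to the rule
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    # Buffer only HTML bodies of known, bounded size (the 1 MB cap is an assumption)
    if { [HTTP::header "Content-Type"] starts_with "text/html" &&
         [HTTP::header exists "Content-Length"] &&
         [HTTP::header "Content-Length"] > 0 &&
         [HTTP::header "Content-Length"] <= 1048576 } {
        HTTP::collect [HTTP::header "Content-Length"]
    }
}
when HTTP_RESPONSE_DATA {
    # Same fixed key as the request side, so links survive failover or reboot
    set key "AES 128 ccb69100758cef9b2bb18d7b1df7118b"
    set body [HTTP::payload]
    set out ""
    set pos 0
    # -indices returns two index pairs per match: the whole href="..." and the URI.
    # The pattern skips protocol-relative links such as href="//other.host/x".
    foreach {whole uri} [regexp -all -inline -indices {href="(/(?:[^/"][^"]*)?)"} $body] {
        set start [lindex $uri 0]
        set end [lindex $uri 1]
        # Copy everything up to the URI unchanged
        append out [string range $body $pos [expr {$start - 1}]]
        # Replace the URI with "/" + base64(AES ciphertext of the original URI)
        append out "/" [b64encode [AES::encrypt $key [string range $body $start $end]]]
        set pos [expr {$end + 1}]
    }
    # Copy the remainder of the body after the last match
    append out [string range $body $pos end]
    HTTP::payload replace 0 [HTTP::payload length] $out
    HTTP::release
}
```

Links that this pattern does not cover (absolute URLs, form actions, links built in JavaScript) reach the browser in clear text, which is the breakage the reply warns about.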