Help with Migrating Netscaler Rewrite Policy to F5 LTM

For expediency, this seems like a good task for gen AI.

Me:

As an expert and helpful Netscaler administrator, you've been tasked with figuring out how the old administrator configured an app. This rewrite rule is in place:

```
rewrite policy Delete_Body-policy "http.RES.FULL_HEADER.CONTAINS(\"HTTP/1.1 404\")" Delete_Body_action  
add rewrite action Delete_Body_action delete "http.res.body(40000)"
```

The application security team needs to understand what this rewrite rule is doing. Please analyze the rewrite rule and explain what the HTTP response would look like on the wire before and after the rule has executed.

 

------------------

GPT-4o:

Sure, I'd be happy to help analyze this rewrite rule and explain its impact on the HTTP response.

### What the Rewrite Rule Does

The rewrite rule consists of a policy and an action, which are designed to interact with HTTP responses in specific ways.

1. **Policy:**
    - **Policy Name:** `Delete_Body-policy`
    - **Condition:** `http.RES.FULL_HEADER.CONTAINS("HTTP/1.1 404")`
      
    This condition checks if the HTTP response header contains the string "HTTP/1.1 404". This string indicates a 404 Not Found response from the server.

2. **Action:**
    - **Action Name:** `Delete_Body_action`
    - **Type of Action:** `delete`
    - **Target:** `"http.res.body(40000)"`

    The action is to delete up to 40,000 bytes of the response body. This essentially removes the body of the HTTP response if the condition specified in the policy is met.

### HTTP Response Before the Rule Execution

Before this rewrite rule executes, an HTTP 404 response might look like this:

```
HTTP/1.1 404 Not Found
Date: Tue, 10 Oct 2023 14:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Content-Length: 345

<!doctype html>
<html>
<head>
    <title>404 Not Found</title>
</head>
<body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
</body>
</html>
```

### HTTP Response After the Rule Execution

After the rewrite rule executes, the body of the HTTP 404 response will be deleted. The response might look like this:

```
HTTP/1.1 404 Not Found
Date: Tue, 10 Oct 2023 14:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Content-Length: 0

```

### Explanation

- The `rewrite policy Delete_Body-policy` checks if the HTTP response is a 404 Not Found response.
- If the condition is true, the `rewrite action Delete_Body_action` is triggered, which deletes up to 40,000 bytes of the response body.
- As a result, the response body is removed, and the `Content-Length` header is updated to 0, indicating that there is no body content.

### Impact

This rewrite rule can be useful for enhancing security or reducing bandwidth by ensuring that no information is leaked in the body of 404 responses. It ensures that when a resource is not found, only the status and headers are sent back to the client, without any additional details that might be included in the response body.

I hope this helps clarify what the rewrite rule is doing! If you have any more questions or need further assistance, feel free to ask.

 

---------------------

So, how can we do this on BIG-IP?

BIG-IP has a streaming-oriented architecture, and we don't as easily have access to the HTTP body because it doesn't buffer, as it seems like Netscaler might. It's usually more performant to avoid dealing with the body altogether.

 

Here's a code sample that covers this "404 masking" use case:

File Not Found Handler | DevCentral

 

The difference between the Netscaler and the BIG-IP is that the BIG-IP will completely hide the server response and replace it with its own. The Netscaler would keep the original server response headers. There may be some reason to preserve the headers in your application, but that's probably unlikely.

If you need to preserve all the original headers and ONLY delete the body, this can also be accomplished, but the performance will be worse and the iRule will be more complicated.