Hiding the cookie name and encrypting the Xserver value
I am trying to:
1) Encrypt the Xserver cookie value, as it's showing the BIG-IP IP address.
2) Also hide the cookie names.
The below iRules are on the VIP in the below order:
1st -- xserver_header_insert_2
2nd -- Xframe
The final iRule which was attached was "cookie-encryption-final", along with the above two iRules. But we could still see the IP address in the Xserver cookie value, and the name of the backend server in the cookie name.
I have already tried changing the rule order, but still no luck:
===========irule==xserver_header_insert_2=====================
when HTTP_REQUEST {
    if { ([string length [HTTP::uri]] <= 1) } {
        HTTP::redirect "http://ekanath.das.home.com/psp/pstune/?cmd=login"
    } elseif { ([HTTP::cookie exists "Xserver"]) } {
        set cookie_exist 0
    } else {
        set cookie_exist 1
    }
}
when HTTP_RESPONSE {
    if { $cookie_exist } {
        # Insert session based cookie with the load balanced server IP and port
        HTTP::cookie insert name "Xserver" value "[LB::server addr]:[LB::server port]"
        log local0. "XServer [LB::server addr]:[LB::server port]"
    }
}
========i rule ===========xframe=================================
when HTTP_RESPONSE {
    # X-Frame-Options takes a single value: replace the placeholder with DENY or SAMEORIGIN
    HTTP::header insert "X-FRAME-OPTIONS" "(DENY || SAMEORIGIN)"
}
=======i rule =========cookie-encryption-final===========================
when CLIENT_ACCEPTED {
    # Cookies whose values are encrypted on the way out and decrypted on the way in
    set cookiename1 "PORTAL-PSJSESSIONID"
    set cookiename2 "PORTLET-PSJSESSIONID"
    set cookiename3 "BIGipServercits_tuning_web-80"
    set cookiename4 "Xserver"
    set cookiename5 "webserver01-8001-PORTAL-PSJSESSIONID"
    set encryption_passphrase "ekanath"
    set cookie_encryption_debug 1
}
when HTTP_RESPONSE {
    if { [HTTP::cookie exists $cookiename1] } {
        HTTP::cookie encrypt $cookiename1 $encryption_passphrase
    }
    if { [HTTP::cookie exists $cookiename2] } {
        HTTP::cookie encrypt $cookiename2 $encryption_passphrase
    }
    if { [HTTP::cookie exists $cookiename3] } {
        HTTP::cookie encrypt $cookiename3 $encryption_passphrase
    }
    if { $cookie_exist } {
        # Insert session based cookie with the load balanced server IP and port
        HTTP::cookie insert name "Xserver" value "[LB::server addr]:[LB::server port]"
        log local0. "XServer [LB::server addr]:[LB::server port]"
    }
    if { [HTTP::cookie exists $cookiename4] } {
        HTTP::cookie encrypt $cookiename4 $encryption_passphrase
        if { $cookie_encryption_debug } {
            log local0. "Original error cookie value: [HTTP::cookie value $cookiename4]"
        }
    }
    if { [HTTP::cookie exists $cookiename5] } {
        HTTP::cookie encrypt $cookiename5 $encryption_passphrase
    }
}
when HTTP_REQUEST {
    if { [HTTP::cookie exists $cookiename1] } {
        set decrypted [HTTP::cookie decrypt $cookiename1 $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename1
        }
    }
    if { [HTTP::cookie exists $cookiename2] } {
        set decrypted [HTTP::cookie decrypt $cookiename2 $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename2
        }
    }
    if { [HTTP::cookie exists $cookiename3] } {
        set decrypted [HTTP::cookie decrypt $cookiename3 $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename3
        }
    }
    if { [HTTP::cookie exists $cookiename4] } {
        set decrypted [HTTP::cookie decrypt $cookiename4 $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename4
        }
    }
    if { [HTTP::cookie exists $cookiename5] } {
        set decrypted [HTTP::cookie decrypt $cookiename5 $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename5
        }
    }
    # Redirect bare "/" requests to the login page; otherwise note whether Xserver must be set
    if { ([string length [HTTP::uri]] <= 1) } {
        HTTP::redirect "http://ekanath.das.home.com/psp/pstune/?cmd=login"
    } elseif { ([HTTP::cookie exists "Xserver"]) } {
        set cookie_exist 0
    } else {
        set cookie_exist 1
    }
}
-------
Thanks,
Ekanath
- ekanathdas_2662 (Nimbostratus): Could encrypt the values using the iRules "cookie-encryption-final" and "xframe", and removed the iRule "xserver_header_insert_2".
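A way to verify the result from the client side, as an added example that is not part of the original thread: this Python check audits Set-Cookie values for the two leaks described above, an IP address in a cookie value and a backend or pool name in a cookie name. The `HTTP::cookie encrypt` calls in the post act on cookie values, so names are checked separately. The sample headers, the address and the ciphertext strings are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Name shaped like <host>-<port>-..., e.g. the post's webserver01-8001-PORTAL-PSJSESSIONID
HOST_PORT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*-\d{2,5}-")

# Constructed Set-Cookie values for illustration; address and ciphertexts are made up.
BEFORE = [
    "Xserver=10.1.20.11:8001; path=/",
    "webserver01-8001-PORTAL-PSJSESSIONID=abc123; path=/",
    "PORTAL-PSJSESSIONID=def456; path=/",
]
AFTER = [
    "Xserver=kX3vQ9mZ1tR7bYc2LwE8uA==; path=/",
    "webserver01-8001-PORTAL-PSJSESSIONID=Qm8rT1pLx0aVd93hNfYw5g==; path=/",
    "BIGipServercits_tuning_web-80=Jt4sWc7eHy2uPz6nRb1kMq==; path=/",
]


def parse_set_cookie(header):
    """Return (name, value) from one Set-Cookie header value, ignoring attributes."""
    name, _, value = header.split(";", 1)[0].partition("=")
    return name.strip(), value.strip().strip('"')


def has_ipv4(text):
    """True if text contains a syntactically valid dotted-quad IPv4 address."""
    for match in IPV4.finditer(text):
        try:
            ipaddress.IPv4Address(match.group(0))
            return True
        except ValueError:
            continue
    return False


def audit(headers):
    """Map cookie name -> list of leak findings; clean cookies are omitted."""
    report = {}
    for header in headers:
        name, value = parse_set_cookie(header)
        found = []
        if has_ipv4(value):
            found.append("ip-in-value")
        if name.startswith("BIGipServer"):
            found.append("pool-name-in-name")
        elif HOST_PORT_NAME.match(name):
            found.append("backend-host-in-name")
        if found:
            report[name] = found
    return report
```

On the constructed samples, `audit(BEFORE)` flags the plaintext Xserver value, while `audit(AFTER)` no longer reports a value leak but still flags the two cookie names, which is the part encryption does not address.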