Forum Discussion

ekanathdas_2662
Nimbostratus
May 10, 2012

Hiding the cookie name and encrypting the Xserver value

Hi team,

I am trying to:

1) Encrypt the Xserver cookie value, as it is showing the BIG-IP IP address.

2) Also hide the cookie names.

The below iRules are on the VIP in the below order:

1st -- xserver_header_insert_2

2nd -- Xframe

The final iRule which was attached was "cookie-encryption-final", along with the above two iRules. But still we could see the IP address in the Xserver cookie value, and the name of the backend server in the cookie name.

Have already tried changing the rule order, but still no luck:

 

 

 

===========irule==xserver_header_insert_2=====================

when HTTP_REQUEST {
    # Default to "do not insert" so HTTP_RESPONSE never reads an unset variable
    # (for example when the redirect branch below is taken)
    set cookie_exist 0
    if { [string length [HTTP::uri]] <= 1 } {
        HTTP::redirect "http://ekanath.das.home.com/psp/pstune/?cmd=login"
    } elseif { [HTTP::cookie exists "Xserver"] } {
        set cookie_exist 0
    } else {
        set cookie_exist 1
    }
}

when HTTP_RESPONSE {
    if { $cookie_exist } {
        # Insert session based cookie with the load balanced server IP and port.
        # NOTE: the value is the pool member's clear-text IP:port; nothing in this
        # rule encrypts it, so it reaches the client as-is unless another rule
        # encrypts the same cookie later in HTTP_RESPONSE.
        HTTP::cookie insert name "Xserver" value "[LB::server addr]:[LB::server port]"
        log local0. "XServer [LB::server addr]:[LB::server port]"
    }
}

 

========i rule ===========xframe=================================

when HTTP_RESPONSE {
    # Use exactly one value: DENY forbids all framing, SAMEORIGIN only allows
    # framing by pages from the same origin
    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
}

 

 

 

=======i rule =========cookie-encryption-final===========================

when CLIENT_ACCEPTED {
    # Cookies whose values must not reach the client in clear text.
    # Note that encryption only protects the VALUE: cookiename3 and cookiename5
    # still reveal the pool and backend server through the cookie NAME itself.
    set cookiename1 "PORTAL-PSJSESSIONID"
    set cookiename2 "PORTLET-PSJSESSIONID"
    set cookiename3 "BIGipServercits_tuning_web-80"
    set cookiename4 "Xserver"
    set cookiename5 "webserver01-8001-PORTAL-PSJSESSIONID"
    set cookie_names [list $cookiename1 $cookiename2 $cookiename3 $cookiename4 $cookiename5]

    # Key for HTTP::cookie encrypt / decrypt. Use a long random secret rather than
    # a word: anyone who guesses it can read and forge every cookie listed above.
    set encryption_passphrase "ekanath"
    set cookie_encryption_debug 1

    # Default so HTTP_RESPONSE never reads an unset variable
    set cookie_exist 0
}

when HTTP_RESPONSE {
    if { $cookie_exist } {
        # Insert session based cookie with the load balanced server IP and port.
        # It is encrypted in the loop below, before the response leaves the BIG-IP.
        # Do not also attach xserver_header_insert_2 to this virtual: it inserts its
        # own clear-text Xserver cookie, and the poster reports the value was only
        # encrypted once that rule was removed.
        HTTP::cookie insert name $cookiename4 value "[LB::server addr]:[LB::server port]"
        log local0. "XServer [LB::server addr]:[LB::server port]"
    }

    foreach name $cookie_names {
        if { [HTTP::cookie exists $name] } {
            HTTP::cookie encrypt $name $encryption_passphrase
            if { $cookie_encryption_debug } {
                # The value logged here is the already-encrypted one
                log local0. "Encrypted $name value: [HTTP::cookie value $name]"
            }
        }
    }
}

when HTTP_REQUEST {
    foreach name $cookie_names {
        if { [HTTP::cookie exists $name] } {
            set decrypted [HTTP::cookie decrypt $name $encryption_passphrase]
            if { $decrypted eq "" } {
                # Cookie wasn't encrypted (or was tampered with): delete it so the
                # backend never sees a client-supplied clear-text value
                HTTP::cookie remove $name
            }
        }
    }

    if { [string length [HTTP::uri]] <= 1 } {
        HTTP::redirect "http://ekanath.das.home.com/psp/pstune/?cmd=login"
    } elseif { [HTTP::cookie exists $cookiename4] } {
        set cookie_exist 0
    } else {
        # No (valid) Xserver cookie: HTTP_RESPONSE inserts a fresh one
        set cookie_exist 1
    }
}
-------

Thanks,

Ekanath
  • Could encrypt the values using the iRules "cookie-encryption-final" and "xframe" and removed the iRule "xserver_header_insert_2".

    Still trying to hide the servername in the headers :(
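The rule below is an added example, not the poster's iRules or F5-supplied code. It shows the remaining step: hiding the backend name that lives in the cookie NAME (for instance "webserver01-8001-PORTAL-PSJSESSIONID"), which value encryption cannot do. Encryption and renaming are deliberately in one rule, because they must run in opposite orders on each side: on the response the value is encrypted under its real name and then moved to an opaque name; on the request the opaque name is mapped back first and only then decrypted. Two separate rules cannot be ordered to satisfy both directions. Assumptions: the opaque names "c1".."c3" and the passphrase placeholder are arbitrary; HTTP::cookie path and HTTP::cookie domain are assumed to return an empty string when the attribute is absent; the persistence cookie "BIGipServercits_tuning_web-80" is left out on purpose (see the note after the code).

```tcl
# Added example (not the poster's code): hide server-identifying cookie names
# and encrypt the values in a single rule, so request and response processing
# happen in the right order relative to each other.

when RULE_INIT {
    # real cookie name (as set by the pool member) -> opaque name the client sees
    # The opaque names are arbitrary assumptions.
    set static::cookie_map [list \
        "webserver01-8001-PORTAL-PSJSESSIONID" "c1" \
        "PORTAL-PSJSESSIONID"                  "c2" \
        "PORTLET-PSJSESSIONID"                 "c3" ]
    # Placeholder: replace with a long random secret before attaching the rule
    set static::cookie_key "CHANGE-ME-long-random-secret"
}

when HTTP_REQUEST {
    foreach {real opaque} $static::cookie_map {
        # The client never legitimately holds the real name; a cookie under that
        # name was injected by the client, so drop it rather than forward it.
        if { [HTTP::cookie exists $real] } {
            HTTP::cookie remove $real
        }
        if { [HTTP::cookie exists $opaque] } {
            # 1. restore the real name so the application finds its cookie
            set v [HTTP::cookie value $opaque]
            HTTP::cookie remove $opaque
            HTTP::cookie insert name $real value $v
            # 2. decrypt in place; an empty result means clear text or tampering
            if { [HTTP::cookie decrypt $real $static::cookie_key] eq "" } {
                HTTP::cookie remove $real
            }
        }
    }
}

when HTTP_RESPONSE {
    foreach {real opaque} $static::cookie_map {
        if { [HTTP::cookie exists $real] } {
            # 1. encrypt the value while the cookie still carries its real name
            HTTP::cookie encrypt $real $static::cookie_key
            # 2. move the (now encrypted) value to the opaque name, keeping the
            #    scoping attributes so the browser returns it exactly as before
            set v      [HTTP::cookie value $real]
            set path   [HTTP::cookie path $real]
            set domain [HTTP::cookie domain $real]
            HTTP::cookie remove $real
            HTTP::cookie insert name $opaque value $v
            if { $path ne "" }   { HTTP::cookie path $opaque $path }
            if { $domain ne "" } { HTTP::cookie domain $opaque $domain }
        }
    }
}
```

Two caveats a practitioner would want. First, HTTP::cookie insert creates a fresh Set-Cookie, so any Secure, HttpOnly or Expires attribute the application set on the original has to be re-applied after the insert if the application relied on it. Second, the "BIGipServercits_tuning_web-80" persistence cookie is written by the cookie persistence profile, not by the pool member, and the profile has its own Cookie Name setting; changing the name there hides the pool name without any renaming in an iRule, and the same rule's encrypt/decrypt loop can then be extended with the chosen name. If this rule is used alongside cookie-encryption-final on the same virtual, take the mapped cookies out of that rule's list so a cookie is not encrypted twice.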