F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

MSZ's avatar
MSZ
Icon for Nimbostratus rankNimbostratus
Apr 06, 2016

How can we block the Basic Authentication Page?

HTTP/1.1 401 Unauthorized Date: Tue, XX Mar XXXX 14:42:11 GMT Www-authenticate: Basic realm="Oracle iPlanet Web Server" Content-length: 223 Content-type: text/html Connection: close   Unauthorized...
ASM Advanced WAF
BIG-IP
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Apr 06, 2016

Hi,

 

what do you need exactly?

 

if the server request authentication, you won't be able to browse it before being authenticated.

 

do you want to deny access to password protected ressources on the web site?

 

You can block 401 response code and replace it by a "access denied" with 403 response code in a irule or with ASM

 

Do not forget to remove Authorization header in request to prevent user to insert it even if the server never sent 401 request.

 

when HTTP_REQUEST {
    HTTP::header remove Authorization
}

when HTTP_RESPONSE {
  if { [HTTP::status] eq "401" } { 
    HTTP::respond 403 content {
            
               Denied
               Page Denied
            
         } noserver "Connection" "Close"
      return
  }
}