For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Jul 15, 2014

How many ways to rewrite http request and response for hostname, port and URI rewrite

Hello Experts

 

I need to mask the URL between virtual server on f5 and backend servers. The URL on backend server is http://server1xls.abc.com:8040/OA_HTML/AppsLogin and the URI on F5 should be http://extranetportal. It means I need to mask the hostname, port and URL on F5.

 

I searched on the forum and this is confusing. Some suggested:

 

1- Use stream profile in virtual server configuration 2- Use stream IRULE 3- Use Redirect Rewrite in http profile

 

I would highly appreciate, if somebody give me the solution for this scenario and what is the difference between above solutions

 

Regards,

 

GR

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security

4 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Jul 15, 2014

    The Stream profile is used to re-write Links in a webpage. For example if you masked the backend URL from the client - You might have links that point to backend URL

     

    The good news is that the good folks at F5 had written something to around it

     

    Here is a link that may help

     

    https://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx

     

    Let us know if this works?

     

    -=Bhattman=-

     

  • ghost-rider_124's avatar
    ghost-rider_124
    Icon for Nimbostratus rankNimbostratus
    Jul 16, 2014

    Hi The Bhattman

     

    Thanks for reply. This IRULE seems horrible :) but again the same question the below three methods would be used in which condition for my scenario described earlier.

     

    A)- Use stream profile in virtual server configuration B- Use stream IRULE C- Use Redirect Rewrite in http profile

     

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Jul 16, 2014

    Hi Ghost-rider,

     

    Yes the iRule looks very complicated, but it does work for many people. In your case it could be overkill.

     

    So with the streams are tyring to re-write links on a webpage or hide them from the URL on the internet browser?

     

    -=Bhattman=-

     

  • John_Antony_162's avatar
    John_Antony_162
    Icon for Nimbostratus rankNimbostratus
    Sep 04, 2015

    it's been a while someone answered this. But I had a similar situation and below iRule worked great

    when RULE_INIT { 

     Set the hostname that the client makes request to (do not include protocol)  
    set ::external_hostname "external.com"  

     Set the hostname that the BIG-IP will rewrite requests to  
    set ::internal_hostname "server1.local.intra:8445"  

     Log debug messages to /var/log/ltm? 1=yes, 0=no.  
    set ::proxy_site_debug 0  
 }  
 when HTTP_REQUEST { 

    if {$::proxy_site_debug}{log local0. "Received request from [IP::client_addr] -> [HTTP::host][HTTP::uri]"}  

    if {$::proxy_site_debug}{log local0. "Rewriting [IP::client_addr]'s Host header to $::internal_hostname"}  

     Rewrite the Host header   
    HTTP::header replace "Host" $::internal_hostname  

 }  
 when HTTP_RESPONSE {  

     Check if the status indicates a redirect  
    if {[HTTP::is_redirect]} {  

       if {$::proxy_site_debug}{log local0. "Rewriting [IP::client_addr]'s redirect"}  
          Rewrite the Location header replacing the internal hostname with the external hostname  
       HTTP::header replace Location [string map -nocase {$::internal_hostname $::external_hostname} [HTTP::header Location]]  
    }  
 }