Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Steven_Ruiz_882's avatar
Steven_Ruiz_882
Icon for Nimbostratus rankNimbostratus
Nov 23, 2005

http->https redirect reveals internal IP addresses

I have a irule setup for redirecting http traffic to https, and its working fine.     However, when issuing a HEAD / request, it serves back the internal/private ip of the web server.     ...
application delivery
dev
devops
irules
v4
Martin_Machacek's avatar
Martin_Machacek
Historic F5 Account
Dec 02, 2005
Steven,

the %h macro within the redirect string expands to the value of the "Host:" header in the request and if not present to the address of the virtual server which referred to the rule. The "Host:" header is mandatory in HTTP/1.1. Most modern browsers use HTTP/1.1 by default and because of that they supply the header. Browsers typically put the domain portion of the URL (i.e. everything between // and the nearest /) to the "Host:" header. You can verify it like this:


yourcomputer:/Users/stever-> telnet www.mysite.com 80
Trying 11.11.11.11...
Connected to www.mysite.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: the-host-you-want-to-redirect-to.example
HTTP/1.0 302 Found
Location: http://the-host-you-want-to-redirect-to.example/
Connection: close