For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mrbongoco_64052's avatar
mrbongoco_64052
Icon for Nimbostratus rankNimbostratus
Apr 23, 2012

HTTP_Response Client side

Hi Ive been looking to write and Irule to strip out the HTTP::Header for all "Server" types but have been unable to get this work. Essentially it works perfectly server side, but when a user ini...
application delivery
dev
devops
iRules
Bryce_Klimoski's avatar
Bryce_Klimoski
Icon for Nimbostratus rankNimbostratus
Apr 26, 2012
Posted By mrbongoco on 04/23/2012 10:36 PM

 

Hi

 

Firstly thank you for taking the time and interest in my post and also replying.

 

I certainly look at both suggestions today and realised that maybe I wasnt that clear.

 

I essentially want to stop clients (client side) seeing any info about the F5 itself but specifically the server type in the http header.

 

When a client connects to the vip without the fully qualified URL they see the f5 landing page thus exposing the F5 to any wouldbe attacker.

 

Hope this makes more sense.

 

Jon

 

I have only ever seen the F5 insert the Big-IP server header into a http response to the client when I call HTTP::redirect or HTTP::respond.

 

 

With HTTP::redirect the server header is hardwired and the only way to by-pass this is to use HTTP::respond to send out the a 302 response code with a location header.

 

 

 

HTTP::respond 302 noserver Location "http://www.domain.org" Server "testing"

 

 

 

If your using the F5 to server up the initial landing page, you could do this.

 

 

 

HTTP::respond noserver Server "testing" content $content