For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Nov 24, 2014

IRULE Template for URL Masking (Request and Response)

Hello Experts

 

I am in the process of doing URL masking (changing host name, hard code links in header and payload). The front end user URL is webportal.abc.com and backend server URL is server1. User to F5 is https and backend is http. Below is the irule I got from internet, can any body explain the below irule

 

when RULE_INIT
{
    ==============================
     REQUEST REWRITES
    ==============================
    set static::webportal_request_uri
    {

    }
    set static::webportal_request_host
    {
                "http://====https://"
        "http://server1====https://webportal.abc.com"
    } 
    set static::webportal_request_referer
    {
                "http://====https://"   
        "http://server1====https://webportal.abc.com"
    }
    set static::webportal_request_cookie
    {

    }

    ==============================
     RESPONSE REWRITES
    ==============================
    set static::webportal_response_setCookie
    {


    }
    set static::webportal_response_location
    {
                "http://====https://"
        "http://server1====https://webportal.abc.com"

    }
    set static::webportal_response_contentLocation
    {
                "http://====https://"
        "http://server1====https://webportal.abc.com"

    }
    set static::webportal_response_body
    {
                "http://====https://"
        "http://server1====https://webportal.abc.com"

    }
}

when HTTP_REQUEST
{
    STREAM::disable
    -----------------
    URI
    -----------------
    HTTP::header remove Accept-Encoding
    if {[llength $static::webportal_request_uri] > 0}
    {
    set request_val [HTTP::uri]
    foreach request_rewriteRecord $static::webportal_request_uri
    {
        set request_find [getfield $request_rewriteRecord "====" 1]
        set request_replace [getfield $request_rewriteRecord "====" 2]
        if {$request_replace == "nothing"}
        {
            set request_replace ""
        }

        regsub -all $request_find $request_val $request_replace request_val
    }
    HTTP::uri $request_val
    }
    -----------------
    Host
    -----------------
    if {[llength $static::webportal_request_host] > 0}
    {
    if {[HTTP::header exists Host]}
    {
        set request_val [HTTP::host]
        foreach request_rewriteRecord $static::webportal_request_host
        {
            set request_find [getfield $request_rewriteRecord "====" 1]
            set request_replace [getfield $request_rewriteRecord "====" 2]

            if {$request_replace == "nothing"}
            {
                set request_replace ""
            }
            regsub -all $request_find $request_val $request_replace request_val
        }

        HTTP::header replace Host $request_val
    }
    }
    -----------------
    Referer
    -----------------
    if {[llength $static::webportal_request_referer] > 0}
    {
    if {[HTTP::header exists Referer]}
    {
        set request_val [HTTP::header value Referer]
        foreach request_rewriteRecord $static::webportal_request_referer
        {
            set request_find [getfield $request_rewriteRecord "====" 1]
            set request_replace [getfield $request_rewriteRecord "====" 2]

            if {$request_replace == "nothing"}
            {
                set request_replace ""
            }

            regsub -all $request_find $request_val $request_replace request_val
        }
        HTTP::header replace Referer $request_val
    }
    }
    -----------------
    cookies
    -----------------
    if {[llength $static::webportal_request_cookie] > 0}
    {
    if {[HTTP::header exists Cookie]}
    {
        set request_val [HTTP::header value Cookie]
        foreach request_rewriteRecord $static::webportal_request_cookie
        {
            set request_find [getfield $request_rewriteRecord "====" 1]
            set request_replace [getfield $request_rewriteRecord "====" 2]

            if {$request_replace == "nothing"}
            {
                set request_replace ""
            }

            regsub -all $request_find $request_val $request_replace request_val
        }
        HTTP::header replace Cookie $request_val
    }
    }
}

when HTTP_RESPONSE
{
    STREAM::disable
    -------------------------
     rewrite set-cookies
    -------------------------
    if {[llength $static::webportal_response_setCookie] > 0}
    {
    if {[HTTP::header exists Set-Cookie]}
    {
        set request_val_list [HTTP::header values Set-Cookie]
        HTTP::header remove Set-Cookie

        foreach request_val $request_val_list
        {
            foreach request_rewriteRecord $static::webportal_response_setCookie
            {
                set request_find [getfield $request_rewriteRecord "====" 1]
                set request_replace [getfield $request_rewriteRecord "====" 2]

                if {$request_replace == "nothing"}
                {
                    set request_replace ""
                }
                regsub -all $request_find $request_val $request_replace request_val
            }
            HTTP::header insert Set-Cookie $request_val
        }
    }
    }
    -------------------------
     rewrite Location
    -------------------------
    if {[llength $static::webportal_response_location] > 0}
    {
    if {[HTTP::is_redirect]}
    {
        set request_val [HTTP::header value Location]

        foreach request_rewriteRecord $static::webportal_response_location
        {
            set request_find [getfield $request_rewriteRecord "====" 1]
            set request_replace [getfield $request_rewriteRecord "====" 2]
            if {$request_replace == "nothing"}
            {
                set request_replace ""
            }

            regsub -all $request_find $request_val $request_replace request_val
        }
        HTTP::header replace Location $request_val
    }
    }
    -------------------------
     rewrite Content-Location
    -------------------------
    if {[llength $static::webportal_response_contentLocation] > 0}
    {
    if {[HTTP::header exists Content-Location]}
    {
        set request_val [HTTP::header value Content-Location]

        foreach request_rewriteRecord $static::webportal_response_contentLocation
        {
            set request_find [getfield $request_rewriteRecord "====" 1]
            set request_replace [getfield $request_rewriteRecord "====" 2]
            if {$request_replace == "nothing"}
            {
                set request_replace ""
            }

            regsub -all $request_find $request_val $request_replace request_val
        }
        HTTP::header replace Content-Location $request_val
    }
    }

    ----------------------------
     Body
    ----------------------------
    if {[llength $static::webportal_response_body] > 0}
    {
    set expression ""
    foreach request_rewriteRecord $static::webportal_response_body
    {
        set request_find [getfield $request_rewriteRecord "====" 1]
        set request_replace [getfield $request_rewriteRecord "====" 2]
        if {$request_replace == "nothing"}
        {
            set request_replace ""
        }

        set expression "$expression@$request_find@$request_replace@"
    }
    if {[HTTP::header Content-Type] contains "text" or [HTTP::header Content-Type] contains "xml" or [HTTP::header Content-Type] contains "java"}
    {
        STREAM::expression $expression
        STREAM::enable
    }
    }
}
application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security

1 Reply

  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Nov 24, 2014

    Based on your description it looks like you may not even need to do any kind of transformation.

    The request from the client specifies the path (e.g. "/abc") separately from the hostname (which is stored in the HTTP-header "host").

    Depending on how the node (pool member) handles the hostname you may not have to worry about it.

    It is possible to re-write the request, but it looks like you may not need to do this.

    If you do need to change the host you can swap out the value of the HTTP-header "host":

    when HTTP_REQUEST {

    HTTP::header replace host server1

}