For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sanjai_126162's avatar
sanjai_126162
Icon for Nimbostratus rankNimbostratus
Aug 22, 2016

irule to strip the uri after apm completion it has to include the lengthy uri

iRule that will capture the HTTP URI if it is larger than 1098 bytes, then strip the HTTP URI from the HTTP request that is sent to the APM. Once the Access Policy evaluation is completed and the BI...
application delivery
iRules
sanjai_126162's avatar
sanjai_126162
Icon for Nimbostratus rankNimbostratus
Aug 23, 2016

my expectation is the browser send a request to https://f5.company.com/path/ if the uri length is equal or more than 4096 [1098 just mentioned as number exact value is 4096], store it and strip it before send it to APM --> new uri is /fakepath/ the apm create a new session and redirect user to /my.policy and /fakepath/ is stored in variable session.server.landinguri the user authenticate according to access policy if the user authenticate successfully, the user is redirected to /fakepath/ (stored in variable session.server.landinguri) if uri was previously store by the irule, replace the uri /fakepath/ by the stored one /path/

 

F5 allows only 4096 bytes [RFE ID 421616]and apm is blocking the request if its crossing 4096 bytes so we want to strip before request goes to the APM validation and later place path exactly.

 

sorry for mentioning the value as 1098 bytes