Forum Discussion
Gustavo_Lazarte
Nimbostratus
Jul 21, 2008
Modifying Header Location
We are having problems passing a security audit because IIS 5 shows the name of the servers when it does a redirection on the location part of the header. The problem is when we hit a redirect (302 Object Moved) message and we get the Location: \server01\location\. I was able to block the Location on the 302 messages but I ran into another problem. Our site has 3 redirects that also send a 302 message to the clients but in this case Location \server01\application?value=1010. So we would like to keep blocking the \server01\location\ and rewrite the Location header on the correct requests \www.website.com\application?value=1010. Is there a better way to go around this issue?
Another solution would be to change the /server1/test or server02/test value to www.website.com/test on the header
Thanks
15 Replies
- hoolio
Cirrostratus
The location value should be a fully qualified URL, including the protocol. If you add http:// or https:// to the Location value, does it work?
You can add logging to find out what's happening:

    when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port]: response status: [HTTP::status]"
        if { [HTTP::status] == 302 } {
            log local0. "[IP::client_addr]:[TCP::client_port]: Location: [HTTP::header Location]"
            switch [string tolower [HTTP::header Location]] {
                "server01" -
                "server02" -
                "server03" {
                    HTTP::header replace Location "http://www.site.com"
                    log local0. "[IP::client_addr]:[TCP::client_port]: found a serverXX value, rewriting to http://www.site.com"
                }
            }
        }
    }

Aaron
- lmwf1_55268
Nimbostratus
I like Joe and Aaron's example. It's easier to understand and very helpful for new people to iRules.
I do have a question regarding the use of "Location" here. According to what I can find, "Location" is the whole thing like
Location: http://www.w3.org/pub/WWW/People.html
I wonder if we try to use "host" here since the requestor just wants to change from server1 or server2 to www.website.com.
Thanks!
- hoolio
Cirrostratus
Good point. I think there is actually a typo and a logic error in the example rules in this post. The Location header is probably a fully qualified URL if the app follows RFC 2616. It should be switch -glob and the server names should have wildcards: server01 should be *server01*. But this wouldn't actually help in replacing the server name with the VIP name. You would need to replace the server name within the Location header value but preserve the rest of the URL including the path and query string.
Here is one way to do it using a regex (gasp, I know regexes are CPU intensive, but it saves manually configuring all of the server names and running string map with multiple find/replace strings).

    when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port]: response status: [HTTP::status]"

        # Check if response is a redirect and the Location header contains serverXX where X is a digit
        if { [HTTP::is_redirect] && [string match -nocase {*server[0-9][0-9]*} [HTTP::header Location]] } {
            log local0. "[IP::client_addr]:[TCP::client_port]: Location: [HTTP::header Location]"

            # Replace serverXX with www.example.com in the Location header value
            # (regsub takes the pattern, then the input string, then the replacement)
            HTTP::header replace Location [regsub -nocase {server[0-9][0-9]} [HTTP::header Location] www.example.com]

            # Log the updated header value. Comment out/delete this debug line once testing is complete.
            log local0. "[IP::client_addr]:[TCP::client_port]: found a serverXX value, rewriting to [regsub -nocase {server[0-9][0-9]} [HTTP::header Location] www.example.com]"
        }
    }

Aaron
- Carl_Brothers
Employee
Thinking about this even further, wouldn't this lend itself to a stream profile?
Stream profiles are supposedly native code, and if you are exact enough in your match and replace syntax, you would never ever return the server name to a client.
Just a thought as I am running down a related, but different scenario.
- hoolio
Cirrostratus
If you have an HTTP profile added to the virtual server, then the stream profile will only be applied to the HTTP payloads (request and response). If you need any HTTP parsing functionality, then a stream profile wouldn't work to rewrite the HTTP headers. And it's a good idea to use an iRule to configure a stream profile in any scenario so it's only applied to exact contexts you want it to be.
Aaron
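An added example, not code from the thread: plain Tcl (runnable under tclsh) that rewrites only the host component of a Location value, so a serverXX string in the path or query string of an already public URL is left alone and relative values pass through. The public name www.example.com, the serverXX pattern, the proc name rewrite_location and the sample values are assumptions or constructed for illustration.

```tcl
# Added example (not from the thread). PUBLIC_HOST and INTERNAL_RE are
# assumptions based on the names used in the posts above.
set PUBLIC_HOST "www.example.com"
set INTERNAL_RE {^server[0-9][0-9](\..*)?$}  ;# server01, server02.corp.local, ...

# Return the Location value with only an internal host swapped for the public
# name. Scheme, port, path and query string are passed through untouched.
proc rewrite_location {loc} {
    global PUBLIC_HOST INTERNAL_RE

    # Split an absolute URL into scheme, host and everything after the host.
    if {![regexp -nocase {^(https?://)([^/:?#]+)(.*)$} $loc -> scheme host rest]} {
        return $loc   ;# relative or unparsable value: leave it alone
    }

    # Only touch the value when the host itself is an internal server name.
    if {![regexp -nocase -- $INTERNAL_RE $host]} {
        return $loc
    }
    return "${scheme}${PUBLIC_HOST}${rest}"
}

# Constructed sample Location values:
#   1. internal host, query string must survive
#   2. internal FQDN, serverNN also appears in the query and must not change
#   3. public host whose path happens to contain serverNN: must not change
#   4. relative redirect: must not change
foreach loc {
    "http://server01/application?value=1010"
    "https://SERVER02.corp.local/app/?next=/server01/report"
    "http://www.example.com/docs/server03-notes.html"
    "/application?value=1010"
} {
    puts [format "%-56s -> %s" $loc [rewrite_location $loc]]
}

# On the BIG-IP the input would be [HTTP::header Location] and the result
# would be passed to HTTP::header replace Location, as in the iRules above.
```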