For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

James_Dyson_470's avatar
James_Dyson_470
Icon for Nimbostratus rankNimbostratus
May 12, 2006

multiple rules / header info removing

Hi Guys,     I've got a build running production traffic that has just been pen tested and one of the complaints was the BigIP returning OS information in the header. (ver9.x)     I know ...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
May 15, 2006
You're not slow. There are couple of things here that are not quite intuitive:

 

 

1)

 

HTTP_RESPONSE is specific to a SERVER response passing through the load balancer, and is not triggered for locally-generated responses. In this context, since there is no server response, no HTTP_RESPONSE event is triggered.

 

 

and even if the response event were triggered:

 

2) HTTP::header commands affect only headers passing THROUGH the load balancer, not locally-generated responses. (I'd imagine that it's a timing issue: We can't modify the response before it exists, but the response doesn't exist until LTM sends it, and we can't modify it after it's been sent...) In this context, the redirect response is locally generated, so we can't affect it with the header commands.

 

 

Hopefully that explains better.

 

 

You can apply the TCP::respond workaround to HTTP virtual servers, but I don't have a good one for HTTPS virtuals.

 

 

Good luck!

 

/deb