For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

LyonsG_85618's avatar
LyonsG_85618
Icon for Cirrostratus rankCirrostratus
Nov 16, 2012

Passing decoded certficates in HTTP header

Hi folks.     I have been requested to setup BIG-IP to request certificate authentication and then insert the WHOLE UNENCODED certificate into the HTTP header and pass it to a differnt virtua...
application delivery
dev
devops
iRules
nitass's avatar
nitass
Icon for Employee rankEmployee
Nov 30, 2012
now want the request content sent via a cookie.....what does the request content mean? is it http request headers (GET request does not have payload)?

---------------

The value of a cookie may consist of any printable ascii character (! through ~, unicode \u0021 through \u007E) excluding , and ; and excluding whitespace. The name of the cookie also excludes = as that is the delimiter between the name and value. The cookie standard RFC2965 is more limiting but not implemented by browsers.

---------------

HTTP cookie

http://en.wikipedia.org/wiki/HTTP_cookie

will you do base64 encoding of http request headers?

e.g. 

[root@ve10:Active] config  b virtual bar list
virtual bar {
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   HTTP::cookie insert name BIGIPCOOKIE value [b64encode [HTTP::request]]
   virtual backend_vs
}
}
[root@ve10:Active] config  b virtual backend_vs list
virtual backend_vs {
   snat automap
   pool foo
   destination 1.1.1.1:80
   ip protocol 6
   rules backend_rule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule backend_rule list
rule backend_rule {
   when HTTP_REQUEST {
   log local0. [b64decode [HTTP::cookie value BIGIPCOOKIE]]
}
}

[root@ve10:Active] config  ssldump -Aed -nni 0.0 port 80
New TCP connection 1: 172.28.20.11(44909) <-> 172.28.19.79(80)
1354270186.3077 (0.0030)  C>S
---------------------------------------------------------------
GET /something HTTP/1.1
User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8x zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: test.com

---------------------------------------------------------------

New TCP connection 2: 172.28.20.11(44909) <-> 1.1.1.1(80)
1354270186.3078 (0.0000)  C>S
---------------------------------------------------------------
GET /something HTTP/1.1
User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8x zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: test.com
Cookie: BIGIPCOOKIE=R0VUIC9zb21ldGhpbmcgSFRUUC8xLjENClVzZXItQWdlbnQ6IGN1cmwvNy4xOS43IChpNjg2LXJlZGhhdC1saW51eC1nbnUpIGxpYmN1cmwvNy4xOS43IE9wZW5TU0wvMC45Ljh4IHpsaWIvMS4yLjMgbGliaWRuLzAuNi41DQpBY2NlcHQ6ICovKg0KSG9zdDogdGVzdC5jb20NCg0K;

---------------------------------------------------------------

[root@ve10:Active] config  cat /var/log/ltm
Nov 30 18:14:12 local/tmm info tmm[7926]: Rule backend_rule : GET /something HTTP/1.1  User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8x zlib/1.2.3 libidn/0.6.5  Accept: */*  Host: test.com