Forum Discussion
gurrish_132043
Nimbostratus
NimbostratusProblem with HTTP::respond, get rid of WWW-Authenticate header
Hi! Im trying to do this generic error page to display for 4XX and 5XX responses with the help from an iRule. This is what I did.
when HTTP_RESPONSE {
set DEBUG 0
if { $DEBUG } { log local0.debug "client_addr:[IP::client_addr] | cn:$cn | uid:$uid | serial:$serial | market:$market | uuid:$uuid | status:[HTTP::status] | method:$method | uri:$uri" }
HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
switch -glob [HTTP::status] {
"4*" {
if { $DEBUG } { log local0.debug "masking 4XX error" }
HTTP::respond [HTTP::status] content "<!doctype html><html><head><title>[HTTP::status]</title></head><body><div style=\"margin-left: 20px ; font-family: Arial,Helvetica,Verdana; font-size:100px; color: f0f0f0;\">[HTTP::status]</div></body></html>"
}
"5*" {
if { $DEBUG } { log local0.debug "masking 5XX error" }
HTTP::respond [HTTP::status] content "<!doctype html><html><head><title>[HTTP::status]</title></head><body><div style=\"margin-left: 20px ; font-family: Arial,Helvetica,Verdana; font-size:100px; color: f0f0f0;\">[HTTP::status]</div></body></html>"
}
default {
if { $DEBUG } { log local0.debug "OK status returned" }
Do nothing but returning the response
}
}
}
But now i have this problem, that everytime that a 401 is returned i.e "HTTP::respond 401", the header WWW-authenticate is returned which results in the stupid basic authentication login box is being displayed in the users browser. Not such a great scenario... since there is nothing to authenticate against. Does anyone know how to get rid of this? I have tried to remove the header with "HTTP::header remove WWW-Authenticate", doesn't work...
What_Lies_Bene1Cirrostratus
Try using a capital A; WWW-Authenticate
- What_Lies_Bene1
OK, so are we just talking LTM here or are other modules involved?
- Kevin_Stewart
Employee
It appears as if the framework has some built in default for 401s
I would agree. The BIG-IP will return a WWW-Authenticate header with a 401 response. Two thoughts off the top of my head:
-
Return a 200 response. It isn't semantically what you're looking for, but technically you're attempting to display HTML content rather than elicit credentials from the user, so it's closer to a 200 than a 401.
-
Drop into layer 4 and scrub the response at the TCP layer. It's a little messier, but it should effectively trick the BIG-IP into not sending the WWW-Authenticate header.
-
gurrish_132043It didn't work with TCP::respond but I found another solution. Since HTTP::respond can add headers, I tried to add the header myself but without any value. And it solved the problem for us.
HTTP::respond [HTTP::status] content "[HTTP::status][HTTP::status]" noserver "WWW-Authenticate" ""- What_Lies_Bene1Great. Thanks for letting us know.
