Forum Discussion
Scott_R
Nimbostratus
Mar 16, 2009
Proxy server behind ASM
I have an Apache proxy server behind the ASM in transparent mode. It's returning request violations for every image since it thinks the image should be on the proxy server rather than the server it's proxying to. So I'm guessing it thinks the image is a non-existent object. There are tens of thousands of these violations. Is it not recommended to have a proxy server behind an ASM, or is there a different way to set it up for a proxy server so this doesn't happen?
4 Replies
- hoolio
Cirrostratus
Hi Scott,
What is the request/response flow? Is it client -> proxy -> ASM -> server? Or something else? What are you trying to protect?
What is the actual violation type listed in the full request information? They should be listed under 'Request Violations'. Can you post an anonymized copy of the request headers and/or data?
Aaron
- Scott_R
Nimbostratus
Full request posted below. The gif is on the server it's proxying to. Not on the proxy server. The flow is client -> ASM -> proxy server. Was attempting to protect the proxy server.
Thanks.
Flags: [HTTPS]
Requested Object: /images/images/view-attachments.gif
Response Code: 304
Internal Use: Yes
Full Request
GET /images/images/view-attachments.gif HTTP/1.1
Accept: */*
Referer: https://proxyserver.mydomain.com/homepage/homepage.jsp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 31 Jan 2000 19:34:12 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2; .NET CLR 1.1.4322)
Host: proxyserver.mydomain.com
Connection: Keep-Alive
Cookie: TSb074f7=67bcdaf929e6111babadd04136b0feba160b99a96fbee49749be4837c8f0c0030d53b05734d55be3ffabebb2; jsessionid=384121237208175220; userInfo=userID%3D17c
- hoolio
Cirrostratus
Maybe I'm missing something, but I don't see why this would generate false positive violations. What violations are being generated? If it is only 'non-existent object' do you have a wildcard object defined in the policy?
Also, why is the host header in the request set to the proxy server? Shouldn't this be the destination server's domain name?
Aaron
- Scott_R
Nimbostratus
After reading your reply about a wildcard, I checked and sure enough I was sitting on the wrong security policy. There were no wildcard objects defined. I changed it to the correct policy and am watching it now.
Thanks for your help!
