For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Eric_Lenington_'s avatar
Eric_Lenington_
Icon for Nimbostratus rankNimbostratus
Feb 13, 2014

Redirect and changing the URL that is returned to the client.

I have a need to add a virtual server that redirects all traffic to the VS to a specific URL. That is easy enough; however, I also need to mask the redirected URL so the clients don't see the secure URL they are being redirected to as this is a security risk. Can someone tell me if this is possible and if so how to accomplish this. I have tried every combination of iRules I can find in devcentral and nothing has worked. They all achieve the redirect, but nothing masks the URL for the client. We need the url to show up to the client as web.myserver.com rather than my.webserver.com

 

Here is the existing iRule that is redirecting the traffic today, obviously the name has been changed:

 

when HTTP_REQUEST { HTTP::redirect http://my.webserver.com/main/HSA-autologin.cfm?x=f3e93aa831939183f8fe837af83873828ed338d2 }

 

If I only needed to change the header I believe this would work but I can't get two HTTP_REQUEST statements to work sequentially and I can't use the if else statement because all traffic needs to match the redirection.

 

Please help if possible.

 

Thank you

 

application delivery
devops
iRules
LTM

3 Replies

  • Eric_Lenington_'s avatar
    Eric_Lenington_
    Icon for Nimbostratus rankNimbostratus
    Feb 13, 2014
    forgot to paste the header irule that I referenced. when HTTP_REQUEST { if { [HTTP::header host] eq "www.abc.com" } { HTTP::header replace Host "www.xyz.com" } }
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Feb 13, 2014

    An HTTP::redirect is going to send a physical 302 redirect response back to client, causing the browser address bar to change. To make the URL transparent, you have to do a few things:

    1. On HTTP requests, you need to change the Host header.

    2. On HTTP responses, if the server is sending a redirect of its own, you want to make sure the redirect is mapped to your external URL.

    3. On HTTP responses, you also want to make sure any internal document references (images, CSS, JS, etc.) are not mapping to the internal URL.

    Keep in mind also that access to the internal URL MUST COME THROUGH the external URL. You cannot have the client go to some other resource that is not local, without changing the address bar. So assuming the server is behind your BIG-IP, this is what a minimalist version of that iRule might look like:

    when HTTP_REQUEST {
     Remove the Accept-Encoding header from requests so that the server does not compress responses
    HTTP::header remove Accept-Encoding

     Disable the STREAM profile for request traffic
    STREAM::disable

     replace the Host header
    HTTP::header replace Host "www.xyz.com"
}
when HTTP_RESPONSE {
     Look for and replace redirects from the server
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"www.xyz.com" "www.abc.com"} [HTTP::header Location]]
    }

     For any text-based response enable a STREAM mapping to replace specific values
     To use this, enable an empty STREAM profile to the virtual server
    if { [HTTP::header Content-Type] contains "text" } {
        STREAM::expression {@www.xyz.com@www.abc.com@}
        STREAM::enable
    }
}

    Again, this is a minimalist approach, and may not completely cover everything depending on how the application functions or if you also need to remap URIs. Optionally, you can use the ProxyPass iRule on 11.3 systems and older, and the new Policy functions in 11.4 and newer.

  • Wallace1's avatar
    Wallace1
    Icon for Nimbostratus rankNimbostratus
    Feb 03, 2015

    Do you have an example or post documentation to the new policy that will mask the url?

     

    Thanks,

     

    Wallace