Mike_Singer_599
Jan 11, 2012

Removing server header from http to https redirect

We have been asked to remove this by a client based on a pentest. I can find references to the noserver option in other posts but not the complete iRule that incorporates that w/ the redirect command. We are just using a redirect command that is very simple, as follows:

when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }

Does anyone know what a proper iRule would be that does this base redirect w/o adding the server header?

Thanks in advance.
  • can you try this?

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]"
    }
    }
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/test
    HTTP/1.0 302 Found
    Location: https://172.28.19.79/test
    Connection: Keep-Alive
    Content-Length: 0
    
    
  • Colin_Walker_12
    To clarify, the iRule portion of Nitass's post above is just:

    
    when HTTP_REQUEST {
      HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]"
    }
    

    And he's right on, as usual. The idea is that you are setting a very specific response rather than using the pre-formatted redirect. The other option would be to specifically remove the header in question somewhere later down the line, like HTTP_REQUEST_SEND or the like, which is probably more involved.

    Colin
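
A check one could run when retesting the pentest finding, added here as an example and not part of any post in the thread: it parses a raw response head and reports a `Server` header, or a `Location` that is not the HTTPS mirror of the request. The function names and the `BEFORE` sample (including its `Server` value) are constructed for illustration; `AFTER` is the curl output posted above.

```python
from urllib.parse import urlsplit

# Constructed sample: a redirect that still carries a Server header (value assumed).
BEFORE = (b"HTTP/1.0 302 Found\r\n"
          b"Location: https://172.28.19.79/test\r\n"
          b"Server: BigIP\r\n"
          b"Connection: Keep-Alive\r\n"
          b"Content-Length: 0\r\n\r\n")

# The response shown in the curl output in the thread above.
AFTER = (b"HTTP/1.0 302 Found\r\n"
         b"Location: https://172.28.19.79/test\r\n"
         b"Connection: Keep-Alive\r\n"
         b"Content-Length: 0\r\n\r\n")

def parse_head(raw):
    """Split a raw response head into (status, {lowercased name: [values]})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive and may repeat
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def audit_redirect(raw, host, uri):
    """Return a list of findings; an empty list means the redirect passes."""
    status, headers = parse_head(raw)
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append("status %d is not a redirect" % status)
    for value in headers.get("server", []):
        findings.append("Server header present: %r" % value)
    locations = headers.get("location", [])
    if len(locations) != 1:
        findings.append("expected one Location header, got %d" % len(locations))
    else:
        target = urlsplit(locations[0])
        # HTTP::uri is path plus query string, so compare both.
        got_uri = target.path + ("?" + target.query if target.query else "")
        if target.scheme != "https":
            findings.append("Location is not https: %r" % locations[0])
        if target.netloc.lower() != host.lower() or got_uri != uri:
            findings.append("Location does not mirror request: %r" % locations[0])
    return findings
```
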