Forum Discussion

Mike_Singer_599's avatar
Icon for Nimbostratus rankNimbostratus
Jan 11, 2012

Removing server header from http to https redirect

We have been asked to remove this by a client based on a pentest. I can find referernces to the noserver option in other posts but not the complete irule that incorrpates that w/ the redirected command. We are just using a redirect command that is very simple as follows:



when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }



Does any know what a proper irule would be that does this base redirect w/o adding the server header?



Thanks in advance.

3 Replies

  • can you try this?

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]"
    [root@ve1023:Active] config  curl -I
    HTTP/1.0 302 Found
    Connection: Keep-Alive
    Content-Length: 0
  • Colin_Walker_12's avatar
    Historic F5 Account
    To clarify, the iRule portion of Nitass post above is just:

    when HTTP_REQUEST {
      HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]"

    And he's right on, as usual. The idea is that you are setting a very specific response rather than using the pre-formatted redirect. The other option would be to specifically remove the header in question somewhere later down the line, like HTTP_REQUEST_SEND or the like, which is probably more involved.