For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

alex100's avatar
alex100
Icon for Cirrostratus rankCirrostratus
Mar 16, 2016

SharePoint HTTP 200 embedded script rewrite

Hi all,

I am running into the issues with SharePoint behind APM, where at one single instance site returns HTTP 200 with script embedded into the body which make client to request resource using SharePoint's internal host name. Client then attempts to request that resource and comes to stand still not being able to resolve the name. Here is the response in question:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
SPRequestGuid: c0f4406f-9fcd-4c1d-be09-8c4cdbd9fbad
X-SharePointHealthScore: 1
MicrosoftSharePointTeamServices: 14.0.0.7015
X-MS-InvokeApp: 1; RequireReadOnly
X-Frame-Options: SAMEORIGIN
Date: Wed, 16 Mar 2016 14:34:40 GMT
Vary: Accept-Encoding
Content-Length: 2413   


       
              
              
              
                     Processing...
              
              
              
              
              
       
       
         
              
                     
                           
                                  
                                  Processing...
                           
                           
User information updated successfully
                           
                           
You will be redirected shortly.

How can I catch and rewrite the internal hostname? When sent to the client it needs to look something like this: publicname.mycompany.com instead of mysite.mydomain.mycompany.root:14775 Can this be done using Stream profile triggered on HTTP Response?

Thanks in advance...

application delivery
BIG-IP Access Policy Manager (APM)
http
irule

2 Replies

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Mar 16, 2016

    Please don't try to rewrite Sharepoint hostnames or URLs or anything in BIG-IP.

     

    Sharepoint has a specific configuration for this called "Alternate Access Mapping". Google that term and read a few articles to understand how it works -- it's one of the painful things about setting up Sharepoint and it MUST be configured carefully and correctly in order for all of the SP functions to work.

     

  • Keith_90333's avatar
    Keith_90333
    Icon for Nimbostratus rankNimbostratus
    Mar 18, 2016

    Just an follow-up... we did encounter a situation where we did do stream rewrites for replacing HTTP urls for profile pictures with HTTPS ones...

     

    I'm going to add the code we did just as an example even though you solved your issue with correct use of AAMs in SP.

     

     
 SharePoint-MS_SSL_Profile_Photo_Fix
 
 This iRule is used to replace a non-HTTPS image reference from mysites for 
 profile pictures with an HTTPS URL. This rule is written to work for both 
 PROD and QATC without any need to modify it.
 
 To enable logging, update this rule to set static::single_vs_debug from 0 to 
 1 in the RULE_INIT block below.
 
 @author XXXXX
 @since 2013-08-27
 

when RULE_INIT {
     Set this option to 1 to log debug messages (to /var/log/ltm by default)
    set static::profile_photo_debug 0  
}
when CLIENT_ACCEPTED {
    set CLIENT_IP [IP::client_addr]
}
when HTTP_REQUEST {
     REQUESTED_URL is used in a logging statement
    if {$static::profile_photo_debug}
    {
        set REQUESTED_URL "Request page: [HTTP::host][HTTP::path] (QS omitted)"
    }
    set HOST_LOWER [string tolower [HTTP::host]]
     my assumption here is that we aren't adding any additional subdomains
     if HOST_LOWER is: ms-collab-dev.qatc.MY_TLD then
     STR_START will be: ms-collab-dev
    set STR_START [lindex [split $HOST_LOWER "."] 0]

     disable for all requests
    STREAM::disable
}
when HTTP_RESPONSE {
    if {[HTTP::header value Content-Type] contains "text"}
    {
         doing this allows us to not have different copies of this rule for
         each environment.
        switch -glob $STR_START {
            "*collab" {  match either 'collab' or 'ms-collab'
                set DOMAIN_TO_MATCH "ms-collab.MY_TLD"
            }
            "*collab-uat" {  match either 'collab-uat' or 'ms-collab-uat'
                set DOMAIN_TO_MATCH "ms-collab-uat.MY_TLD"
            }
            "*collab-dev" {  match either 'collab-dev' or 'ms-collab-dev'
                set DOMAIN_TO_MATCH "ms-collab-dev.qatc.MY_TLD"
            }
            "*collab-test" {  match either 'collab-test' or 'ms-collab-test'
                set DOMAIN_TO_MATCH "ms-collab-test.qatc.MY_TLD"
            }
        }
        set MYSITE_HTTP "http://$DOMAIN_TO_MATCH/User%20Photos/Profile%20Pictures/"
        set MYSITE_HTTPS "https://$DOMAIN_TO_MATCH/User%20Photos/Profile%20Pictures/"
        set MYSITE_HTTP_80 "http://$DOMAIN_TO_MATCH:80/User%20Photos/Profile%20Pictures/"

         match and replace
        STREAM::expression "@$MYSITE_HTTP_80@$MYSITE_HTTPS@ @$MYSITE_HTTP@$MYSITE_HTTPS@"
         enable for this response
        STREAM::enable
    }
}
when STREAM_MATCHED {  
    only do logging if we did a replacement
    if {$static::profile_photo_debug}
    {
        log local0. "\[client: $client_ip\] Matched profile photo URL: [STREAM::match]"
        log local0. "CLIENT_IP:$CLIENT_IP - STREAM::expression:\"@$MYSITE_HTTP_80@$MYSITE_HTTPS@ @$MYSITE_HTTP@$MYSITE_HTTPS@\" - REQUESTED_URL:$REQUESTED_URL"
    }
}