For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

alex100's avatar
alex100
Icon for Cirrostratus rankCirrostratus
Mar 16, 2016

SharePoint HTTP 200 embedded script rewrite

Hi all, I am running into the issues with SharePoint behind APM, where at one single instance site returns HTTP 200 with script embedded into the body which make client to request resource using S...
application delivery
BIG-IP Access Policy Manager (APM)
http
irule
Keith_90333's avatar
Keith_90333
Icon for Nimbostratus rankNimbostratus
Mar 18, 2016

Just an follow-up... we did encounter a situation where we did do stream rewrites for replacing HTTP urls for profile pictures with HTTPS ones...

 

I'm going to add the code we did just as an example even though you solved your issue with correct use of AAMs in SP.

 

 
 SharePoint-MS_SSL_Profile_Photo_Fix
 
 This iRule is used to replace a non-HTTPS image reference from mysites for 
 profile pictures with an HTTPS URL. This rule is written to work for both 
 PROD and QATC without any need to modify it.
 
 To enable logging, update this rule to set static::single_vs_debug from 0 to 
 1 in the RULE_INIT block below.
 
 @author XXXXX
 @since 2013-08-27
 

when RULE_INIT {
     Set this option to 1 to log debug messages (to /var/log/ltm by default)
    set static::profile_photo_debug 0  
}
when CLIENT_ACCEPTED {
    set CLIENT_IP [IP::client_addr]
}
when HTTP_REQUEST {
     REQUESTED_URL is used in a logging statement
    if {$static::profile_photo_debug}
    {
        set REQUESTED_URL "Request page: [HTTP::host][HTTP::path] (QS omitted)"
    }
    set HOST_LOWER [string tolower [HTTP::host]]
     my assumption here is that we aren't adding any additional subdomains
     if HOST_LOWER is: ms-collab-dev.qatc.MY_TLD then
     STR_START will be: ms-collab-dev
    set STR_START [lindex [split $HOST_LOWER "."] 0]

     disable for all requests
    STREAM::disable
}
when HTTP_RESPONSE {
    if {[HTTP::header value Content-Type] contains "text"}
    {
         doing this allows us to not have different copies of this rule for
         each environment.
        switch -glob $STR_START {
            "*collab" {  match either 'collab' or 'ms-collab'
                set DOMAIN_TO_MATCH "ms-collab.MY_TLD"
            }
            "*collab-uat" {  match either 'collab-uat' or 'ms-collab-uat'
                set DOMAIN_TO_MATCH "ms-collab-uat.MY_TLD"
            }
            "*collab-dev" {  match either 'collab-dev' or 'ms-collab-dev'
                set DOMAIN_TO_MATCH "ms-collab-dev.qatc.MY_TLD"
            }
            "*collab-test" {  match either 'collab-test' or 'ms-collab-test'
                set DOMAIN_TO_MATCH "ms-collab-test.qatc.MY_TLD"
            }
        }
        set MYSITE_HTTP "http://$DOMAIN_TO_MATCH/User%20Photos/Profile%20Pictures/"
        set MYSITE_HTTPS "https://$DOMAIN_TO_MATCH/User%20Photos/Profile%20Pictures/"
        set MYSITE_HTTP_80 "http://$DOMAIN_TO_MATCH:80/User%20Photos/Profile%20Pictures/"

         match and replace
        STREAM::expression "@$MYSITE_HTTP_80@$MYSITE_HTTPS@ @$MYSITE_HTTP@$MYSITE_HTTPS@"
         enable for this response
        STREAM::enable
    }
}
when STREAM_MATCHED {  
    only do logging if we did a replacement
    if {$static::profile_photo_debug}
    {
        log local0. "\[client: $client_ip\] Matched profile photo URL: [STREAM::match]"
        log local0. "CLIENT_IP:$CLIENT_IP - STREAM::expression:\"@$MYSITE_HTTP_80@$MYSITE_HTTPS@ @$MYSITE_HTTP@$MYSITE_HTTPS@\" - REQUESTED_URL:$REQUESTED_URL"
    }
}