Forum Discussion
Stripping headers on response depending on client IP
We're looking to strip some internal headers at the bigip if the client IP is not internal. We could do this in iRules, but it seemed like a good use case for a more rigid/optimized policy. Would it be possible to do something like this: strip headers by name from any response that is not an internal ip address? I can post the rule snippet we were thinking about if policy isn't possible. After clicking through the policy stuff (and checking the docs), I don't think I see an easy way to do this. We're on v11.6 at this time.
Thanks!
3 Replies
Hi Nick,
you may try this iRule as a starting point...
```tcl
when CLIENT_ACCEPTED {
    # Classify the client once per connection
    if { ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] )
      or ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] )
      or ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] ) } then {
        set external_client 0
    } else {
        set external_client 1
    }
}
when HTTP_RESPONSE {
    # Strip the internal headers only for external clients
    if { $external_client } then {
        HTTP::header remove SILLY_HEADER1
        HTTP::header remove SILLY_HEADER2
        HTTP::header remove SILLY_HEADER3
        HTTP::header remove SILLY_HEADER4
    }
}
```

Note: If your internal network is more complex, then you may also check out the [class match] command using IP address based datagroups.
Update: Corrected the code to strip the header for external clients.
Cheers, Kai
Hi Nick,
you can also use LTM Policy for this specific task. It's basically just a personal preference in this case... 😉
```
itacs@(f5-02)(cfg-sync Standalone)(Active)(/Common)(tmos) list /ltm policy Test
ltm policy Test {
    controls { forwarding }
    requires { http tcp }
    rules {
        Rule1 {
            actions {
                0 {
                    http-header
                    remove
                    name SILLY_HEADER1
                }
                1 {
                    http-header
                    remove
                    name SILLY_HEADER2
                }
                2 {
                    http-header
                    remove
                    name SILLY_HEADER3
                }
                3 {
                    http-header
                    remove
                    name SILLY_HEADER4
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    not
                    matches
                    values { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/24 }
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}
itacs@(f5-02)(cfg-sync Standalone)(Active)(/Common)(tmos)
```

Update: Forgot to negate the condition, so that the headers are getting removed for external clients... 😉
Cheers, Kai
- Nick_T1
Nimbostratus
Here is the sample rule that I came up with. Very similar to that which was posted by Kai. However, I modified the conditions slightly as we don't know that the headers will exist for every request, so instead I opted to loop through all headers by name and delete any that match a switch statement. I don't know why I didn't think to try the address as 10.0.0.0/8 or similar, as we already employ that in a class file for a similar purpose elsewhere. Thanks for the reminder and response.
```tcl
when HTTP_REQUEST {
    # check for internal state
    if {([class match [IP::client_addr] equals private_net])}{
        set internal_client 1
    } else {
        set internal_client 0
    }
}
when HTTP_RESPONSE {
    if {!($internal_client)}{
        # Walk every response header and drop the ones named below
        foreach header_name [HTTP::header names] {
            switch [string tolower $header_name] {
                "badheader1" -
                "itwasfordebugging" -
                "whyohwhy" {
                    HTTP::header remove $header_name
                }
            }
        }
    }
}
```
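An offline model of the stripping logic from the replies above, added here as an example (Python, not code from any poster in the thread): it applies the same private-prefix test and case-insensitive header match, and lists which clients the iRule's prefixes and the LTM policy's prefixes (192.168.0.0/16 in one, 192.168.0.0/24 in the other) classify differently. Function names and sample data are constructed for illustration.

```python
import ipaddress

# Prefixes from the iRule reply (the RFC 1918 ranges).
IRULE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Prefixes exactly as listed in the LTM policy reply (note the /24).
POLICY_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24"]
# Header names from the final iRule's switch statement, lower-cased.
STRIP = {"badheader1", "itwasfordebugging", "whyohwhy"}


def is_internal(client_ip, nets):
    """True if client_ip falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def filter_response(client_ip, headers, nets, strip=STRIP):
    """Return the response headers as this client would receive them.

    headers is a list of (name, value) pairs so duplicates and original
    case are preserved. Names are compared case-insensitively, like the
    `string tolower` switch in the iRule.
    """
    if is_internal(client_ip, nets):
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() not in strip]


def disagreements(clients, a=IRULE_NETS, b=POLICY_NETS):
    """Clients that the two prefix lists classify differently."""
    return [c for c in clients if is_internal(c, a) != is_internal(c, b)]


# Constructed sample data, not taken from the thread.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("BadHeader1", "app-node-07"),
    ("ITWASFORDEBUGGING", "trace=on"),
]
SAMPLE_CLIENTS = ["10.1.2.3", "172.31.255.1", "192.168.0.9",
                  "192.168.1.9", "203.0.113.10"]

if __name__ == "__main__":
    for ip in SAMPLE_CLIENTS:
        seen = filter_response(ip, SAMPLE_HEADERS, IRULE_NETS)
        print(ip, [n for n, _ in seen])
    print("classified differently:", disagreements(SAMPLE_CLIENTS))
```

With the /24 prefix, a client such as 192.168.1.9 is treated as external, so its responses lose the headers while the iRule's /16 would keep them.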
