For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nick_T1's avatar
Nick_T1
Icon for Nimbostratus rankNimbostratus
Feb 18, 2016

Stripping headers on response depending on client IP

We're looking to strip some internal headers at the bigip if the client IP is not internal. We could do this in iRules, but it seemed like a good use case for a more rigid/optimized policy. Would it ...
iRules
LTM
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 18, 2016

Hi Nick,

you can also use LTM Policy for this specific task. Its basically just a personal preference in this case... 😉

 

itacs@(f5-02)(cfg-sync Standalone)(Active)(/Common)(tmos) list /ltm policy Test
ltm policy Test {
    controls { forwarding }
    requires { http tcp }
    rules {
        Rule1 {
            actions {
                0 {
                    http-header
                    remove
                    name SILLY_HEADER1
                }
                1 {
                    http-header
                    remove
                    name SILLY_HEADER2
                }
                2 {
                    http-header
                    remove
                    name SILLY_HEADER3
                }
                3 {
                    http-header
                    remove
                    name SILLY_HEADER4
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    not
                    matches
                    values { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/24 }
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}
itacs@(f5-02)(cfg-sync Standalone)(Active)(/Common)(tmos)

 

Update: Forgot to negate the condition, so that the headers are getting removed for external clients... 😉

Cheers, Kai