For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nick_T1's avatar
Nick_T1
Icon for Nimbostratus rankNimbostratus
Feb 18, 2016

Stripping headers on response depending on client IP

We're looking to strip some internal headers at the bigip if the client IP is not internal. We could do this in iRules, but it seemed like a good use case for a more rigid/optimized policy. Would it ...
iRules
LTM
security
Nick_T1's avatar
Nick_T1
Icon for Nimbostratus rankNimbostratus
Feb 18, 2016

Here is the sample rule that I came up with. Very similar to that which was posted by Kai. However, I modified the conditions slightly as we don't know that the headers will exist for every request, so instead I opted to loop through all headers by name and delete any that match a switch statement. I don't know why I didn't think to try the address as 10.0.0.0/8 or similar, as we already employ that in a class file for a similar purpose elsewhere. Thanks for the reminder and response.

 

when HTTP_REQUEST {
  check for internal state
  if {([class match [IP::client_addr] equals private_net])}{
    set internal_client 1
  } else {
    set internal_client 0
  }
}
when HTTP_RESPONSE {   
  if {!($internal_client)}{
    foreach header_name [HTTP::header names] {
      switch [string tolower $header_name] {
        "badheader1" -
        "itwasfordebugging" -
        "whyohwhy" { HTTP::header remove $header_name }
      } 
    } 
  }
}