For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bookbinder_1115's avatar
bookbinder_1115
Icon for Nimbostratus rankNimbostratus
Sep 21, 2010

Using the F5 as a Reverse Proxy for RSA SecurID Self Service

Hey Everyone, I am new to the F5 load balancer and iRules. From what I understand the F5 load balancer has the ability to act as a reverse proxy. In order to make the RSA device accessible from the w...
application delivery
dev
devops
iRules
Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Mar 02, 2015

In the meanwhile I found the issue. The Host-header don't need to be remove, but needs to be replaced with the FQDN of the server including its port.

I'm using now the following iRule:

when HTTP_REQUEST {
    if { not [class match [string tolower [HTTP::uri]] starts_with _allowed_uris] } {
        HTTP::respond 301 Location "https://[HTTP::host]/console-selfservice/"
    } else {
         Prevent the server from sending compressed responses as LTM does not decompress them 
        HTTP::header remove "Accept-Encoding" 
    }
}
when HTTP_REQUEST_SEND {
     Need to force the host header replacement and HTTP:: commands
     into the clientside context as the HTTP_REQUEST_SEND event
     is in the serverside context
    clientside {
         verify the selected server IP to specify its FQDN
        if { [IP::addr [LB::server addr] equals ] } {
            set server_hostname 
        } else {
            set server_hostname 
        }
        set server_port [LB::server port]
         Replace the host header value
        HTTP::header replace Host $server_hostname:$server_port
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {":7004" "" ":7004" ""} [HTTP::header Location]]
    }
}

Maybe this will help someone else as well.

Ciao Stefan 🙂