For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

PG0581's avatar
PG0581
Icon for Cirrus rankCirrus
Apr 28, 2022
Solved

Host header injection iRule

I would like to create an iRule that whitelists based on the HTTP host header value, and if that matches redirect to HTTPS. 

Can someone confirm if what I have will work? 

 

 

ltm rule whitelist-http-host-header {
    when HTTP_REQUEST {
        if { [string tolower [HTTP::header values "Host"]] equals "abc.com"} {
            redirect to "HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
        } else {[HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"} 

        }
    }

 

 

 

security
  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Apr 28, 2022

    Hi PG0581,

    when HTTP_REQUEST {
	if { [HTTP::host] eq "abc.com" } {
		HTTP::redirect "https://abc.com[HTTP::uri]"
		return
	} else {
		HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
	}
}

2 Replies

  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Icon for MVP rankMVP
    Apr 28, 2022

    Hi PG0581,

    when HTTP_REQUEST {
	if { [HTTP::host] eq "abc.com" } {
		HTTP::redirect "https://abc.com[HTTP::uri]"
		return
	} else {
		HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
	}
}