
iRules for 403 forbidden error

RichardDumag
Nimbostratus

Is it possible to create an iRule to remove specific POST request header information to avoid the 403 forbidden error that is generated from an Oracle Apex application?

 

For example, the Origin information below triggers a 403 forbidden message when accessing the application using Edge, Chrome, or Firefox.

I would like to create an iRule to remove the Origin information from the header.

 

Thanks!

 

----------------------------------------------------------------------------------------------------------------------------------------------------

 

POST /apex_extprd/wwv_flow.ajax HTTP/1.1
Host: www.testapp.com
Connection: keep-alive
Content-Length: 224
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://www.testapp.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.testapp.com/apex_extprd/f?p=119:1::::::
Accept-Language: en-US,en;q=0.9
Cookie: ORA_WWV_APP_119=ORA_WWV-ubwLNBy7vUJxSlt4gD_tmjmL
X-Forwarded-For: 192.168.1.101

1 ACCEPTED SOLUTION

Hi RichardDumag,

 

You can customize the HTTP profile to erase a request header.

Local Traffic  ››  Profiles : Services : HTTP ›› http-profile ››  Request Header Erase

 

Request Header Erase: Indicates the name of an HTTP request header that the BIG-IP system removes from the client request. Only one header can be removed per pool, unless you are using LTM Policies or iRules.

 

iRule:

when HTTP_REQUEST {
    HTTP::header remove "Origin"
}

URI based:

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] equals "/apex_extprd/wwv_flow.ajax" } {
        HTTP::header remove "Origin"
    }
}
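
The Origin header is what lets a server tell same-site requests from cross-site ones, so erasing it for every client also erases that signal. The iRule below is an added example, not part of the original answer: it removes Origin only when the value matches an allowlisted origin and answers 403 at the BIG-IP otherwise. The allowlisted value is taken from the sample request in the question, and the variable name `static::apex_allowed_origin` is a hypothetical choice.

```tcl
# Added example, not from the original thread.
# Assumption: https://www.testapp.com (from the sample request) is the only
# origin that should be able to call the APEX AJAX endpoint.
when RULE_INIT {
    # Hypothetical variable name; adjust the value to the published site origin.
    set static::apex_allowed_origin "https://www.testapp.com"
}

when HTTP_REQUEST {
    # HTTP::path ignores any query string, unlike HTTP::uri.
    if { [string tolower [HTTP::path]] ne "/apex_extprd/wwv_flow.ajax" } {
        return
    }

    # Requests without an Origin header are passed through unchanged.
    if { ![HTTP::header exists "Origin"] } {
        return
    }

    set origin [string tolower [HTTP::header value "Origin"]]

    if { $origin eq $static::apex_allowed_origin } {
        # Same-origin request: safe to strip the header before the pool member sees it.
        HTTP::header remove "Origin"
    } else {
        # Cross-origin request: keep the protection the backend check provided.
        log local0.warning "Rejected Origin '$origin' from [IP::client_addr] for [HTTP::host][HTTP::path]"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}
```

With this in place the rejected origins show up in /var/log/ltm, which gives a record of cross-site attempts that unconditional header erasure would hide.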

 

2 REPLIES 2

RichardDumag
Nimbostratus

Hi Enes. Thank you for the quick response and information. The request header erase seems to have resolved our issue.

 

Richard