Forum Discussion

Yiannis_CDJ_F5
Aug 23, 2022

Node revealed during HTTPS CAS authentication - irule

In F5, on a specific HTTP VIP (e.g. VIP_TOTO 192.168.1.5), we use an iRule where we redirect several applications through the same hostname.

Hostname: hosttest1.mydomain.com, resolves to the same IP as the VIP: 192.168.1.5

Some applications work as a reverse proxy and some others just perform a redirection. The problem occurs on an application that should work as a reverse proxy. Let's say the application is http://hosttest1/toto

We use this iRule structure to hide the node behind hosttest1/toto

+-------------------------------------------------------------+
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "hosttest1.mydomain.com" -
        "hosttest1" {
            # Reverse-proxied application: send to its pool
            if { ([HTTP::uri] starts_with "/toto") } {
                pool POOL_toto
            }
            # Redirected application: send the client to its own hostname
            if { ([HTTP::uri] starts_with "/example1") } {
                HTTP::redirect "http://example1.mydomain.com[HTTP::uri]"
            }
            # etc (other application paths)
            # etc (other application paths)
        }
    }
}

when HTTP_RESPONSE {
}
+-------------------------------------------------------------+

POOL_toto contains the server "back_end_srv.mydomain.com:7777" which requires HTTPS CAS authentication.

The problem is: http://hosttest1/toto >> redirects to HTTPS CAS server, then instead of having

Response header location: https://cas_server/cas/login=?http://hosttest1/toto

we have

Response header location: https://cas_server/cas/login=?http://back_end_srv.mydomain.com:7777/toto

As you see, the node is revealed in the location header URL and then, as soon as we are authenticated, we are redirected to the server back_end_srv.mydomain.com:7777.

This is the only application that is using HTTPS CAS, whereas all the other applications that pass through the same hostname hosttest1 use HTTP CAS authentication and they hide their nodes correctly (without adding configuration in the HTTP_RESPONSE of the iRule). As all the applications pass through the same HTTP VIP, we should modify the iRule in a way that doesn't affect the other applications.

Why doesn't F5 rewrite the response location behind this HTTP VIP when a node with HTTPS CAS is used, while it does rewrite it when HTTP CAS is used? Thank you in advance.
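One way to keep the pool member out of the redirect without touching the other applications, as an added example that is not part of the original post or an F5-supplied rule: flag only `/toto` requests and rewrite the `Location` header of their redirects. It assumes the backend builds the CAS service URL from its own name and that the name may appear percent-encoded in the query string; the variables `rewrite_toto` and `client_host` are hypothetical names.

```tcl
when HTTP_REQUEST {
    # Reset per request so keep-alive connections do not carry the flag over.
    set rewrite_toto 0
    switch [string tolower [HTTP::host]] {
        "hosttest1.mydomain.com" -
        "hosttest1" {
            if { [HTTP::uri] starts_with "/toto" } {
                # Remember the public name the client used for this request.
                set client_host [HTTP::host]
                set rewrite_toto 1
                pool POOL_toto
            }
            # Other application paths stay exactly as in the existing iRule.
        }
    }
}

when HTTP_RESPONSE {
    # Only redirects answering a /toto request are inspected.
    if { $rewrite_toto && [HTTP::is_redirect] && [HTTP::header exists "Location"] } {
        set loc [HTTP::header value "Location"]
        # Replace the node name in both its literal and percent-encoded form.
        set new_loc [string map -nocase [list \
            "back_end_srv.mydomain.com:7777"   $client_host \
            "back_end_srv.mydomain.com%3A7777" $client_host \
        ] $loc]
        if { $new_loc ne $loc } {
            HTTP::header replace "Location" $new_loc
        }
    }
}
```

CAS compares the service URL again when the application validates the ticket, so the backend must present the same public URL at that step or validation can fail after the rewrite.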

4 Replies