We would like to consult on the possibility of performing a URL rewrite with the use of an iRule for domain.com. it’s not a good practice for our homepage to show as http://www.domain.com/home/default.htm, the ideal way is to only show www.domain.com which is good for search engine crawlers and improves our search rankings. Would something like this work? when HTTP_RESPONSE { if { [HTTP::status] starts_with "3" } { set origRedir [HTTP::header Location] set newRedir [string map {"/home/default.htm" "" } [HTTP::header Location]] HTTP::header replace Location $newRedir log local0. "Original redirect: $origRedir." log local0. "Rewritten redirect $newRedir" } }

You could do something like the following: when HTTP_REQUEST { if { [HTTP::host] eq "www.domain.com" } { HTTP::uri /home/default.htm } } This is a very simple example of how to take an ordinary request of http://www.domain.com/ and pass it to the web server with the full uri but still hid it from the client's URL Locator. That is of course the if there is something on the domain that redirects it back to using the full URI. Hope this helps CB this would take the request www.domain.com

You'd probably want to add a check so that you only rewrite requests to a URI of / to /home/default.htm: when HTTP_REQUEST { Check if requested URI is / and requested host is www.example.com if {[HTTP::uri] eq "/" and [string tolower [HTTP::host]] eq "www.example.com" Rewrite URI to /home/default.htm HTTP::uri "/home/default.htm" } } Aaron

Thank You for taking time to respond! I'm actually attempting to do just the opposite. (Sorry, I must have made this confusing). When server response to the client with URI "/home/default.htm" I want to make it look for the client like it come from "/". So that client never know what is the default URI for the site is.

First, I think the rule will accomplish that. I assume that currently, the client makes a request to www.example.com/, the server redirects them to http://www.example.com/home/default.htm, the browser follows the redirect updating the address bar to http://www.example.com/home/default.htm and displays the default.htm content. So this iRule prevents the server from having to redirect the client from / to /home/default.htm by rewriting the URI before the request is sent to the server. If you use your original approach to rewrite the application's redirect from http://www.example.com/home/default.htm to http://www.example.com/, the client will probably get redirected in a loop from http://www.example.com/home/ to http://www.example.com/home/default.htm and back. Out of curiosity, why are you trying to do this? Is it for ease of use or based on some security concern? Aaron

Application team asked us to do this because getting www.site.com instead of full URI is good for search engine crawlers and improves site search rankings. True or not we got a request and now need to implement it. I see what you are saying about the redirect happening in the loop. That making it an interesting problem. Clint requests www.site.com Server response with www.site.com/home/default.htm Client then requests www.site.com/home/default.htm I need LTM to intercept www.site.com and send it to /home/default.htm on the background, but how do I prevent client from seeing /home/default.htm when server response back with the page?

Responce URI Masking/Hiding

14 Replies

hooleylist
Cirrostratus
Mar 27, 2009
Hi Gregg,

Why are you trying to hide the path? Is it for security purposes? Or some other reason?

1 isn't really possible. A normal session flow for HTTP would be a client makes a request to /. The web application sends back an HTML response with links in it. If the client clicks on a link, the browser address bar is updated to the new location and the browser makes a request to the web application with the new location set in the request line. You could create a one to one mapping of the URI a client requests to a backend URI, but you cannot say that you want to have the client make a request to /home but have an iRule dynamically rewrite the URI to different paths.

2 is possible to try, but it's easily bypassed. You could use an iRule to check if the path starts with /home and allow access to the pool and for all other requests, redirect the client. However, if a client made a request to /home/../other_directory/ it would pass the iRule logic and be processed as /other_directory/ by the web server.

when HTTP_REQUEST { Check if requested path doesn't start with /home if {not ([HTTP::path] starts_with "/home")}{ Redirect the client to /home HTTP::redirect "http://[HTTP::host]/home" OR Respond with an access denied message HTTP::respond 403 content {some html explaining the response} } }

Aaron
gGnome_32510
Nimbostratus
Mar 31, 2009
Hmmm. I replied to this days ago, but my reply does not appear to have posted. Oh well, another puzzle for the noob. Thanks again for your response, Aaron.

Security is the primary concern, and in that context the less info sent to the user the better. 1 isn't really a requirement, it is more of a goal. I would prefer to hide the paths so the visitor sees "/home" as "/", but there is no value in my hiding /home if its subdirectories are going to 'uncloak' it any way.

If I am going to leave the path visible, the 2 is all the more relevent. I need to pin the visitors within /home and the code you provided above appears to be on track, but you say that it is easily bypassed. I basically understand the iRule, but would you mind explaining further how someone would bypass it??
dennypayne
Employee
Mar 31, 2009
I think Aaron means that a user could simply type the full path with the ".." which would track back up the directory tree and get into those other directories, because the iRule would only fire if /home wasn't in the request. Of course they would have to know to try that, but forced browsing is a popular attack method.

FWIW, the ASM module can restrict traffic flow to the paths you specify which would take care of your 2.

Denny
gGnome_32510
Nimbostratus
Apr 03, 2009
Denny, Thanks for the suggestion. I will look into the ASM. In the meantime, much thanks to both you and Aaron. This gives me a reasonably good start.

-Gregg

Forum Discussion

Responce URI Masking/Hiding

14 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Help with iRule to mask/hide User Personal Information in HTTP Response

URL Browser Mask/Hide with redirect

Hide uri on client side

Regex for dynamic URI

iRule exclude URI