Forum Discussion

Mike_Singer_599's avatar
Mike_Singer_599
Icon for Nimbostratus rankNimbostratus
Jan 11, 2012

Removing server header from http to https redirect

We have been asked to remove this by a client based on a pentest. I can find referernces to the noserver option in other posts but not the complete irule that incorrpates that w/ the redirected command. We are just using a redirect command that is very simple as follows:

 

 

when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }

 

 

Does any know what a proper irule would be that does this base redirect w/o adding the server header?

 

 

Thanks in advance.

3 Replies

  • can you try this?

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]"
    }
    }
    
    [root@ve1023:Active] config  curl -I http://172.28.19.79/test
    HTTP/1.0 302 Found
    Location: https://172.28.19.79/test
    Connection: Keep-Alive
    Content-Length: 0
    
    
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    To clarify, the iRule portion of Nitass post above is just:

    
    when HTTP_REQUEST {
      HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]"
    }
    

    And he's right on, as usual. The idea is that you are setting a very specific response rather than using the pre-formatted redirect. The other option would be to specifically remove the header in question somewhere later down the line, like HTTP_REQUEST_SEND or the like, which is probably more involved.

    Colin