Forum Discussion

siru_129409's avatar
siru_129409
Icon for Nimbostratus rankNimbostratus
Aug 03, 2015

Masking / Removing a portion of url in user browser in F5 APM

Hi Guyz

 

I have setup F5 APM and published some application, Remote Desktop and network access on a full webtop and it is working fine.

 

Now i stuck with one scenario. i have to hide/mask/remove a portion of URL which is showing on the user browser.

 

currently in user browser showing following url

 

https://192.168.5.76/vdesk/webtop.eui?webtop=/Common/AMT_Admin&webtop_type=webtop_full

 

can I hide this portion (vdesk/webtop.eui?webtop=/Common/AMT_Admin&webtop_type=webtop_full) of url so that the user can see only https://192.168.5.76 in the browser.

 

is this possible.? if it is possible pleas guide me I am stuck with this for the last few days

 

Any help would be highly appreciated.

 

availability
BIG-IP Access Policy Manager (APM)
security
TMOS
TMSH

4 Replies

Sort By
  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    Aug 03, 2015

    Hi, you could try to implement an irule to store the uri in a cookie.

     

    you will need to use ACCESS::restrict_irule_events disable to be able to see those types of urls in irule.

     

    and find proper event to do the substitution .

     

  • siru_129409's avatar
    siru_129409
    Icon for Nimbostratus rankNimbostratus
    Aug 03, 2015

    Hi Thanks for your reply. I pretty new rule to irule. could you please provide any sample irule for this setup.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 03, 2015

    The issue here is that browsers don't really work that way. What is displayed in the address bar is what they're going to ask for, and to change or hide that is usually not a simple task. You could, as Arnaud suggests, write some complex code to push the URL into browser side JavaScript (and possibly cookies) and then try to make the browser doing everything asynchronously (ie. Ajax), but then you're literally rewriting the application. In fact this is exactly what Ajax (client side asynchronous JavaScript) achieves.

     

    But even if you did that, you're not really providing any real security. The client still has to make these requests and a clever user can still see exactly what's going on. Most application devs these day, long after the Ajax hype has passed, have realized that a RESTful, transparent experience is usually the best way to go.