With the proliferation of web applications for e-commerce and online banking, sensitive customer information is sometimes carried in HTTP transactions to identify the user or confirm their identity. iRules offer an excellent way to identify that sensitive information and cloak it so it does not reach the wrong hands.

In this example, we will look at how an iRule can cloak a Social Security Number in an application's flow. Keep in mind that the same iRule also applies in an HTTPS scenario, provided HTTPS is substituted appropriately throughout the iRule.

Please note: lines with developer comments are preceded with “#”.

class scrub_uris
For this example we will use an external data group that contains the base URIs whose client requests we want to inspect.

class scrub_uris {
   "/cgi-bin",
   "/account"
}


when HTTP_REQUEST
Since inspecting and buffering content can be expensive in terms of processing, we decide whether or not to inspect a request based on whether its URI starts with one of the entries in the scrub_uris data group. We also downgrade the request to HTTP/1.0 so that the server cannot use chunked transfer encoding and instead returns a response with a Content-Length, which is what the response handler collects against.

when HTTP_REQUEST {
   if { [matchclass [HTTP::uri] starts_with $::scrub_uris] } {
      set scrub_content 1
      # Don't allow data to be chunked
      if { [HTTP::version] eq "1.1" } {
         if { [HTTP::header is_keepalive] } {
            HTTP::header replace "Connection" "Keep-Alive"
         }
         HTTP::version "1.0"
      }
   } else {
      set scrub_content 0
   }
}


when HTTP_RESPONSE
Collect and buffer the entire response before it is sent to the client.

when HTTP_RESPONSE {
   if { $scrub_content } {
      if { [HTTP::header exists "Content-Length"] } {
         set content_length [HTTP::header "Content-Length"]
      } else {
         # No Content-Length header: collect as much data as possible
         set content_length 4294967295
      }
      if { $content_length > 0 } {
         HTTP::collect $content_length
      }
   }
}

when HTTP_RESPONSE_DATA
Now that the entire response is buffered, we inspect the content with a regular expression search and rewrite it wherever it contains a Social Security Number.

when HTTP_RESPONSE_DATA {
   # Find the SSN numbers
   set ssn_indices [regexp -all -inline -indices {\d{3}-\d{2}-\d{4}} [HTTP::payload]]
   # Scrub the SSNs from the response; the mask is the same length as the
   # match, so earlier replacements do not shift the later indices
   foreach ssn_idx $ssn_indices {
      set ssn_start [lindex $ssn_idx 0]
      # regexp -indices returns inclusive end offsets
      set ssn_len [expr {[lindex $ssn_idx 1] - $ssn_start + 1}]
      HTTP::payload replace $ssn_start $ssn_len "xxx-xx-xxxx"
   }
}
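To show what the HTTP_REQUEST selection and HTTP_RESPONSE_DATA rewrite actually do to a response body, here is the same logic re-created in Python as an added example. It is not part of the original iRule or of F5's code: the pattern and the "xxx-xx-xxxx" mask are taken from the iRule above, the data group is reproduced as a tuple, and the HTML response body is a constructed sample. It also shows two things the iRule itself does not make visible: the pattern has no word boundaries, so it matches a nine-digit group embedded in a longer hyphenated number, and the in-place forward loop only stays correct because the mask has exactly the same length as the match.

```python
import re
from typing import List, Tuple

# Data group from the iRule, reproduced here as a plain tuple (assumption:
# matchclass starts_with is a simple prefix test against each entry).
SCRUB_URIS = ("/cgi-bin", "/account")

# Same pattern as the iRule: three digits, two digits, four digits, hyphenated.
SSN_PATTERN = re.compile(rb"\d{3}-\d{2}-\d{4}")
MASK = b"xxx-xx-xxxx"  # 11 bytes, exactly the length of every match

# Constructed sample response body; not captured from any real application.
SAMPLE_RESPONSE = (
    b"<html><body>\n"
    b"<p>Account holder SSN: 123-45-6789</p>\n"
    b"<p>Joint holder SSN: 987-65-4321</p>\n"
    b"<p>Phone: 555-0100</p>\n"
    b"</body></html>\n"
)


def should_scrub(uri: str) -> bool:
    """HTTP_REQUEST decision: inspect only URIs under one of the data group prefixes."""
    return any(uri.startswith(prefix) for prefix in SCRUB_URIS)


def find_ssn_indices(payload: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) pairs with an inclusive end, mirroring the list
    that Tcl's `regexp -all -inline -indices` returns to the iRule."""
    return [(m.start(), m.end() - 1) for m in SSN_PATTERN.finditer(payload)]


def scrub_forward_naive(payload: bytes, mask: bytes) -> bytes:
    """The iRule's foreach loop as written: replace each match in order using
    offsets computed on the original payload.  Correct only while the mask is
    the same length as the match; a shorter or longer mask shifts every later
    offset and leaves fragments of later SSNs behind."""
    buf = bytearray(payload)
    for start, end in find_ssn_indices(payload):
        buf[start:end + 1] = mask  # Tcl indices are inclusive, hence end + 1
    return bytes(buf)


def scrub_payload(payload: bytes, mask: bytes = MASK) -> bytes:
    """Same replacement, but walking the matches from last to first so the
    offsets stay valid for a mask of any length.  With the 11-byte mask the
    result is byte-for-byte what the iRule produces."""
    buf = bytearray(payload)
    for start, end in reversed(find_ssn_indices(payload)):
        buf[start:end + 1] = mask
    return bytes(buf)


if __name__ == "__main__":
    if should_scrub("/account/summary"):
        print(scrub_payload(SAMPLE_RESPONSE).decode())
    # The unbounded pattern also fires inside a longer hyphenated number:
    print(find_ssn_indices(b"order 1234-56-78901"))  # [(7, 17)]
```

Running the block prints the sample page with both SSNs masked and the phone number untouched, and then the single match the pattern finds inside "1234-56-78901", which is why a tighter pattern (or a boundary check) is worth considering before deploying the iRule against pages that also carry long hyphenated identifiers.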

To download this iRule in its entirety, please visit DevCentral Codeshare.

If you have questions about this or how to develop iRules to address your application challenges, post them in the DevCentral iRules Forum.