viks_96432
Oct 05, 2012

HTTPS header stripping

Does F5 by default do any HTTPS header stripping? There is a requirement not to strip off the HTTPS headers and I am not sure if F5 does this by default :(.

We are using SSL client profile on the F5 and running 9.4.x code.

Thanks,
viks


7 Replies

  • This is 10.2.4 hf3.

    [root@ve10:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:443
       ip protocol 6
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config # b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    
    [root@ve10:Active] config # ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
    New TCP connection 1: 192.168.206.57(65356) <-> 172.28.19.79(443)
    1 1  1349409027.6033 (0.0031)  C>SV3.1(143)  Handshake
    1 2  1349409027.6033 (0.0000)  S>CV3.1(81)  Handshake
    1 3  1349409027.6033 (0.0000)  S>CV3.1(953)  Handshake
    1 4  1349409027.6033 (0.0000)  S>CV3.1(4)  Handshake
    1 5  1349409027.6103 (0.0069)  C>SV3.1(262)  Handshake
    1 6  1349409027.6103 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
    1 7  1349409027.6103 (0.0000)  C>SV3.1(36)  Handshake
    1 8  1349409027.6249 (0.0145)  S>CV3.1(1)  ChangeCipherSpec
    1 9  1349409027.6249 (0.0000)  S>CV3.1(36)  Handshake
    1 10 1349409027.6432 (0.0183)  C>SV3.1(22)  Alert
    1    1349409027.6432 (0.0000)  S>C  TCP FIN
    1    1349409027.6432 (0.0000)  C>S  TCP RST
    New TCP connection 2: 192.168.206.57(65357) <-> 172.28.19.79(443)
    2 1  1349409031.1161 (0.0019)  C>SV3.1(143)  Handshake
    2 2  1349409031.1162 (0.0000)  S>CV3.1(81)  Handshake
    2 3  1349409031.1162 (0.0000)  S>CV3.1(953)  Handshake
    2 4  1349409031.1162 (0.0000)  S>CV3.1(4)  Handshake
    2 5  1349409031.1183 (0.0021)  C>SV3.1(262)  Handshake
    2 6  1349409031.1183 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
    2 7  1349409031.1183 (0.0000)  C>SV3.1(36)  Handshake
    2 8  1349409031.1270 (0.0086)  S>CV3.1(1)  ChangeCipherSpec
    2 9  1349409031.1270 (0.0000)  S>CV3.1(36)  Handshake
    2 10 1349409031.1311 (0.0041)  C>SV3.1(22)  Alert
    2    1349409031.1311 (0.0000)  S>C  TCP FIN
    2    1349409031.1311 (0.0000)  C>S  TCP RST
    New TCP connection 3: 192.168.206.57(65358) <-> 172.28.19.79(443)
    3 1  1349409032.2442 (0.0019)  C>SV3.1(143)  Handshake
    3 2  1349409032.2442 (0.0000)  S>CV3.1(81)  Handshake
    3 3  1349409032.2442 (0.0000)  S>CV3.1(953)  Handshake
    3 4  1349409032.2442 (0.0000)  S>CV3.1(4)  Handshake
    3 5  1349409032.2463 (0.0021)  C>SV3.1(262)  Handshake
    3 6  1349409032.2463 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
    3 7  1349409032.2463 (0.0000)  C>SV3.1(36)  Handshake
    3 8  1349409032.2551 (0.0087)  S>CV3.1(1)  ChangeCipherSpec
    3 9  1349409032.2551 (0.0000)  S>CV3.1(36)  Handshake
    3 10 1349409032.2572 (0.0020)  C>SV3.1(308)  application_data
        ---------------------------------------------------------------
        GET / HTTP/1.1
        Host: 172.28.19.79
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: keep-alive
    
        ---------------------------------------------------------------
    New TCP connection 4: 200.200.200.10(65358) <-> 200.200.200.101(80)
    1349409032.2602 (0.0029)  C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    Host: 172.28.19.79
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    
    ---------------------------------------------------------------
    
    1349409032.2621 (0.0019)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Date: Fri, 05 Oct 2012 04:06:52 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    ...snipped...
    ---------------------------------------------------------------
    
    3 11 1349409032.2622 (0.0050)  S>CV3.1(344)  application_data
        ---------------------------------------------------------------
        HTTP/1.1 200 OK
        Date: Fri, 05 Oct 2012 04:06:52 GMT
        Server: Apache/2.2.3 (CentOS)
        Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
        ETag: "4183e4-3e-9c564780"
        Accept-Ranges: bytes
        Content-Length: 62
        Connection: close
        Content-Type: text/html; charset=UTF-8
    
    ...snipped...
        ---------------------------------------------------------------
    4    1349409032.2622 (0.0000)  S>C  TCP FIN
    3    1349409032.2622 (0.0000)  S>C  TCP FIN
    3 12 1349409032.2641 (0.0018)  C>SV3.1(22)  Alert
    3    1349409032.2641 (0.0000)  C>S  TCP FIN
    4    1349409032.2641 (0.0019)  C>S  TCP FIN
    
  • Sorry, didn't get you.

    Do you mean to say by default F5 strips off the headers?
  • HTTPS Headers? What exactly do you mean by HTTPS headers? Do you mean NOT terminate the SSL connection and pass the SSL through to the selected Pool Member?
  • The SSL connections are terminated on the F5 and the connection between the F5 and the pool member is not encrypted.

    I believe there is a way you can strip off the HTTP header information as the connection goes through an F5 using iRules, but my question is does F5 do this by default? This is useful in cases where sensitive information like user credentials are included in the HTTP header.
  • Ah OK, so you mean HTTP headers. No headers are stripped by default unless you use HTTP Compression, in which case the Accept-Encoding: header is removed by default to avoid content being compressed by the server and the F5.
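
An added example, not part of any reply above and not F5 code: a Python check that reads `ssldump -Aed` output in the layout of the capture in the first reply and reports which request headers differ between the decrypted client side and the plaintext pool-member side. The sample capture is constructed from that reply's values, with Accept-Encoding dropped on the server side to show the compression case from the last reply; the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `ssldump -Aed` output: the decrypted
# client-side request, then the plaintext request sent to the pool member.
SAMPLE = """\
3 10 1349409032.2572 (0.0020)  C>SV3.1(308)  application_data
    ---------------------------------------------------------------
    GET / HTTP/1.1
    Host: 172.28.19.79
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    ---------------------------------------------------------------
New TCP connection 4: 200.200.200.10(65358) <-> 200.200.200.101(80)
1349409032.2602 (0.0029)  C>S
---------------------------------------------------------------
GET / HTTP/1.1
Host: 172.28.19.79
Connection: keep-alive

---------------------------------------------------------------
"""

RULE = re.compile(r"^\s*-{20,}\s*$")            # dashed line around each payload
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")

def http_requests(dump):
    """Return [(request_line, {lowercased header: value})] for each request block."""
    requests, block = [], None
    for line in dump.splitlines():
        if RULE.match(line):
            if block and REQUEST_LINE.match(block[0]):
                head = block[1:block.index("")] if "" in block else block[1:]
                pairs = (h.split(":", 1) for h in head if ":" in h)
                requests.append((block[0], {k.strip().lower(): v.strip() for k, v in pairs}))
            block = [] if block is None else None   # rules alternate open/close
        elif block is not None:
            block.append(line.strip())
    return requests

def header_diff(client_side, server_side):
    """Headers the proxy removed, added or rewrote between the two sides."""
    c, s = client_side[1], server_side[1]
    return {
        "removed": sorted(c.keys() - s.keys()),
        "added": sorted(s.keys() - c.keys()),
        "changed": sorted(k for k in c.keys() & s.keys() if c[k] != s[k]),
    }
```

Run against the unmodified capture in the first reply, the same comparison returns three empty lists, which is what "no headers are stripped by default" looks like on the wire.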