Forum Discussion

Eduardo_SCR_151's avatar
Eduardo_SCR_151
Icon for Nimbostratus rankNimbostratus
Jan 09, 2017

Internal IP shown in http redirects

Hello. We have seen that with our configuration it is possible to gather the internal VIP address. This happens when the clients sends a request with the host header empty, and the real server answer with a redirect. In this situation, the F5 (11.5.3) rewrites the location header with the VIP address (which is not the public IP address). I would like to avoid that. In the normal use, all browsers will use a correct value in the host header, but it is possible to generate requests with an empty host header. The http profile is:

ltm profile http http_rewrite_matching {
app-service none
defaults-from http
proxy-type reverse
redirect-rewrite all
server-agent-name none

ltm profile http http {
accept-xff disabled
app-service none
basic-auth-realm none
encrypt-cookies none
enforcement {
    max-header-count 64
    max-header-size 32768
    max-requests 0
    pipeline allow
    truncated-redirects disabled
    unknown-method allow
}
fallback-host none
fallback-status-codes none
header-erase none
header-insert none
insert-xforwarded-for disabled
lws-separator none
lws-width 80
oneconnect-transformations enabled
proxy-type reverse
redirect-rewrite none
request-chunking preserve
response-chunking selective
response-headers-permitted none
server-agent-name none
sflow {
    poll-interval 0
    poll-interval-global yes
    sampling-rate 0
    sampling-rate-global yes
}
via-request preserve
via-response preserve
xff-alternative-names none

}

2 Replies

  • I am not sure if there is a way to prevent it in the response. You can drop any such request without HTTP host header using iRule.

     

  • Have you considered writing an irule to solve the issue?

    when HTTP_RESPONSE {
        if { [HTTP::is_redirect] } {
            HTTP::header replace Location [string map {"10.0.0.1" "1.1.1.1"} [HTTP::header Location]]
        }
    }
    

    /Patrik