Forum Discussion

Nick_T1
Feb 18, 2016

Stripping headers on response depending on client IP

We're looking to strip some internal headers at the BIG-IP if the client IP is not internal. We could do this in iRules, but it seemed like a good use case for a more rigid/optimized policy. Would it be possible to do something like this: strip headers by name from any response that is not to an internal IP address? I can post the rule snippet we were thinking about if policy isn't possible. After clicking through the policy stuff (and checking the docs), I don't think I see an easy way to do this. We're on v11.6 at this time.

Thanks!

3 Replies

  • Hi Nick,

    you may try this iRule as a starting point...

    when CLIENT_ACCEPTED {
        if { ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) or
             ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] ) or
             ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] ) } then {
            set external_client 0
        } else {
            set external_client 1
        }
    }
    when HTTP_RESPONSE {
        if { $external_client } then {
            HTTP::header remove SILLY_HEADER1
            HTTP::header remove SILLY_HEADER2
            HTTP::header remove SILLY_HEADER3
            HTTP::header remove SILLY_HEADER4
        }
    }

    Note: If your internal network is more complex, you may also check out the [class match] command using IP address based datagroups.

    Update: Corrected the code to strip the header for external clients.

    Cheers, Kai

  • Hi Nick,

    you can also use LTM Policy for this specific task. It's basically just a personal preference in this case... 😉

    itacs@(f5-02)(cfg-sync Standalone)(Active)(/Common)(tmos) list /ltm policy Test
    ltm policy Test {
        controls { forwarding }
        requires { http tcp }
        rules {
            Rule1 {
                actions {
                    0 {
                        http-header
                        remove
                        name SILLY_HEADER1
                    }
                    1 {
                        http-header
                        remove
                        name SILLY_HEADER2
                    }
                    2 {
                        http-header
                        remove
                        name SILLY_HEADER3
                    }
                    3 {
                        http-header
                        remove
                        name SILLY_HEADER4
                    }
                }
                conditions {
                    0 {
                        tcp
                        address
                        not
                        matches
                        values { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/24 }
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    itacs@(f5-02)(cfg-sync Standalone)(Active)(/Common)(tmos) 

    Update: Forgot to negate the condition, so that the headers are getting removed for external clients... 😉

    Cheers, Kai

  • Here is the sample rule that I came up with. Very similar to that which was posted by Kai. However, I modified the conditions slightly as we don't know that the headers will exist for every request, so instead I opted to loop through all headers by name and delete any that match a switch statement. I don't know why I didn't think to try the address as 10.0.0.0/8 or similar, as we already employ that in a class file for a similar purpose elsewhere. Thanks for the reminder and response.

    when HTTP_REQUEST {
      # check for internal state (client address listed in the private_net datagroup)
      if { [class match [IP::client_addr] equals private_net] } {
        set internal_client 1
      } else {
        set internal_client 0
      }
    }
    when HTTP_RESPONSE {
      if { !($internal_client) } {
        # walk every response header; names are compared case-insensitively
        foreach header_name [HTTP::header names] {
          switch [string tolower $header_name] {
            "badheader1" -
            "itwasfordebugging" -
            "whyohwhy" { HTTP::header remove $header_name }
          }
        }
      }
    }
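The decision the three posts implement (classify the client by source address, then drop named response headers for anyone not internal) can be modelled offline so the prefix list and header list can be unit-tested before they go into an iRule or LTM policy. The Python below is an added example written for this thread, not code from the posts or from F5; the network lists, header names and sample response are constructed values. Note that the iRule reply uses 192.168.0.0/16 while the policy listing uses 192.168.0.0/24, so the prefix list is a parameter here and the difference in what each classifies is visible in the tests. Anything that does not parse as an address, or an IPv6 source that is not an IPv4-mapped address, is treated as external, so the headers are stripped by default.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed for this example: the RFC 1918 lists as they appear in the thread.
INTERNAL_NETS_IRULE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
INTERNAL_NETS_POLICY = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24")

# Header names to remove for external clients (matched case-insensitively,
# as the `string tolower` + switch in the third post does).
STRIP_HEADERS = ("badheader1", "itwasfordebugging", "whyohwhy")

# Constructed sample response headers, in the order a server might send them.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("BadHeader1", "pool-member-a"),
    ("ItWasForDebugging", "trace=42"),
    ("Server", "app/1.0"),
    ("WhyOhWhy", "yes"),
]

Header = Tuple[str, str]


def is_internal_client(client_addr: str,
                       internal_nets: Iterable[str] = INTERNAL_NETS_IRULE) -> bool:
    """True only when client_addr parses and falls inside one of internal_nets.

    Unparseable input is external. An IPv4-mapped IPv6 address (::ffff:a.b.c.d)
    is unwrapped and checked as IPv4; any other IPv6 source is external because
    the lists above hold only IPv4 prefixes. Both are fail-closed choices.
    """
    try:
        addr = ipaddress.ip_address(client_addr.strip())
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net in internal_nets:
        network = ipaddress.ip_network(net, strict=False)
        if addr.version == network.version and addr in network:
            return True
    return False


def filter_response_headers(client_addr: str,
                            headers: Iterable[Header],
                            internal_nets: Iterable[str] = INTERNAL_NETS_IRULE,
                            strip: Iterable[str] = STRIP_HEADERS) -> List[Header]:
    """Apply the thread's rule: external client -> drop the listed headers by name."""
    headers = list(headers)
    if is_internal_client(client_addr, internal_nets):
        return headers
    blocked = {name.lower() for name in strip}
    return [(name, value) for name, value in headers if name.lower() not in blocked]


if __name__ == "__main__":
    for client in ("10.0.0.5", "203.0.113.9", "192.168.5.1", "fd00::1"):
        kept = filter_response_headers(client, SAMPLE_RESPONSE)
        print(client, "internal" if is_internal_client(client) else "external",
              [name for name, _ in kept])
```

Running the block prints, for each constructed client, whether it was classified internal and which header names survive; 192.168.5.1 is internal with the /16 list from the iRule and external with the /24 list from the policy, which is the kind of discrepancy worth catching in a test before a deployment.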