Forum Discussion

James_Thomson
Jan 06, 2005

Make sure client cert data passed in header to server isn't coming from client?

When BigIP is configured for client-side certs and is extracting fields from the client cert and placing them in HTTP headers to pass downstream, does it have any way of determining or checking that the headers it passed are the ones it generated and not something that somehow got passed through the box?

For example, if I had a rule that would search client certificate information and pull out the username and DN and then create an HTTP header called "myheader" and insert that data in there, could I preface that rule with a piece that first checks whether someone is trying to send an HTTP header "myheader" and deletes it if it exists?

Would it be easier to create an HTTP profile and just have it erased there?

2 Replies

  • bl0ndie_127134
    Historic F5 Account
    You can use the rule
    HTTP::header sanitize [allowed header names]
    to create a white list of headers and strip out all but those headers from the request or response. Note that the rule will not remove the essential/required HTTP headers.

    # White list: every header not named here is stripped (required HTTP headers are kept).
    set allowed_headers {goodHeader1 goodHeader2 goodHeader3}
    HTTP::header sanitize $allowed_headers

    The previous example works well if you know all the allowed headers ahead of time. Here is a slightly longer version that sanitizes using a black list of headers.

    # Start from the header names the client actually sent, then drop every
    # occurrence of the blacklisted name from that list. lsearch is
    # case-sensitive, while HTTP header names are not, so mind the case.
    set http_headers [HTTP::header names]
    while { [set index [lsearch $http_headers "badHeader"]] != -1 } {
        set http_headers [lreplace $http_headers $index $index]
    }
    # Keep only the headers that survived the black list.
    HTTP::header sanitize $http_headers
  • Ravi_Natarajan_
    Historic F5 Account
    I guess doing it with an http profile would be efficient:

    profile http FP_http {
        defaults from http
        header erase "myheader"
    }
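
Putting the two replies together, here is an added example iRule (editor's example, not code from either poster or from F5's own documentation) that does what the original question describes: drop any client-supplied copy of the header first, then insert the value read from the TLS layer. The header names myheader and X-Client-DN, the variable names cert_dn and cert_cn, and the assumption that the virtual server's client SSL profile requests a client certificate are all mine.

```tcl
# Added example: strip untrusted copies of cert-derived headers, then insert
# the values taken from the client certificate presented during the handshake.
# Assumes a client SSL profile on the virtual server that requests client certs.

when CLIENTSSL_CLIENTCERT {
    # Capture the subject DN once per TLS handshake. Variables set in an
    # iRule are scoped to the connection, so HTTP_REQUEST can read them later.
    set cert_dn ""
    set cert_cn ""
    if { [SSL::cert count] > 0 } {
        set cert_dn [X509::subject [SSL::cert 0]]
        # Pull the CN out of the DN as the "username" (assumes a CN=...,
        # comma-separated DN layout).
        set cert_cn [findstr $cert_dn "CN=" 3 ","]
    }
}

when HTTP_REQUEST {
    # 1. Never trust these names from the client: remove every instance.
    #    HTTP::header remove strips one occurrence, so loop until none remain.
    foreach h {"myheader" "X-Client-DN"} {
        while { [HTTP::header exists $h] } {
            HTTP::header remove $h
        }
    }

    # 2. Re-insert the headers only from values the BIG-IP itself obtained
    #    from the certificate. If no cert was seen, nothing is inserted and
    #    the backend sees no header at all rather than a client-supplied one.
    if { [info exists cert_dn] && $cert_dn ne "" } {
        HTTP::header insert "X-Client-DN" $cert_dn
        HTTP::header insert "myheader" $cert_cn
    }
}
```

The while loop matters: a single HTTP::header remove would leave a second, client-supplied copy of the header in place if the client sent it twice. Also note that CLIENTSSL_CLIENTCERT only fires on a full handshake; with SSL session resumption the DN is not re-read on the new connection, so a production version caches the DN keyed on the TLS session ID (session add / session lookup) rather than relying on a per-connection variable as this example does.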