Unofficial - F5 Certification Exam Prep Material > F5 301A - BIG-IP LTM Specialist Labs - Created 11/01/19 > Lab 2 - Profiles Source | Edit on
Securing Web Applications¶
Securing web applications with the HTTP profile¶
Here you are going to perform some custom profile alterations to help secure the web site. You are going to make sure hackers cannot see error codes returned, scrub the response headers of extraneous and potentially dangerous information and encrypt the persistence cookie to prevent tampering.
Obtain the cookie name and information by browsing to https://10.1.10.115/ and open the Display Cookie. The cookie name is everything in front of the = sign. How BIG-IP creates cookies for Cookie Insert persistence can be found at https://support.f5.com/csp/article/K6917. After reading this article you could craft a cookie to hit a particular server.
Q1. What is the cookie name? Note the information after the cookie.
Let’s begin by creating a custom HTTP profile.
Name: | secure-my-website | |
---|---|---|
Set the Fallback Host | http://www.f5.com | |
Fallback on Error Codes | 404 500-505 | The fallback site if an error is received |
Response Headers Allowed | Content-Type Set-Cookie Location | |
Encrypt Cookies | <cookie name you obtained earlier> | |
Cookie Encryption Passphrase | xcookie | |
Confirm Cookie Encryption Passphrase | xcookie | |
Insert XForwarded For | Enable | Example of modify headers |
Q2. What is in the X-Forwarded-For header? Why might you want to enable it?
Attach your new HTTP Profile to your secure_vs virtual server
Browse to https://10.1.10.115.
Do the web pages appear normal? On the web page under, HTTP Request and Response Information select the Request and Response Headers link.
Open a new browser to http://10.1.10.100. On the web page under, HTTP Request and Response Information select the Request and Response Headers link.
Q3. Are they the same? What is different?
Now browse to a bad page.
For example, https://10.1.10.115/badpage
Q4. What is the result?
Under, HTTP Request and Response Information select the Display Cookie link.
Q5. What is different from the cookie at the start of the task?
Note
Even though the data is encrypted between your browser and the virtual server, the LTM can still modify the data (i.e. resource cloaking) because the data is unencrypted and decompressed within TMOS.
Using iRules¶
By now you should be thoroughly sick of trying to remember to type https:// in every time you want to access your secure web site. Not only is that easily rectify on the BIG-IP, but it is much more secure than opening up port 80 on your secure web servers, so that they can perform a redirect.
While it would be easy to write your own redirect iRule, you note F5 has one prebuilt that you can use.
Example of simple redirect iRule:
when HTTP_REQUEST {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
Go to Local Traffic > iRules
In the search box at the top of the list of iRules, type redirect and hit Search.
Open the iRule and take a quick look. This is a F5 Verified and F5 supported iRule.
Create your HTTP-to-HTTPS redirect virtual server.
Go to Local Traffic > Virtual Servers and create a new virtual server.
Name | redirect_to_secure_vs |
---|---|
Destination | <same IP as secure_vs> |
Service Port | 80 (HTTP) |
Source Address Translation | None <you don’t need this, this traffic is going nowhere> |
iRule | _sys_https_redirect |
Hit Finished
WOW! That didn’t go too far did it. You just got an error. If you are going to redirect the HTTP request you need the HOST and URI information and that requires looking into the HTTP protocol.
Test your new virtual by going to http://10.1.10.115.
You should be redirected to the HTTPS virtual server.
As you can see very small iRules can make a very big difference. On the exam, you may be asked to identify the iRule that would best solve an issue. So, you should be familiar with basic iRules syntax.