
We set up our website to run on the Play framework. It is running HTTP on 9000. We can access the site by going to http://servername.domain.com:9000 where servername is the name of the webserver.

We also set up our F5 load balancer to redirect all traffic from http to https and traffic from port 443 to 9000. We set up a domain name for the F5, vip.domain.com, which connects to this webserver on the backend. We took the other webservers out of the pool to debug, so there's only one server in the pool currently.

When I go to the site on Chrome, if we go to http://vip.domain.com, the F5 redirects us to https://vip.domain.com and we get the green padlock and it says "Secure".

When I enter http://server.domain.com:9000, it says "Not Secure" and we don't get the padlock.

Someone did a security scan and said we are sending things in the clear unencrypted. We've done all our testing and told everyone to go to http://vip.domain.com, but I guess the scan used http://servername.domain.com:9000.

Is there a way to make http://servername.domain.com:9000 not work but still leave port 9000 open for http://vip.domain.com? We have access to make changes to both the server and the VIP if needed.

Classified
  • 163
  • 2
  • 6

2 Answers

3

This is simple to do with an iRule:

when HTTP_REQUEST {
  if { [HTTP::host] equals "servername.domain.com" } {
    # send a TCP reset
    reject

    # alternatively, redirect somewhere else
    # HTTP::redirect "http://www.somedomainyoufindentertaining.com"
  }
}

(Almost verbatim from https://devcentral.f5.com/questions/block-domain-redirect)

Just reference this in the virtual server handling the port 9000 traffic. You can also get more creative with the condition deciding whether or not to reject the connection.

Brandon Xavier
  • 2,022
  • 13
  • 15
2

The simplest way is to set up a firewall that will block port 9000 from any host other than the load balancer IP (provided it's not dynamic).

Simple rules:

iptables -A INPUT -p tcp --dport 9000 -m comment --comment 'allow LB traffic' -s LB.IP.ADDR.HERE -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -m comment --comment 'drop all other requests to 9000' -j DROP

These will :

  • allow port 9000 from the LB machine (you can add more rules for more LBs)
  • block all other traffic to port 9000

The even better way would be detecting in your application which domain is used in the connection, and making a redirect to the secure address when the wrong one is used. I'm not sure about your framework/application, but most of the bigger ones provide such mechanisms.

bocian85
  • 822
  • 5
  • 10
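The last paragraph of this answer (do the host check in the application and redirect to the secure name) is the one option that works whether or not the request came through the F5, so here it is worked through as an added example. This is not code from the answer and not Play framework code; it is a stand-in in Python, written as a WSGI middleware, for the kind of filter the answer says most frameworks provide. Two details from the comment thread are built in: the application only believes `X-Forwarded-Proto` when the peer is the load balancer (the F5 SNATs, so proxied traffic arrives from the F5's own address; a direct client could otherwise forge the header), and a cleartext non-GET request gets a 403 rather than a redirect, because its body has already crossed the wire in the clear and a redirect would only invite the browser to replay it. `vip.domain.com` and port 9000 are the thread's own names; the F5 self-IP `192.0.2.10` and the client addresses in the usage are made-up placeholders.

```python
# Added example, not from the original answer and not Play code: an
# application-side guard that serves only requests for the canonical HTTPS
# name and sends everything else (direct hits on :9000, wrong Host header,
# cleartext through the LB) to https://vip.domain.com.
from typing import Mapping, Optional, Tuple
from urllib.parse import quote

CANONICAL_HOST = "vip.domain.com"            # the F5 virtual server name (from the thread)
BACKEND_PORT = 9000                           # Play's HTTP listener (from the thread)
TRUSTED_PROXIES = frozenset({"192.0.2.10"})   # ASSUMED F5 self-IP; replace with the real one


def decide(remote_addr: str, headers: Mapping[str, str], method: str = "GET",
           path: str = "/", query: str = "") -> Tuple[int, Optional[str]]:
    """Return (status, location): 200 serve as-is, 301 redirect, 403 refuse.

    remote_addr is used for one thing only: deciding whether X-Forwarded-Proto
    may be believed.  Proxied traffic arrives from the F5's own IP, a direct
    connection to :9000 arrives from the client and is cleartext by definition.
    """
    host = headers.get("host", "").split(":", 1)[0].lower()   # drop ":9000"
    if remote_addr in TRUSTED_PROXIES:
        proto = headers.get("x-forwarded-proto", "http").lower()
    else:
        proto = "http"   # ignore a forged X-Forwarded-Proto from a direct client
    if host == CANONICAL_HOST and proto == "https":
        return 200, None
    if method.upper() not in ("GET", "HEAD"):
        # The body already went over the wire in the clear; do not redirect it
        # (a 307/308 would make the browser resend it).
        return 403, None
    # Re-encode path and query so a hostile request cannot inject into Location.
    target = "https://" + CANONICAL_HOST + quote(path, safe="/")
    if query:
        target += "?" + quote(query, safe="=&%")
    return 301, target


def check_environ(environ: Mapping[str, str]) -> Tuple[int, Optional[str]]:
    """Map a WSGI environ onto decide() so the policy stays testable without I/O."""
    headers = {k[5:].replace("_", "-").lower(): v
               for k, v in environ.items() if k.startswith("HTTP_")}
    return decide(environ.get("REMOTE_ADDR", ""), headers,
                  environ.get("REQUEST_METHOD", "GET"),
                  environ.get("PATH_INFO", "/") or "/",
                  environ.get("QUERY_STRING", ""))


def guard_wsgi(app):
    """WSGI middleware: wrap the real application with the host/proto policy."""
    def wrapped(environ, start_response):
        status, location = check_environ(environ)
        if status == 200:
            return app(environ, start_response)
        if status == 301:
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Use https://" + CANONICAL_HOST.encode() + b"\n"]
    return wrapped


if __name__ == "__main__":
    # Constructed requests: proxied-and-secure, direct hit, forged header, POST.
    print(decide("192.0.2.10", {"host": "vip.domain.com", "x-forwarded-proto": "https"}))
    print(decide("198.51.100.7", {"host": "servername.domain.com:9000"}))
    print(decide("198.51.100.7", {"host": "servername.domain.com:9000",
                                  "x-forwarded-proto": "https"}, "GET", "/login", "next=%2Fadmin"))
    print(decide("198.51.100.7", {"host": "vip.domain.com"}, "POST", "/login"))
```

Keep in mind what this does and does not fix: the scanner's finding was that cleartext reaches the server at all, and the redirect only helps a browser that typed the wrong URL; whatever that first request carried (session cookie, form data) has already been sent unencrypted. The application-side check therefore complements the iptables rules above rather than replacing them, and the F5 still has to be configured to insert `X-Forwarded-Proto: https` on the 443 virtual server for the canonical path to get a 200.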
  • Certainly an iptables solution is valid, but if he has an F5 in place, might as well use it . . . – Brandon Xavier Sep 19 '17 at 21:54
  • 1
    I think the problem here, guys, is not F5 configuration but the fact you can access the application on the target server bypassing the F5 without any redirection; how can an iRule fix that? Unless I don't understand something here. – bocian85 Sep 19 '17 at 22:02
  • F5 iRules give him the ability to inspect the HTTP request and act upon it - such as in my example ("reject the connection on port 9000 if the domain was servername.domain.com"). This is an extremely trivial example - F5s can do very complex iRule processing in a carrier grade environment. – Brandon Xavier Sep 19 '17 at 22:04
  • If that is also on the F5 infrastructure then probably you are right. – bocian85 Sep 19 '17 at 22:05
  • Well then read the OP question again, it's `http://server.domain.com:9000`, and `http://vip.domain.com` is on F5; no mention of where the `http://server.domain.com` is – bocian85 Sep 19 '17 at 22:08
  • It's a matter of how the virtual servers are setup on the F5. He may or may not be using a single VS for both types of traffic. – Brandon Xavier Sep 19 '17 at 22:10
  • exactly, we miss the last detail piece to suggest the working solution – bocian85 Sep 19 '17 at 22:10
  • Thank you all for your interest and help. I will let the sys admin know what you said about the F5 rules. That and I don't have access to the F5 to create these rules. With that said, server.domain.com is behind the F5 so if someone goes to vip.domain.com, the F5 will direct them to server.domain.com:9000, reverse proxy so traffic on VIP:443->server:9000 (mistyped in the original question). – Classified Sep 19 '17 at 22:59
  • If both URLs are handled by the F5, this one will pass its own IP address to the target server, so you cannot filter on the F5 IP. If `X-Forwarded-For` is set on the F5 then the target server will only see the client IP, so you cannot filter on this either. In this case `iptables` does not seem to be relevant here. The target server will only see the F5 IP on its heartbeat traffic. An iRule filter based on server name seems a good option. – krisFR Sep 19 '17 at 23:20
  • So I brought this posting up to our sysadmins. They said not all traffic goes through the F5. People can circumvent the F5 and go directly to the server, so iptables is the way to go. We haven't implemented this answer yet since there are other issues we're dealing with, but it seems like this is the way we'll need to use going forward. Thanks for the answer. – Classified Oct 05 '17 at 22:24
  • Use iRules or content policies. iptables on F5 BIG-IP only works for "management/control" traffic, not for "dataplane" traffic – Alec Istomin Oct 19 '17 at 00:04