Channel: General - KEMP Technologies Community Forums

HTTP to HTTPS Redirect exposes Internal Virtual IP

As part of our internal vulnerability scanning, we discovered that when using the built-in redirect to go from HTTP to HTTPS, the redirect exposes the internal IP address of the HTTPS Virtual service.

We created the redirect service by setting "Rewrite Rules" to HTTPS from within the HTTPS virtual service. This automatically creates a "redirect service" in the list of Virtual services.

Using packet capture software such as Burp Suite, one can load the HTTP address of the site. Then, by eliminating the 'host' header of the request and forwarding the request to the LM, the LM responds with a 302 response which includes the Internal IP address of the virtual service. For Apache web servers, it is recommended to add a FQDN for the ServerName directive. Is there any way to accommodate this type of fix for the LoadMaster? Is there a way to customize the 302 response so that it does not reveal the internal address?
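A self-check for the behaviour described in this post, added here as an example (it is not KEMP's code and not the poster's): it repeats the probe from the post against your own redirect service (a GET with the Host header omitted) and reports a 3xx whose Location header carries a private, loopback or link-local address literal instead of the public name. The target address, port and path are assumptions; the check is only meaningful against a LoadMaster you operate.

```python
import http.client
import ipaddress
from urllib.parse import urlsplit


def redirect_leaks_internal_address(status, headers):
    """Return the leaked address as a string if a 3xx response's Location
    header names a non-routable IP literal (private, loopback or link-local),
    otherwise None. `headers` is a list of (name, value) pairs, as returned by
    http.client's HTTPResponse.getheaders()."""
    if not 300 <= status < 400:
        return None
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if not location:
        return None
    host = urlsplit(location).hostname  # strips scheme, port and path
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname (e.g. the public FQDN), not an address literal
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return str(ip)
    return None


def probe_redirect_without_host(address, port=80, path="/", timeout=5):
    """Send a bare HTTP/1.1 GET with no Host header, as the post describes,
    and return (status, headers) so the reply can be checked offline."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)  # skip_host: omit Host
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical address of the HTTP redirect Virtual Service you operate.
    status, headers = probe_redirect_without_host("REDIRECT-VS-ADDRESS")
    leaked = redirect_leaks_internal_address(status, headers)
    print("internal address exposed:", leaked) if leaked else print("no leak")
```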
