Manual Chapter: Working with HTTP Classes

An HTTP class with application security enabled links local traffic components with application security components. You can create one or more HTTP classes, and then assign them as resources for one or more local traffic virtual servers. When the virtual server receives an HTTP request, it applies the HTTP classes, in the listed order, and if the traffic classifiers find a match in the request, the system routes the request to the Application Security Manager.
In the HTTP class, you can use the traffic classifiers to specify which incoming HTTP traffic to route through the Application Security Manager. The traffic classifiers use different elements of an HTTP request, including host header values, URI paths, other headers and values, and cookie names (or a combination of these), to determine which requests go to the Application Security Manager. For requests that match the traffic classifiers, the Application Security Manager applies the active security policy to the traffic.
You can create an HTTP class manually, as described in this chapter, or let the system create the HTTP class for you when you create a security policy using the Deployment wizard. For complex applications, you can create more than one HTTP class, for example, if you need to apply different security policies to different parts of the application.
A basic HTTP class with application security enabled routes all HTTP traffic through the Application Security Manager. You can manually create a basic HTTP class for a security policy.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
Note: The corresponding security policy also uses this name.
4. Make sure that the Application Security setting is set to Enabled. If it is not, select the Custom check box to enable the setting, and then change it.
6. To the right of the Actions area, select the Custom check box to enable Actions options.
7. For the Send To setting, select Pool from the list.
The screen refreshes, and the action settings are all enabled.
8. For the Pool setting, select the local traffic pool that contains the web server resources for your web application.
Note: If you have not already configured a local traffic pool, refer to Defining a local traffic pool.
9. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.
You can use the traffic classifiers in the HTTP class to specify exactly which traffic goes through the Application Security Manager before it reaches the web application resources. The traffic classifiers perform pattern matching against HTTP requests, based either on wildcard strings or on regular expressions. When the traffic classifier finds a match in an HTTP request, the system forwards that request to the Application Security Manager. The Application Security Manager then applies the active security policy to the request.
The traffic classifiers perform pattern matching using either literal strings or regular expressions. The literal strings can include wildcard characters, such as asterisk (*) or question mark (?). The regular expressions use the Tcl regular expression syntax. You can use a mixture of matching types within each traffic classifier.
Note: Pattern-matching traffic classifiers are case-sensitive; that is, www.F5.com is not the same as www.f5.com. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
You can configure one or more traffic classifiers in each HTTP class. If the traffic classifier has multiple matching objects within its list, the system looks for a match until it finds one, and forwards the request when it does. If you configure more than one type of classifier (for example, you configure both a URI path and a header traffic classifier), the system performs the pattern matching and forwards to the Application Security Manager only the traffic that matches both traffic classifier types. If you configure multiple entries within each traffic classifier list, the system performs the pattern matching until it finds a match.
You can use the Hosts traffic classifier to specify hosts whose traffic you want to direct through the Application Security Manager. When you use the Hosts traffic classifier, the system performs pattern matching against the information contained in the Host header in a request.
Tip: Merely by configuring the valid host headers for the web application, you become immune to many of the worms that spread by using an IP address as the value of the Host header.
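The matching rules described above, modeled as an added example (this is not F5 code and not part of the original manual): entries within one classifier list are alternatives, every configured classifier type must match, and matching is case-sensitive. The host names, paths, dictionary layout and function names are constructed for illustration; Python's `re` and `fnmatch` stand in for Tcl regular expressions and pattern strings, and unanchored regex search is an assumption.

```python
import fnmatch
import re

REGEX_PREFIX = "(regex)"  # the manual says regex entries are listed with this prefix

def entry_matches(entry, value):
    """Match one list entry against a request value, case-sensitively."""
    if entry.startswith(REGEX_PREFIX):
        # Assumption: unanchored search; Python re stands in for Tcl syntax.
        return re.search(entry[len(REGEX_PREFIX):], value) is not None
    return fnmatch.fnmatchcase(value, entry)  # '*' and '?' wildcards

def list_matches(entries, values):
    """OR within one classifier list: any entry matching any candidate value."""
    return any(entry_matches(e, v) for e in entries for v in values)

def routed_to_asm(http_class, request):
    """AND across classifier types: every configured (non-empty) list must match."""
    headers = request["headers"]
    cookies = [c.split("=", 1)[0].strip()
               for c in headers.get("Cookie", "").split(";") if c.strip()]
    candidates = {
        "hosts": [headers.get("Host", "")],
        "uri_paths": [request["path"]],
        "headers": [f"{k}:{v}" for k, v in headers.items() if k != "Cookie"],
        "cookies": cookies,  # cookie names only
    }
    return all(list_matches(http_class[kind], candidates[kind])
               for kind in candidates if http_class.get(kind))

# Constructed HTTP class: two valid hosts, and only the /store subtree.
HTTP_CLASS = {
    "hosts": ["www.example.com", "(regex)^shop[0-9]+\\.example\\.com$"],
    "uri_paths": ["/store/*"],
}

# Constructed requests.
REQUESTS = {
    "valid": {"path": "/store/cart", "headers": {"Host": "www.example.com"}},
    "regex_host": {"path": "/store/a", "headers": {"Host": "shop2.example.com"}},
    "ip_host": {"path": "/store/cart", "headers": {"Host": "192.0.2.10"}},
    "wrong_case": {"path": "/store/cart", "headers": {"Host": "WWW.Example.com"}},
    "other_path": {"path": "/info/about", "headers": {"Host": "www.example.com"}},
}

def classify_all():
    return {name: routed_to_asm(HTTP_CLASS, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, hit in classify_all().items():
        print(f"{name:11} -> {'ASM' if hit else 'not matched by this class'}")
```

A False result means this class did not claim the request, so the class's security policy is not applied to it; review what the virtual server does with such traffic when you narrow the classifiers.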
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
5. For the Hosts setting, select Match only.
The screen refreshes, and you see the Host List setting.
6. Add hosts to the Host List as needed:
a) In the Host field, type the name of the host for which the system routes HTTP traffic through the Application Security Manager.
b) For Entry Type, select Pattern String or Regular Expression (regex).
c) Click Add.
The host is added to the list.
8. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.
You can use the URI Paths traffic classifier to specify one or more URI paths whose requests you want to direct through the Application Security Manager. When you use the URI Paths traffic classifier, the system performs pattern matching against the URI path in a request.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
5. For the URI Paths setting, select Match only.
The screen refreshes, and you see the URI Path List setting.
6. Add URIs to the URI Path List as needed.
a) In the URI Path field, type the URI path for which the system routes HTTP traffic through the Application Security Manager.
b) For Entry Type, select Pattern String or Regular Expression (regex).
c) Click Add.
The URI is added to the list.
8. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.
You can use the Headers traffic classifier to specify one or more headers whose associated requests you want to direct through the Application Security Manager. When you use the Headers traffic classifier, the system performs pattern matching against the headers and their values in a request.
Note: If you want to classify traffic using the Cookie header, use the Cookies traffic classifier instead of the Headers traffic classifier. See Classifying traffic using cookies for more information.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. Above and on the right of the Configuration area, select the Custom check box to enable the Configuration options.
5. For the Headers setting, select Match Only.
The screen refreshes, and you see the Header List setting.
6.
a) In the Header field, type the header. Include the colon when you add headers to this list, for example: User-Agent:<value>.
b) For Entry Type, select Pattern String or Regular Expression (regex).
When you select Regular Expression (regex), the system prepends (regex) when you add the object to the list.
c) Click Add.
The header is added to the list.
8. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.
You can use the Cookies traffic classifier to specify one or more cookies whose associated requests you want to direct through the Application Security Manager. When you use the Cookies traffic classifier, the system performs pattern matching against the cookie name information in the Cookie header in a request.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
5. For the Cookies setting, select Match Only.
The screen refreshes, and you see the Cookie List setting.
6. Add cookie names to the Cookie List as needed:
a) In the Cookie field, type the cookie data.
b) For Entry Type, select Pattern String or Regular Expression (regex).
c) Click Add.
The cookie is added to the list.
8. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.
The actions of the HTTP class designate what the system does with the traffic when the traffic matches one or more of the traffic classifier criteria. The actions for the HTTP class are as follows.
None
When you use the none action, the system does nothing with the traffic within the context of this HTTP class. The system may process the request according to other settings for the virtual server, for example, forward the request to the virtual server's default pool.
Send to pool
When you use the send to pool action, the system sends the traffic to the local traffic pool specified in the Pool setting. In this case, traffic is not sent to the Application Security Manager, nor to the pool specified in the virtual server (unless it is the same pool).
Redirect to another resource
When you use the redirect action, the system sends any traffic that matches (based on the full HTTP URI) to another resource on the network. You can use Tcl expressions to create a custom redirection. See the F5 Dev Central web site, http://devcentral.f5.com, for information on Tcl expressions and syntax.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
6. Above the Actions area, select the Custom check box to enable the Actions options.
7. For the Send To setting, specify what you want the system to do with the traffic related to this HTTP class. See the online help for assistance with specific screen elements.
8. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.
You can use the Rewrite URI action to rewrite a URI without sending an HTTP redirect to the requesting client. For example, an ISP may host a site that is composed of different web applications, such as a secure store application and a general information application. To the client, these two applications are the same site, but on the server side they are different applications. Using the Rewrite URI action transparently directs the client's request to the appropriate application.
You use Tcl expressions for this setting. If you use a static URI, the system maps the static URI for every incoming request. For details on using Tcl expressions, and Tcl syntax, see the F5 Networks Dev Central web site, http://devcentral.f5.com.
Note: The Rewrite URI setting is available only when you select None or Pool for the Send To setting, and you are using the Hosts or URI Paths traffic classifiers.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
4. For the Configuration setting, select the Custom check box to enable the Configuration options.
6. Above the Actions area, select the Custom check box to enable Actions options.
7. For the Send To setting, select Pool from the list.
The screen refreshes and shows more options.
8. For the Pool setting, select the name of the local traffic pool to which you want the system to send the traffic.
9. For the Rewrite URI setting, type the Tcl expression that represents the URI that the system inserts in the request to replace the existing URI.
10. Click Finished.
The system adds the new HTTP class. It also automatically creates a security policy with the same name.
a) Expand Application Security, then click Security Policies.
The Active Policies screen opens.
b) For the HTTP class that you created, click Configure Security Policy and follow through the Deployment wizard.