2.1.6. Lab 6: Configure HTTP security
HTTP security profiles are used to apply basic HTTP security to a virtual server. Significantly more advanced HTTP security is available by adding ASM (Application Security Manager).
2.1.6.1. Configure An HTTP Security Profile And Apply It To The External Virtual Server
On the BIG-IP:
Navigation: Security > Protocol Security > Security Profiles > HTTP, then click Create.
Setting | Value |
---|---|
Profile Name | demo_http_security |
Custom | Checked |
Profile is case sensitive | Checked |
HTTP Protocol Checks | Check All |
Note
Leave all other fields using the default values.
Navigation: Click Request Checks Tab.
Setting | Value |
---|---|
File Types | Select All |
Note
Leave all other fields using the default values.
Navigation: Click Blocking Page Tab.
Setting | Value |
---|---|
Response Type | Custom Response |
Response Body | Please contact the helpdesk at x1234 |
Note
Leave all other fields using the default values.
Navigation: Click Finished
Apply the HTTP security profile to the external virtual server.
Navigation: Local Traffic > Virtual Servers > Virtual Server List > EXT_VIP_10.10.99.30
Setting | State | Profile |
---|---|---|
Protocol Security | Enabled | demo_http_security |
Note
Leave all other fields using the default values.
Navigation: Click Update.
Open a new web browser tab, access the virtual server and log into the application.
URL: https://www.mysite.com/dvwa
Credentials: admin/password
Note
The application is still reachable even though the profile is detecting policy violations: the “Block” option in the HTTP security profile is not selected, so violations are only logged (Alarm) and the requests are passed through.
Browse the application.
Navigation: Click on various links on the sidebar.
Note
This traffic generates HTTP protocol security event log entries because the Alarm option in the HTTP security profile is selected.
On BIG-IP
Review the log entries created in the previous step.
Navigation: Security > Event Logs > Protocol > HTTP
Note
Your log entries will differ from the example in the lab guide (the URIs and violations depend on which links you clicked), but the concept is the same: each violated check is logged, and none of the requests was blocked.
Edit the demo_http_security HTTP security profile.
Navigation: Security > Protocol Security > Security Profiles > HTTP
Setting | Value |
---|---|
HTTP Protocol Checks | Uncheck all except “Host header contains IP address”; check “Block” |
Note
Leave all other fields using the default values.
Navigation: Click Finished.
On Windows jumpbox
Open a new web browser tab and access the virtual server by its IP address rather than by name (for example https://10.10.99.30/dvwa).
Attention
The application should not be accessible: the request's Host header is an IP address, so the “Host header contains IP address” check fires and, because “Block” is now selected, the profile rejects the request and returns the custom blocking response configured earlier (“Please contact the helpdesk at x1234”).
Open a new web browser tab and access the virtual server again, this time by FQDN.
URL: https://www.mysite.com/dvwa
Attention
The application should now be accessible because the request was made through the FQDN: the Host header does not contain an IP address, so the only enabled check does not fire.
Note
Explore some of the other settings available to you in the security profile.
Note
This is the end of Module 1 - Lab 6