2.1.6. Lab 6: Configure HTTP security

HTTP security profiles are used to apply basic HTTP security to a virtual server. Significantly more advanced HTTP security is available by adding ASM (Application Security Manager).

2.1.6.1. Configure An HTTP Security Profile And Apply It To The External Virtual Server

On the BIG-IP:

Navigation: Security > Protocol Security > Security Profiles > HTTP, then click Create.

Profile Name: demo_http_security
Custom: Checked
Profile is case sensitive: Checked
HTTP Protocol Checks: Check All


Note

Leave all other fields using the default values.

Navigation: Click Request Checks Tab.

File Types: Select All


Note

Leave all other fields using the default values.

Navigation: Click Blocking Page Tab.

Response Type: Custom Response
Response Body: Insert “Please contact the helpdesk at x1234” as noted below


Note

Leave all other fields using the default values.

Navigation: Click Finished.

Apply the HTTP security profile to the external virtual server.

Navigation: Local Traffic > Virtual Servers > Virtual Server List > EXT_VIP_10.10.99.30

Protocol Security: Enabled, demo_http_security


Note

Leave all other fields using the default values.

Navigation: Click Update.

Open a new web browser tab, access the virtual server and log into the application.

URL: https://www.mysite.com/dvwa

Credentials: admin/password


Note

This application is accessible, even though there are policy violations, because the “Block” option in the HTTP security policy is not selected.

Browse the application.

Navigation: Click on various links on the sidebar.


Note

This traffic will generate network firewall log entries because the Alarm option in the HTTP security policy is selected.

On the BIG-IP:

Review the log entries created in the previous step.

Navigation: Security > Event Logs > Protocol > HTTP


Note

Your log entries may be different than the example shown above but the concept should be the same.

Edit the demo_http_security HTTP security profile.

Navigation: Security > Protocol Security > Security Profiles > HTTP

HTTP Protocol Checks

Uncheck all except “Host header contains IP address”.

Check “Block”


Note

Leave all other fields using the default values.

Navigation: Click Finished.

On the Windows jumpbox:

Open a new web browser tab and access the virtual server.

URL: https://10.10.99.30/dvwa


Attention

This application should not be accessible because the “Host header contains IP address” and “Block” options in the HTTP security policy are selected.

Open a new web browser tab and access the virtual server.

URL: https://www.mysite.com/dvwa


Attention

This application should now be accessible because we requested it through the FQDN instead of an IP address.
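To make the two behaviours seen in this lab concrete (Alarm only: the request passes and a log entry is written; Alarm plus Block: the request is refused and the custom blocking page is returned), here is an added Python example that emulates the “Host header contains IP address” check on raw HTTP requests. This is illustrative code written for this lab write-up, not F5's implementation and not a BIG-IP API; the sample requests, the helper names (host_header, host_is_ip_literal, evaluate) and the log line format are assumptions chosen for the example. The blocking page text and the hostnames are the ones used in the lab.

```python
import ipaddress
from typing import Optional

# Constructed sample requests (not captured from the lab environment): the FQDN
# request and the bare-IP request from the lab, plus edge cases a practitioner
# would want the check to handle: an IP with a port, a bracketed IPv6 literal,
# and a hostname whose leading labels merely look like an IP address.
SAMPLE_REQUESTS = {
    "fqdn": "GET /dvwa HTTP/1.1\r\nHost: www.mysite.com\r\nUser-Agent: demo\r\n\r\n",
    "ipv4": "GET /dvwa HTTP/1.1\r\nHost: 10.10.99.30\r\nUser-Agent: demo\r\n\r\n",
    "ipv4_port": "GET /dvwa HTTP/1.1\r\nHost: 10.10.99.30:443\r\n\r\n",
    "ipv6": "GET /dvwa HTTP/1.1\r\nHost: [2001:db8::1]:443\r\n\r\n",
    "numeric_label": "GET /dvwa HTTP/1.1\r\nHost: 10.10.99.30.nip.example\r\n\r\n",
}

# Custom response body configured on the profile's Blocking Page tab.
BLOCKING_PAGE = "Please contact the helpdesk at x1234"


def host_header(raw_request: str) -> Optional[str]:
    """Return the Host header value of a raw HTTP/1.1 request, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def host_is_ip_literal(host: str) -> bool:
    """True when the Host value is an IPv4 or IPv6 literal, with or without a port."""
    if host.startswith("["):
        # RFC 3986 form for IPv6 in a host: "[addr]" optionally followed by ":port"
        end = host.find("]")
        if end == -1:
            return False
        candidate = host[1:end]
    elif host.count(":") == 1:
        candidate = host.rsplit(":", 1)[0]  # strip a single ":port" suffix
    else:
        candidate = host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def evaluate(raw_request: str, alarm: bool, block: bool) -> dict:
    """Emulate the profile's Alarm/Block handling for this one check.

    Returns the decision ("pass" or "block"), the log entry written when Alarm
    is set, and the response body returned when Block is set.
    """
    host = host_header(raw_request) or ""
    violation = host_is_ip_literal(host)
    result = {"violation": violation, "action": "pass", "log": None, "response": None}
    if not violation:
        return result
    if alarm:
        # Assumed log format; the real event log fields are shown in the lab's
        # Security > Event Logs > Protocol > HTTP page.
        result["log"] = f'violation="Host header contains IP address" host="{host}"'
    if block:
        result["action"] = "block"
        result["response"] = BLOCKING_PAGE
    return result


if __name__ == "__main__":
    for mode, (alarm, block) in {"alarm only": (True, False), "alarm+block": (True, True)}.items():
        print(f"--- {mode} ---")
        for name, req in SAMPLE_REQUESTS.items():
            r = evaluate(req, alarm=alarm, block=block)
            print(f"{name:14} host={host_header(req)!r:28} -> {r['action']}"
                  + (f"  log: {r['log']}" if r["log"] else "")
                  + (f"  body: {r['response']}" if r["response"] else ""))
```

Running the script prints each sample once in “alarm only” mode (every request passes, IP-literal hosts are logged) and once in “alarm+block” mode (IP-literal hosts get the helpdesk blocking page, the FQDN request still passes). The same comparison can be made against the lab's virtual server from the jumpbox with curl by sending one request to https://www.mysite.com/dvwa and one to https://10.10.99.30/dvwa, and checking which of the two returns the custom response body.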

Note

Explore some of the other settings available to you in the security policy.

Note

This is the end of Module 1 - Lab 6