Rewriting HTTP responses

This application note is intended to help you apply rules for rewriting HTTP responses within the ALOHA Load Balancer solution.


Objective

Replace the IP address “127.0.0.1” with “www.mysite.com”.

Intentionally provide false information on the Web server version in order to avoid targeted attacks.


Constraints

In order to rewrite responses, you need to understand regular expressions.


Complexity

2


Versions

v3.x and later



Target network diagram


Functions to use

In order to rewrite a response, use the “rsprep” and “rspirep” keywords with the following syntax:

	rsprep <search> <string> [{if | unless} <cond>]
	rspirep <search> <string> [{if | unless} <cond>] (case-insensitive)

<search> is the regular expression applied both to the HTTP headers and to the request. This is an extended regular expression: grouping with parentheses is supported, and the parentheses do not need a preceding backslash. All spaces and known separators must be escaped using the backslash “\”. The pattern is applied to one entire line at a time.

<string> is the entire line to be added. All spaces and known separators must be escaped using the backslash “\”. You can refer to groups matched by the pattern by using “\N”, where “N” is an integer between 0 and 9.

<cond> is an optional matching condition built from an ACL. It allows the rule to be ignored when other conditions are not met.

Any line (in both the request and the header) that matches the extended regular expression given in the “search” argument will be completely replaced by the “string” argument. This is most commonly used to rewrite URLs or domain names in the "host" field of headers, for instance.

Important

The “rsprep” keyword is strictly case-sensitive, while “rspirep” is case-insensitive.

The <cond> condition is available only from version v3.5.x and later.


Extract of the LB Level7 configuration

######## The first public address as seen by the clients
 frontend frt
  bind 10.0.32.10:80 # address:port to listen to
  mode http
  log global # use global log parameters
  option httplog # Enable HTTP logging
  maxconn 4000 # max conn per instance
  timeout client 25s # maximum client idle time
  default_backend bck # send everything to this backend by default

 ####### This backend manages the servers and the load balancing algorithm
 backend bck
  balance roundrobin # roundrobin | source | uri | leastconn
  mode http
  log global # use global log parameters
  option httplog # Enable HTTP logging
  cookie SERVERID insert indirect nocache # provide persistence with cookie
  option httpchk HEAD / # how to check those servers
  option forwardfor except 127.0.0.1/8 # add X-Forwarded-For except local
  fullconn 4000 # dynamic limiting below
  timeout server 25s # max server’s response time
  # Replace the host name “127.0.0.1” with “www.mysite.com”
  rspirep ^Location:\ 127.0.0.1 Location:\ www.mysite.com
  # Replace the server fields of the “IIS7” header with “Apache”
  rsprep ^Server:\ IIS7 Server:\ Apache
  server srv1 10.0.32.101:80 cookie s1 weight 10 maxconn 100 check inter 1000 fall 3
  server srv2 10.0.32.102:80 cookie s2 weight 10 maxconn 100 check inter 1000 fall 3
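
The two rules above can be checked offline before they are deployed. The following is an added example, not part of the original note or of the ALOHA product: a simplified Python model of the behaviour described above (whole-line replacement, “\ ” escaping, “\N” groups, case handling). It assumes Python's `re` engine is close enough to extended regular expressions for these patterns; the sample response and the `GROUP_RULES` variant are constructed for illustration.

```python
import re

def unescape(token):
    # In the configuration, "\ " stands for a literal space; other escapes are kept.
    return token.replace("\\ ", " ")

def parse_rule(line):
    # Split "rsprep|rspirep <search> <string>" on whitespace that is not escaped.
    keyword, search, string = re.findall(r"(?:\\.|\S)+", line)
    flags = re.IGNORECASE if keyword == "rspirep" else 0  # rsprep is case-sensitive
    return re.compile(unescape(search), flags), unescape(string)

def rewrite(rule_lines, response_lines):
    rules = [parse_rule(r) for r in rule_lines]
    out = []
    for line in response_lines:
        for pattern, string in rules:
            m = pattern.search(line)
            if m:
                # The whole line is replaced by <string>; \N expands to group N.
                line = re.sub(r"\\(\d)",
                              lambda g: m.group(int(g.group(1))) or "", string)
        out.append(line)
    return out

# The two rules exactly as written in the backend above.
PAGE_RULES = [
    r"rspirep ^Location:\ 127.0.0.1 Location:\ www.mysite.com",
    r"rsprep ^Server:\ IIS7 Server:\ Apache",
]
# Assumed variant: escaped dots, and a group so the rest of the line survives.
GROUP_RULES = [
    r"rspirep ^Location:\ 127\.0\.0\.1(.*) Location:\ www.mysite.com\1",
    r"rsprep ^Server:\ IIS7 Server:\ Apache",
]
# Constructed sample response head (not captured from a real server).
SAMPLE = ["HTTP/1.1 302 Found", "location: 127.0.0.1/app/login", "Server: IIS7"]

if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("group rules", GROUP_RULES)):
        print(name, "->", rewrite(rules, SAMPLE))
```

With the rules as written, everything after the matched address is dropped because the entire line is replaced; the variant keeps it through “\1”. A backend that answers with a lowercase `server:` header is not rewritten by the case-sensitive `rsprep` rule, so the real version would still reach clients.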