FortiADC
scheehan_FTNT
Article Id 286131
Description

An HTTP request header carries many fields, for example Host, Content-Type, and Cookie.

These common HTTP header fields give web servers essential information about clients.

This article describes and demonstrates a script example that validates an HTTP header and performs an action when a condition matches. In this instance, the script checks the HTTP request header Host and, if the condition matches, updates the Host field value.

Scope

FortiADC.

Solution

Introduction:

Company A wants to replace the HTTP Host header field value with the correct server domain information.

The FortiADC configuration used here is Layer 7 server load balancing with a single real server, a common setup, and no security profile. This article focuses on the script example, so only scripting-related information is shown.

 

Create custom script:

  1. Go to Server Load Balance -> Scripting -> HTTP, then select 'Create New' for a new script entry.

 

create-script-conf.png

 

  2. In the new edit window, enter the suggested Lua script statement.

 

edit-script-Host-with-comments-conf.png

 

  3. For further explanation, refer to each comment:

 

when HTTP_REQUEST{
    -- Get the HTTP header "Host" value and store it in the Hcontent variable
    Hcontent = HTTP:header_get_value("Host")
    -- Conditional check: does the Host value differ from the expected domain?
    if Hcontent ~= "www.example.com" then
        -- Log the non-matching Host value before it is replaced
        log("Host value is %s and need to be replace\n", Hcontent)
        -- Replace the header value
        HTTP:header_replace("Host", "www.example.com")
    else
        -- The Host value already matches; log it for tracking purposes
        log("Correct Host value %s \n", Hcontent)
    end
}

 

Note:

Refer to the article on how to generate the script log.

 

  4. Assign the script object to the preferred server load balance policy.

 

        slb-config-with-script-enabled.png

 

Validation:

  • Verify with the correct Host domain.
  • Send an HTTP request from the HTTPie client tool.

 

        with-correct-domain.png

        

Review the script log for the captured Host information.

 

        script-log-good.png

     

Review the web server log for the Host information.

 

      web-server-log-good.png

 

Conclusion:

Based on the observed information, the client web request was sent with the correct domain, and the HTTP header was recorded in the script log accordingly. The web server log confirmed that the script functioned as expected: because the domain was already the correct domain, no replacement took place.

 

      

  • Verify with other Host domains.
  • Send an HTTP request from the HTTPie client tool.

 

with-bad-domain.png

       

Review the script log for the captured Host information.

 

        script-log-bad.png

                               

Review the web server log for the Host information.

 

       web-server-log-bad.png

 

Conclusion:

Based on the observed information, the client web request was sent with another domain, and the HTTP header was recorded in the script log accordingly, indicating that the HTTP header replace function executed correctly. The web server log confirmed that the script functioned as expected: the domain was replaced with the correct domain.

 

Note:

  • The script examples provided were tested in a controlled environment. Verify the script in a staging environment before implementation.
  • The script criteria were also tested and worked with the Content-Type and Cookie HTTP headers.
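
As an added example (not part of the original article and not Fortinet's own code), the variant below keeps the same Host rewrite but separates equivalent spellings of the expected name (different case, an appended port, a trailing dot) from unrelated names, so the script log entry for a truly unexpected Host stands out. It uses only the HTTP:header_get_value, HTTP:header_replace and log calls shown in the script above; it assumes the standard Lua string library is available in the scripting environment and that a missing Host header is returned as nil.

```lua
when HTTP_REQUEST{
    -- Canonical name the real server expects (same value as the article's script)
    local expected = "www.example.com"

    -- Assumption: a request without a Host header returns nil; treat it as empty
    local raw = HTTP:header_get_value("Host") or ""

    -- Normalise a copy for comparison only: host names are case-insensitive,
    -- and a client may append ":port" or a trailing dot to the same name
    local host = string.lower(raw)
    host = string.gsub(host, ":%d+$", "")
    host = string.gsub(host, "%.$", "")

    if raw == expected then
        -- Exact match: nothing to change
        log("Correct Host value %s \n", raw)
    elseif host == expected then
        -- Same site, different spelling: rewrite so the server sees one form
        log("Host value %s is an equivalent form, rewriting\n", raw)
        HTTP:header_replace("Host", expected)
    else
        -- A different name entirely (or no Host at all): rewrite and log it
        -- with distinct wording so it can be filtered or alerted on
        log("Unexpected Host value %s replaced\n", raw)
        HTTP:header_replace("Host", expected)
    end
}
```

As with the original script, validate this variant in a staging environment and confirm the three log messages against requests sent with matching, equivalent and unrelated Host values.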