
gurrish_132043
Sep 17, 2013

Problem with HTTP::respond, get rid of WWW-Authenticate header

Hi! I'm trying to do this generic error page to display for 4XX and 5XX responses with the help of an iRule. This is what I did.

when HTTP_RESPONSE {
    set DEBUG 0
    if { $DEBUG } { log local0.debug "client_addr:[IP::client_addr] | cn:$cn | uid:$uid | serial:$serial | market:$market | uuid:$uuid | status:[HTTP::status] | method:$method | uri:$uri" }
    HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"

    switch -glob [HTTP::status] {
        "4*" {
            if { $DEBUG } { log local0.debug "masking 4XX error" }
            HTTP::respond [HTTP::status] content "<!doctype html><html><head><title>[HTTP::status]</title></head><body><div style=\"margin-left: 20px ; font-family: Arial,Helvetica,Verdana; font-size:100px; color: f0f0f0;\">[HTTP::status]</div></body></html>"
        }
        "5*" {
            if { $DEBUG } { log local0.debug "masking 5XX error" }
            HTTP::respond [HTTP::status] content "<!doctype html><html><head><title>[HTTP::status]</title></head><body><div style=\"margin-left: 20px ; font-family: Arial,Helvetica,Verdana; font-size:100px; color: f0f0f0;\">[HTTP::status]</div></body></html>"
        }
        default {
            if { $DEBUG } { log local0.debug "OK status returned" }
            # Do nothing but return the response
        }
    }
}

But now I have this problem: every time a 401 is returned, i.e. "HTTP::respond 401", the WWW-Authenticate header is returned, which results in the stupid basic authentication login box being displayed in the user's browser. Not such a great scenario... since there is nothing to authenticate against. Does anyone know how to get rid of this? I have tried to remove the header with "HTTP::header remove WWW-Authenticate", doesn't work...

  • It appears as if the framework has some built-in default for 401s

    I would agree. The BIG-IP will return a WWW-Authenticate header with a 401 response. Two thoughts off the top of my head:

    1. Return a 200 response. It isn't semantically what you're looking for, but technically you're attempting to display HTML content rather than elicit credentials from the user, so it's closer to a 200 than a 401.

    2. Drop into layer 4 and scrub the response at the TCP layer. It's a little messier, but it should effectively trick the BIG-IP into not sending the WWW-Authenticate header.


  • It didn't work with TCP::respond but I found another solution. Since HTTP::respond can add headers, I tried to add the header myself but without any value. And it solved the problem for us.

    HTTP::respond [HTTP::status] content "[HTTP::status]

    [HTTP::status]

    " noserver "WWW-Authenticate" ""