How to Hide Virtual Services IP address during a Penetration Test when SubVS are configured.

How to Hide Virtual Services IP address during a Penetration Test when SubVS are configured.

Product: Loadmaster

Version: Any

Platform: Any

Application: Any

HTTPS virtual IP hosted with multiple subVS with different domains, what shall we input for redirect for https://domain.com%s. "%s"

During a Penetration test, it's possible that your Virtual IP is being revealed.

A way of mitigating this issue when adding an FQDN to the "302 redirect" is not possible is by utilizing a content matching rule and two SubVSs on your port 80 redirect Virtual Service in order to block connection attempts with empty host headers. This rule must be a content matching rule and include a Header Field of 'Host' and a Match String of /.*/ this rule should be applied to one SubVS while the default rule should be applied to the other SubVS. For the SubVS with the match rule created we can add the 302 redirect as https://%h%s and for the SubVS with the default rule, we will change the 302 to a 403, thus blocking requests made with empty host headers.

Create a content rule for your redirect SubVS.

Create two SubVS, and enable content switching.

After enabling add, the created content rule with redirect VS and for other VS select default rule.

Once created, for the SubVS with the matching rule created we can add the 302 redirect as https://%h%s, and for the SubVS with the default rule, we will change the 302 to a 403, thus blocking requests made with empty host headers, so during a Penetration test, your Virtual IP is not revealed.