F5 BIG-IP CORS – What is it, and how to enable

Cross-Origin Resource Sharing (CORS) is a mechanism that lets your system access resources on a domain other than the one the original request was made to. By default, the F5 BIG-IP management application does not accept CORS requests made directly to it, and that includes the REST API. CORS is a tricky piece of functionality because it is prone to abuse if it is not implemented properly.

For instance, an attacker could gain access to or remove certain information leveraging CORS. I started looking into CORS as part of an online iRule editor project I was working on.

Enabling F5 BIG-IP CORS

You can enable CORS on F5 BIG-IP using one of two methods:
1. By modifying your Apache config
2. By leveraging a Virtual Server and iRule

The first method is a little easier: it just modifies the Apache configuration that sits between your browser and the actual F5 configuration web application. The second requires a little bit of magic to get the traffic to exit through the F5’s TMM interface and then get back to the management IP, which is set as the pool member.
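One way the first method's Apache change could look, as an added example that is not from the original post or from F5. The origin `https://irule-editor.example.com`, the variable name `CORS_ORIGIN`, and the method and header lists are assumptions; where the directives are loaded on a BIG-IP is not shown.

```apache
# Added example: CORS response headers set with mod_setenvif and mod_headers.
# All names and values below are placeholders, not taken from the post.

# Weak setting, shown commented out for comparison only:
# every origin on the internet may read responses from the management app.
# Header always set Access-Control-Allow-Origin "*"

# Also weak: echoing back whatever Origin the browser sent and allowing
# credentials, which is equivalent to trusting every site.
# SetEnvIf Origin "^(.*)$" CORS_ORIGIN=$1
# Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
# Header always set Access-Control-Allow-Credentials "true"

# Stricter setting: one exact, anchored origin is allowlisted. The regex
# escapes the dots and anchors both ends so look-alike hosts such as
# irule-editor.example.com.attacker.test do not match.
SetEnvIf Origin "^https://irule-editor\.example\.com$" CORS_ORIGIN=$0

# The CORS headers are emitted only when the Origin matched the allowlist;
# requests from any other origin get no Access-Control-* headers at all.
Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=CORS_ORIGIN
Header always set Access-Control-Allow-Headers "Authorization, Content-Type" env=CORS_ORIGIN

# The response now depends on the Origin request header, so caches must
# key on it.
Header always merge Vary "Origin"
```

Browsers send an OPTIONS preflight before many cross-origin REST calls; how the management application answers OPTIONS is not covered by the post and is not handled in this fragment.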

Remember that changes to your configuration may not be officially supported or recommended by F5, especially something like enabling CORS on F5 BIG-IP. Take care to make only changes you fully understand; otherwise, you might be opening your F5 device to unknown traffic or effects. Post a comment or contact me if you want more information!
