F5 CORS

What is CORS?

F5 CORS can mean a few different things. Probably the most common, which we’ll look at here, is enabling Cross-Origin Resource Sharing for the applications behind the BIG-IP. Alternatively, you can check out our article on enabling the BIG-IP itself to support CORS for the management GUI. You can also read a little bit about what CORS is. Another topic related to F5 CORS is what the ASM will allow and block when it sees CORS. Configuration of that is discussed in this F5 ASM CORS Support post.

First, a quick recap on CORS. CORS is used when the browser is making an automated request to a site that is different from the one the user put in their browser. The browser has a built-in protection: JavaScript isn’t allowed to send data all over the place. Often, though, this is exactly what the application architects need to happen. In comes CORS. Basically, the site that is getting a request from a non-local origin needs to allow the request to come in.

CORS has two types of requests: simple requests and requests that require more work. For simple requests, the browser is notified that this is OK with a simple header. For more complicated requests, the browser needs to send what’s called a pre-flight request to get some additional data before sending the actual request. What makes them complicated or simple is outside the scope of this post, but your application people should be able to tell you which of the methods you need to support.

The Mozilla CORS page gives a lot more detail if you want to dig into how the requests work.

Configuring F5 CORS

For the simple one, you just need to insert the “Access-Control-Allow-Origin:” header with the value of the domain that should be allowed to make the cross-origin request. If you want any website on the internet to be allowed, just set an asterisk.

You can do this with just an HTTP profile and the header insert, or you can do it in an iRule and insert the header based on whatever conditions you want.

Preflighted requests are a bit trickier. First, you’ll intercept the OPTIONS request, and respond with the proper information for the client. Next, the client will send the actual request.

Rather than reinvent the iRule, you can take a look at this thorough example on DevCentral: F5 CORS iRule

One thing to note about the iRule: create a data group outside of the iRule, as shown in one of the comments. That’s what they are there for, so use it.
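
A compact sketch covering both the simple and the preflighted case described above, with the allowed origins held in a data group outside the iRule. This is an added example, not the DevCentral iRule; the data group name cors_allowed_origins and the allowed methods, headers and max-age values are assumptions to replace with what your application needs.

```tcl
# Added example (not the DevCentral iRule).
# Assumes a string data group named cors_allowed_origins (hypothetical name)
# whose records are full origins, e.g. https://app.example.com
when HTTP_REQUEST {
    # Reset on every request: variables persist across keep-alive requests
    set cors_origin ""
    if { [HTTP::header exists "Origin"] } {
        set origin [HTTP::header value "Origin"]
        # Exact match only; substring or suffix matching would also admit
        # look-alike origins such as https://app.example.com.evil.test
        if { [class match $origin equals cors_allowed_origins] } {
            set cors_origin $origin
        }
    }

    # A preflight is an OPTIONS request carrying Access-Control-Request-Method
    if { [HTTP::method] eq "OPTIONS" &&
         [HTTP::header exists "Access-Control-Request-Method"] } {
        if { $cors_origin ne "" } {
            # Answer from the BIG-IP; the pool member never sees the preflight
            HTTP::respond 204 noserver \
                "Access-Control-Allow-Origin" $cors_origin \
                "Access-Control-Allow-Methods" "GET, POST, OPTIONS" \
                "Access-Control-Allow-Headers" "Content-Type" \
                "Access-Control-Max-Age" "600" \
                "Vary" "Origin"
        } else {
            # Origin not in the data group: refuse without any CORS headers
            HTTP::respond 403 noserver
        }
        return
    }
}

when HTTP_RESPONSE {
    # Design choice in this sketch: drop any value set by the backend so the
    # data group is the only place that decides which origins are allowed
    HTTP::header remove "Access-Control-Allow-Origin"
    if { $cors_origin ne "" } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        # Tell caches the response differs per requesting origin
        HTTP::header insert "Vary" "Origin"
    }
}
```

Echoing the validated origin instead of sending an asterisk also keeps working if the application later needs credentialed requests, since browsers reject the wildcard for those.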

Good luck, and feel free to comment if you’re having issues getting the iRule working either here or on DevCentral.
