HSTS and APM (ssllabs)
Hi
Trying to achieve a grade A+ with SSL Labs for my VS that has an Access Policy bound.
I'm running v12 and use the HSTS setting in the HTTP profile.
Testing my website with SSL Labs, I cannot get it to see the HSTS functionality. This is because the 302 redirect to the /my.policy response doesn't contain the HSTS header.
Has F5 overseen this use case? (I haven't seen any known issue about it on AskF5)
Can anyone advise a workaround?
Thanks
Alex
- amolariCirrostratus
After upgrading to 12.0 HF-1 and using the above iRule, we had no issue with /my.policy (with and without On-demand cert auth).
Got from F5 support the existing BUG ID 565554, which is about:
- not needing the workaround iRule anymore (ID is mentioned in the iRule above)
++ additionally:
- missing HSTS header randomly seen (when serving APM objects)
Alex
- amolariCirrostratus
Hi Lucas
In my environment it works, but I have seen a condition where it doesn't work: if the Access Policy has an On-Demand certificate check. It seems to break the mechanism and the browser gets an SSL error. Any idea?
Thanks
Alex
- Lucas_Thompson_Historic F5 Account
Strictly speaking, the HSTS header is irrelevant if the site doesn't have a corresponding "http" version. I've just now tested this scenario though, and it occurs as you describe. Interestingly, the other pages (my.policy page, etc) do honor the settings from the HTTP profile.
If you need to get around this for paperwork purposes, the following iRule will get the header in there:

    # workaround for F5 bug ID 565554
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
    when HTTP_RESPONSE_RELEASE {
        if { [HTTP::header Location] eq "/my.policy" } {
            HTTP::header replace "Strict-Transport-Security" "max-age=16070400 ; includeSubDomains"
        }
    }
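To verify from the client side that every hop, including the 302 to /my.policy, carries a usable HSTS header, here is an added Python check (not from the thread or from F5). The sample redirect chain and the six-month minimum max-age used as the pass threshold are constructed assumptions.

```python
"""Flag hops in a redirect chain that are missing or weak on HSTS.

Added example, not the thread's or F5's code. It models the symptom
described above: the 302 to /my.policy has no Strict-Transport-Security
header while the final page does. Responses are constructed inline;
fetching them live is left to the caller.
"""
from typing import Dict, List, Tuple

# Assumed minimum max-age (about six months) for an A+ style check.
MIN_MAX_AGE = 15768000

def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS value into directives.

    Directive names are case-insensitive; max-age becomes an int,
    flag directives such as includeSubDomains become True.
    """
    out: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age: {val!r}")
            out[name] = int(val)
        else:
            out[name] = True
    return out

def hsts_problems(chain: List[Tuple[str, int, Dict[str, str]]]) -> List[str]:
    """Return one message per hop (path, status, headers) that fails the check."""
    problems: List[str] = []
    for path, status, headers in chain:
        lower = {k.lower(): v for k, v in headers.items()}
        raw = lower.get("strict-transport-security")
        if raw is None:
            problems.append(f"{status} {path}: no Strict-Transport-Security header")
            continue
        d = parse_hsts(raw)
        if d.get("max-age", 0) < MIN_MAX_AGE:
            problems.append(f"{status} {path}: max-age {d.get('max-age', 0)} below {MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            problems.append(f"{status} {path}: includeSubDomains missing")
    return problems

# Constructed chain reproducing the thread's symptom: HSTS only on the final hop.
SAMPLE_CHAIN = [
    ("/", 302, {"Location": "/my.policy"}),
    ("/my.policy", 200, {"Strict-Transport-Security": "max-age=16070400 ; includeSubDomains"}),
]

if __name__ == "__main__":
    for msg in hsts_problems(SAMPLE_CHAIN):
        print(msg)
```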