Forum Discussion

ekanathdas_2662
May 14, 2012

HSTS (HTTP Strict Transport Security)

Hi team,

Was trying the HSTS iRule posted in "https://devcentral.f5.com/weblogs/d...start.aspx".

The vip on port 80 already had an SSL redirect iRule (http to https).

When the below iRule is applied to the vip on port 80, the site goes down.

==i rule====

iRule for HSTS HTTP Virtuals

when HTTP_REQUEST {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}

when HTTP_RESPONSE {
    HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; \
        includeSubDomains"
}

============
A few questions (they might sound foolish) which can help me:
1) Doesn't an SSL redirect solve the purpose?
2) If it's a hard and fast rule to apply the HSTS feature, can someone suggest where I am going wrong?
Thanks,
Ekanath

7 Replies

  • nathe
    Ekanath,

    I understand that the issue here, and how HSTS solves things, is the redirect itself being insecure. This redirect is over cleartext and, hence, susceptible to MITM attacks. HSTS will amend the initial request to https to get round this so all session info is encrypted.

    Anyway, you've got an issue when using the iRule. Looking at your iRule above - have you copied it incorrectly? You seem to be missing a couple of lines that set the variable.

    Obvious one - but you'll need a vip listening on 443 too for this to work and, without double checking, do all browsers / versions support the Strict-Transport-Security header? I know Firefox does. I'll have to remind myself on that one too.

    Hope this helps,

    N


  • Hi,

    I did try the same thing today, but both the http and https connections fail:

    iRule for HSTS HTTP Virtuals

    when HTTP_REQUEST {
        HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
    }

    iRule for HSTS HTTPS Virtuals

    when RULE_INIT {
        set static::expires [clock scan 20110926]
    }

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security \
            "max-age=[expr {$static::expires - [clock seconds]}]; \
            includeSubDomains"
    }

    --

    Thanks,

    Ekanath
  • nathe
    Ekanath,

    Have you checked out Jason's blog / testing on this? See https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084416/Implementing-HTTP-Strict-Transport-Security-in-iRules.aspx

    Also, have you got any other iRules associated with the virtuals? I presume you've got the HTTP profile assigned to the virtual?

    Rgds

    N
  • Yes, the virtuals have the http profile associated to them.

    I believe I am overlooking something and getting the iRule error. Shouldn't the time be defined in the rule? Should it be defined anywhere else?

    ===error===

    Jun 18 10:10:40 tmm tmm[1099]: 01220001:3: TCL error: Rule HSTS-HTTPS - can't read "static::expires": no such variable while executing "expr {$static::expires - [clock seconds]}"

    ===i rule on http virtual===

    when HTTP_REQUEST {
        HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
    }

    ==i rule on https virtual===

    when RULE_INIT {
        set static::expires [clock scan 9504000]
    }

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]"
    }

    Thanks.
  • Your issue is with the clock scan value.

    It should be [clock scan yyyymmdd]

    Or you can use this instead of what you are using:

    ==i rule on https virtual===

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=31536000 ; includeSubDomains"
    }

    • san2hosh_306591

      Well, I used the below rule, and my user complained that as the days pass the time seems to be decreasing. So is there any static rule that can make it the same clock seconds every day?

      Here is my rule:

      when RULE_INIT {
          set static::expires [clock scan 31536000]
      }
      when HTTP_RESPONSE {
          HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains"
      }

    • JG
      when RULE_INIT { 
          set static::expires [clock scan "12 month"]
      } 
      when HTTP_RESPONSE { 
          HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains" 
      }
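As an added example (not from this thread, not F5 code), the following Python script reproduces in plain arithmetic what the two styles of iRule discussed above emit and checks a Strict-Transport-Security value the way a defender auditing responses would. It shows why a max-age computed as `$static::expires - [clock seconds]` shrinks by 86400 every day (san2hosh's complaint) and turns negative once the fixed date has passed, why a constant `max-age=31536000` is the right shape, and it flags the header when it is sent over plain HTTP, which RFC 6797 (section 8.1) says browsers must ignore, so inserting it on the port-80 virtual as in the first post achieves nothing. The function names, the sample dates and the finding texts are my own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List

# Constant policy lifetime of one year, the value used in the fixed iRule above.
ONE_YEAR = 31536000


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build sample dates without importing datetime themselves."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def max_age_from_fixed_expiry(expires: datetime, now: datetime) -> int:
    """Reproduces max-age=[expr {$static::expires - [clock seconds]}]:
    the seconds left until a fixed calendar date, which is a different number every day."""
    return int((expires - now).total_seconds())


def build_hsts(max_age: int, include_subdomains: bool = True) -> str:
    """Builds the header value the iRule inserts."""
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def simulate_daily(expires: datetime, start: datetime, days: int) -> List[int]:
    """max-age emitted on each of `days` consecutive days by the fixed-expiry rule."""
    return [max_age_from_fixed_expiry(expires, start + timedelta(days=d)) for d in range(days)]


# max-age is a required directive; directive names are case-insensitive (RFC 6797 s6.1).
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(-?\d+)"?', re.IGNORECASE)


def check_hsts(value: str, over_tls: bool, min_age: int = ONE_YEAR) -> List[str]:
    """Returns audit findings for a Strict-Transport-Security value; an empty list means it looks right."""
    findings = []
    if not over_tls:
        # RFC 6797 s8.1: a UA must ignore the STS header when it arrives over non-secure transport.
        findings.append("sent over plain HTTP; browsers ignore the STS header unless it arrives over TLS")
    m = _MAX_AGE.search(value)
    if m is None:
        findings.append("missing required max-age directive")
        return findings
    age = int(m.group(1))
    if age < 0:
        findings.append("negative max-age=%d: fixed expiry date is already in the past" % age)
    elif age == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif age < min_age:
        findings.append("max-age=%d is below the expected %d; lifetime shrinks daily?" % (age, min_age))
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains not set; subdomains remain reachable over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample: the 20110926 date from the thread, observed from a day before and from May 2012.
    expires = utc_date(2011, 9, 26)
    for now in (utc_date(2011, 9, 25), utc_date(2012, 5, 14)):
        header = build_hsts(max_age_from_fixed_expiry(expires, now))
        print(now.date(), header, check_hsts(header, over_tls=True))
    # Constructed sample: one year ahead, three consecutive days, showing the daily shrink.
    print(simulate_daily(utc_date(2013, 1, 1), utc_date(2012, 1, 1), 3))
    # The constant form, once over TLS (clean) and once on the port-80 virtual (ignored by browsers).
    print(check_hsts(build_hsts(ONE_YEAR), over_tls=True))
    print(check_hsts(build_hsts(ONE_YEAR), over_tls=False))
```

Run it and compare the three-day list: each entry is 86400 smaller than the previous one, which is exactly the behaviour the user noticed, while the constant form produces no findings over TLS and a single finding when sent over plain HTTP.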