Forum Discussion
ekanathdas_2662
Nimbostratus
NimbostratusHSTS (HTTP Strict Transport Security)
Hi team,
Was trying the HSTS irule posted in "https://devcentral.f5.com/weblogs/d...start.aspx".
The vip on port 80 already had a ssl redirect irule (http to https).
When the below irule is applied to vip of port 80, the site goes down.
==i rule====
iRule for HSTS HTTP Virtuals
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; \includeSubDomains"
}
============Few questions (might should foolish) which can help me:1) Doesnot a ssl redirect solve the purpose?2) If its a hard and fast rule to apply HSTS feature, can some one suggest where I am going wrong?Thanks,Ekanath
natheCirrocumulus
Ekanath,
I understand that the issue here, and how HSTS solves things, is the redirect itself being insecure. This redirect is over cleartext and, hence, susceptible to mitm attacks. HSTS will amend the initial request to https to get round this so all session info is encrypted.
Anyway, you're got an issue when using the iRule. Looking at your iRule above - have you copied it incorrectly? You seem to be missing a couple of lines which sets the variable.
Obvious one - but you'll need a vip listening on 443 too for this to work and, without double checking, do all browsers / versions support the Strict-Transport-Security? I know firefox does. I'll have to remind myself on that one too.
Hope this helps,
N
ekanathdas_2662Hi,
I did try the same thing today, but both the http and https connection fails:
iRule for HSTS HTTP Virtuals
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
iRule for HSTS HTTPS Virtuals
when RULE_INIT {
set static::expires [clock scan 20110926]
}
when HTTP_RESPONSE {
HTTP::header insert Strict-Transport-Security
"max-age=[expr {$static::expires - [clock seconds]}]; \
includeSubDomains"
}
--
Thanks,
Ekanath- natheEkanath,
Have you checked out Jason's blog / testing on this? See https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084416/Implementing-HTTP-Strict-Transport-Security-in-iRules.aspx
Also, have you got any other iRules associated with the virtuals? I presume you've got the HTTP profile assigned to the virtual?
Rgds
N - ekanathdas_2662Yes, the virtuals have the http profile associated to them.
I believe , i am overlooking somewhere and getting the irule error. Should not the time be defined i n rule? Anywhere else should it be defined?
===error===
Jun 18 10:10:40 tmm tmm[1099]: 01220001:3: TCL error: Rule HSTS-HTTPS - can't read "static::expires": no such variab
le while executing "expr {$static::expires - [clock seconds]}"
===i rule on http virtual===
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
==i rule on https virtual===
when RULE_INIT {
set static::expires [clock scan 9504000]
}
when HTTP_RESPONSE {
HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]"
}
Thanks. - Yasir_Al-Musawi
Your issue is with the clock scan value
it should be [clock scan yyyymmdd]
or you can use this instead of what you are using
==i rule on https virtual===
when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max-age=31536000 ; includeSubDomains" }
san2hosh_306591Well I used the Below Rule. And, my user complained that as the days are passing the time seems to be decreasing. So is their any static rule that can make it same clock seconds everyday?
Here is my rule: when RULE_INIT { set static::expires [clock scan 31536000] } when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains" }
JGCumulonimbus
when RULE_INIT { set static::expires [clock scan "12 month"] } when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains" }