Forum Discussion

Ben_Levin_9028's avatar
Ben_Levin_9028
Icon for Nimbostratus rankNimbostratus
Jan 04, 2017

HSTS on LTM

We are running 11.5.4 on several BIG IPs and want to implement HSTS. I understand the concept of using an iRule or a policy but I have a question. If our member web servers are doing HTTP only and S...
application delivery
hsts
LTM
security
ssl termination
JMD_164012's avatar
JMD_164012
Icon for Nimbostratus rankNimbostratus
May 03, 2018

Hi Guys,

 

In software version 12.x+ HSTS can be enabled in the HTTP profile. Does this mean we need to create separate HTTP profiles for our HTTPS VIPs in order to enable HSTS?

 

When I add HSTS into an HTTP profile on an HTTP virtual server the system accepts it. If I then try to add an irule to that VIP I get an error that says :

 

01070734:3: Configuration error: In Virtual Server (/Common/EXAMPLE_VIP_NAME) http with hsts enabled requires a client ssl profile

 

Please advise

 

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    May 03, 2018

    Yes, you'd want a separate HTTP profile. Technically I guess the HTTP VIP shouldn't accept it, and it's generally a bad security practice to send an HSTS header in unencrypted traffic anyway.