Forum Discussion

pedinopa_170325's avatar
pedinopa_170325
Icon for Nimbostratus rankNimbostratus
Jan 22, 2018

HSTS via irule

I have 2 irules. 1 for HTTP HSTS and the other for HTTPS HSTS. they insert the headers but hsts is not enabled. I am running 11.5.4 so the HSTS config is not in my HTTP profile, how can I enable it through an irule?

** iRule for HSTS HTTP Virtuals

when HTTP_REQUEST { 

HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"

} **

iRule for HSTS HTTPS Virtuals

when RULE_INIT { 

 set static::expires [clock scan 20110926]

}

when HTTP_RESPONSE {

HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomain"

}

iRules
security
  • kolom's avatar
    kolom
    Icon for Altostratus rankAltostratus
    Jan 22, 2018

    Hello pedinopa,

    You should enable HSTS only on virtual servers with client SSL profiles.You can enable HSTS on HTTPS Virtual server using the below iRule.

    when HTTP_RESPONSE { 
if { !([ HTTP::header exists "Strict-Transport-Security“ ])} 
{ HTTP::header insert "Strict-Transport-Security" "16070400" } 
}
    • pedinopa_170325's avatar
      pedinopa_170325
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2018

      according to ssllabs the HSTS headers are there but not enabled. I tried the irule you suggested did not make a difference.

       

    • kolom's avatar
      kolom
      Icon for Altostratus rankAltostratus
      Jan 22, 2018

      please post a snapshot of the part that is saying it's there but not enabled.

       

    • pedinopa_170325's avatar
      pedinopa_170325
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2018

      this is the snippit I took from the ssllabs report.

       

      Strict Transport Security (HSTS)Disabled max-age=-199622101; includeSubDomains; enable

       

  • kolom_265617's avatar
    kolom_265617
    Icon for Cirrostratus rankCirrostratus
    Jan 22, 2018

    Hello pedinopa,

    You should enable HSTS only on virtual servers with client SSL profiles.You can enable HSTS on HTTPS Virtual server using the below iRule.

    when HTTP_RESPONSE { 
if { !([ HTTP::header exists "Strict-Transport-Security“ ])} 
{ HTTP::header insert "Strict-Transport-Security" "16070400" } 
}
    • pedinopa_170325's avatar
      pedinopa_170325
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2018

      according to ssllabs the HSTS headers are there but not enabled. I tried the irule you suggested did not make a difference.

       

    • kolom_265617's avatar
      kolom_265617
      Icon for Cirrostratus rankCirrostratus
      Jan 22, 2018

      please post a snapshot of the part that is saying it's there but not enabled.

       

    • pedinopa_170325's avatar
      pedinopa_170325
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2018

      this is the snippit I took from the ssllabs report.

       

      Strict Transport Security (HSTS)Disabled max-age=-199622101; includeSubDomains; enable

       

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Jan 23, 2018

    The problem with your irule is that "20110926" is a past date. It needs to be a period of time starting from the runtime. Try this one:

    when RULE_INIT {
    set static::expires [clock scan "12 month"]
}
when HTTP_RESPONSE {
    HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomain"
}

    .