Forum Discussion
HSTS via irule
Hello pedinopa,
You should enable HSTS only on virtual servers with client SSL profiles. You can enable HSTS on an HTTPS virtual server using the iRule below.
when HTTP_RESPONSE {
    # Insert the HSTS header only if the server did not already set one
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}
- pedinopa_170325 (Nimbostratus), Jan 22, 2018
According to ssllabs the HSTS headers are there but not enabled. I tried the iRule you suggested; it did not make a difference.
- kolom_265617 (Cirrostratus), Jan 22, 2018
Please post a snapshot of the part that is saying it's there but not enabled.
- pedinopa_170325 (Nimbostratus), Jan 22, 2018
This is the snippet I took from the ssllabs report.
Strict Transport Security (HSTS) Disabled max-age=-199622101; includeSubDomains; enable
- kolom_265617 (Cirrostratus), Jan 22, 2018
If you used the iRule I provided earlier, at least the max-age should be the fixed value specified in the iRule, which is "16070400", so are you sure that you are using the same iRule?
This is what it should look like, from multiple domains I did using the same iRule:
Strict-Transport-Security: max-age=16070400; includeSubDomains
- pedinopa_170325 (Nimbostratus), Jan 22, 2018
I did use the iRule you sent and that is the output I get, DISABLED, from SSL Labs. Strange. This is the iRule:
# iRule for HSTS on HTTPS virtuals
when RULE_INIT {
    set static::expires [clock scan 16070400]
}
when HTTP_RESPONSE {
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomain"
    }
}
- kolom_265617 (Cirrostratus), Jan 22, 2018
This is not the iRule; try using this one.
when HTTP_RESPONSE {
    # Insert the HSTS header only if the server did not already set one
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}
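An added example, not code from the thread or from F5: a small Python check that parses a Strict-Transport-Security value by the RFC 6797 directive rules and reports whether a browser would apply it, run over the header values quoted in this thread. The names `check_hsts` and `SAMPLES` are assumptions made for illustration, and two of the sample values are constructed.

```python
import re

TOKEN = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")  # HTTP token characters

def check_hsts(value):
    """Parse one Strict-Transport-Security value per RFC 6797 section 6.1."""
    result = {"enabled": False, "max_age": None,
              "include_subdomains": False, "notes": []}
    fatal, seen = False, set()
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not TOKEN.fullmatch(name):
            result["notes"].append(f"malformed directive {part!r}")
            fatal = True
        elif name in seen:
            result["notes"].append(f"directive {name!r} appears more than once")
            fatal = True
        elif name == "max-age":
            if re.fullmatch(r"[0-9]+", arg):
                result["max_age"] = int(arg)
            else:  # negative or non-numeric: the whole header is ignored
                result["notes"].append(f"max-age {arg!r} is not a non-negative integer")
                fatal = True
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        else:  # unknown directives are skipped, they do not invalidate the header
            result["notes"].append(f"unrecognized directive {name!r} is ignored")
        seen.add(name)
    if result["max_age"] is None and not fatal:
        result["notes"].append("required max-age directive is missing")
    elif result["max_age"] == 0:
        result["notes"].append("max-age=0 tells the browser to drop the policy")
    result["enabled"] = not fatal and bool(result["max_age"])
    return result

SAMPLES = [
    "max-age=-199622101; includeSubDomains; enable",  # from the ssllabs snippet
    "max-age=16070400; includeSubDomains",            # expected header in the thread
    "max-age=16070400; includeSubDomain",             # constructed: misspelled directive
    "16070400",                                       # constructed: number with no max-age=
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_hsts(sample))
```

The misspelled `includeSubDomain` case still reports the policy as enabled, but with `include_subdomains` false, so subdomains are silently left uncovered.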