Forum Discussion
iRule - HTTP REQUEST/RESPONSE - whitelist specific URI's
Hello,
I have an iRule I'm trying to implement for security headers. There are a handful of URIs that I need to whitelist; so far this is what I have:
    when HTTP_REQUEST {
        set uri [HTTP::uri]
    }
    when HTTP_RESPONSE {
        if { not ( [class match [$uri] contains dgl_securityheaders] ) } {
            HTTP::header insert X-XSS-Protection "1; mode=block"
            HTTP::header insert X-Frame-Options "sameorigin"
            HTTP::header insert X-Content-Type-Options "nosniff"
        }
    }
The issue I run into when putting this in place is that the site will just give a connection reset. I'm guessing it's something to do with grabbing the URI variable; any ideas? Also, if I comment out the if statement, it works w/o issue. Inside the dgl are just 2 URIs.
Thanks!
3 Replies
- mimlo_61970
Cumulonimbus
Can you look in /var/log/ltm and see if there are any errors at the time of a TCP reset? Sometimes if the script throws a runtime error, it results in a TCP reset. The reason should be in the log.
- Dan_L1
Nimbostratus
Ah yeah, it does have a ton of errors when I tested it, example:
Apr 19 08:36:53 - err tmm[15025]: 01220001:3: TCL error: /Common/irule_securityHeaders - invalid command name "/path/to/a/uri" while executing "$uri"
Looks like the way the URI is being ingested and then utilized with the HTTP response is not correct.
- cjunior
Nacreous
Hi, I think that issue would be the square brackets covering the $uri variable.
So, try to do this:
    if { not [class match $uri contains dgl_securityheaders] } {
Regards.
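
Added example, not part of any reply above: a complete iRule with the bracket fix applied, doing the data-group lookup in HTTP_REQUEST so the response event only reads a flag. It assumes the data group dgl_securityheaders from the question; the variable name add_sec_headers is hypothetical.

```tcl
# Added example (not from the thread). Assumes the data group
# dgl_securityheaders from the question; add_sec_headers is a hypothetical name.
when HTTP_REQUEST {
    # [HTTP::uri] is a command call, so brackets are correct here. A variable
    # is read with $uri alone: [$uri] would run the URI text as a command,
    # which is the "invalid command name" error shown in /var/log/ltm.
    set uri [HTTP::uri]

    # Look the URI up once per request and keep only the decision.
    if { [class match $uri contains dgl_securityheaders] } {
        set add_sec_headers 0
    } else {
        set add_sec_headers 1
    }
}

when HTTP_RESPONSE {
    # Skip if the flag is missing or the URI was whitelisted.
    if { ![info exists add_sec_headers] || !$add_sec_headers } {
        return
    }
    # Same three headers as the original rule; insert each only when the
    # server did not already send it, to avoid duplicate headers.
    foreach {name value} {
        X-XSS-Protection       "1; mode=block"
        X-Frame-Options        "sameorigin"
        X-Content-Type-Options "nosniff"
    } {
        if { ![HTTP::header exists $name] } {
            HTTP::header insert $name $value
        }
    }
}
```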
