Forum Discussion

martin_58353's avatar
Sep 09, 2017

iRule STREAM::expression is not working

Hello, I have an issue with some html code injection. Below is LTM config and iRule.

LTM config:

    ltm virtual /IB/vs_george-uat2_8090 {
        description "george-uat2"
        destination /IB/10.219.232.25:8090
        ip-protocol tcp
        mask 255.255.255.255
        pool /IB/pool_george-uat2
        profiles {
            /Common/serverssl-insecure-compatible {
                context serverside
            }
            /Common/stream { }
            /Common/tcp { }
            /IB/http-response-rechunk { }
            /IB/ssl_george-uat2 {
                context clientside
            }
        }
        rules {
            /IB/irule_hsts_remove
            /IB/irule_george_hook_v2
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

iRule:

    when RULE_INIT {
       Log debug messages to /var/log/ltm? 1=yes, 0=no
      set static::rewrite_debug 1
    }

    when HTTP_REQUEST {
       debug
      if {$static::rewrite_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: HTTP request to [HTTP::host][HTTP::uri]"}

      STREAM::disable

       remember URI
      set uri [HTTP::uri]
      set path [HTTP::path]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"

      switch $path {
        "/" {
          if { [HTTP::header value Content-Type] contains "text/html" } {
            HTTP::header remove "Accept-Encoding"
          }
        }
      }
    }

    when HTTP_RESPONSE {
      switch -glob $path {
        "/" {
          if { [HTTP::header value Content-Type] contains "text/html" } {
             >> this is showed in /var/log/ltm
            if {$static::rewrite_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: JS Inject before"}

             Inserting JavaScript
             >> this is not inserted
            STREAM::expression {@@@}

             >> this is showed in /var/log/ltm
            if {$static::rewrite_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: JS Inject after"}

             Enable the stream filter for this response only
            STREAM::enable
          }
        }
      }
    }

    when STREAM_MATCHED {
        log local0. "Stream found: [IP::client_addr]:[TCP::local_port]: matched: [STREAM::match]"
    }

I can see in $1 "JS Inject before / after" but no STREAM::expression is executed (I can't see no problem in the log, and no injected code is on client side (server response).

The first iRule looks irelevant:

ltm rule /IB/irule_hsts_remove {
    when HTTP_RESPONSE {
      set strictTransportSecurityHeader {Strict-Transport-Security}
      HTTP::header remove $strictTransportSecurityHeader
    }
  • I have solution!

     

    REQUEST event has no Content-Type in HTTP header, therefore is condition always false. Here is a correct code:

     

        when HTTP_REQUEST {
          set path [HTTP::path]
    
          switch $path {
            "/" {
              removed if { [HTTP::header value Content-Type] contains "text/html" } {
                HTTP::header remove "Accept-Encoding"
              removed }
            }
          }
        }
  • Hi,

    I guess the problem is the filter is too restrictive

     

    switch $path {
        "/" {
          if { [HTTP::header value Content-Type] contains "text/html" } {
            HTTP::header remove "Accept-Encoding"
          }
        }
      }      
    

     

    Try to remove accept-encoding header for all requests!

  • I have solution!

     

    REQUEST event has no Content-Type in HTTP header, therefore is condition always false. Here is a correct code:

     

        when HTTP_REQUEST {
          set path [HTTP::path]
    
          switch $path {
            "/" {
              removed if { [HTTP::header value Content-Type] contains "text/html" } {
                HTTP::header remove "Accept-Encoding"
              removed }
            }
          }
        }
    • Stanislas_Piro2's avatar
      Stanislas_Piro2
      Icon for Cumulonimbus rankCumulonimbus

      I'm glad I provided the solution but I'm surprised you accept your own answer as solution.