Forum Discussion
iRules HTTP::header insert
Hi
I am new to irules and applied the following simple iRule to a test VIP.
As you can see, it's supposed to inject the protocol and cipher version details into the HTTP header. We can see the iRule executing in the log, but nothing shows up in the webserver responses.
Is there anything that I might have missed?
when HTTP_REQUEST {
    HTTP::header insert X-SSL-Protocol [SSL::cipher version]
    HTTP::header insert X-SSL-Cipher [SSL::cipher name]
    log local0. "Version: [SSL::cipher version], Name: [SSL::cipher name]"
}
6 Replies
- Andy_McGrath
Cumulonimbus
You are adding the headers to the HTTP Request, so unless the web server on the back end is taking the headers and adding them to its own HTTP Response you will not need them on the client side.
Not tested but you could try adding the headers to the HTTP Response with the following:
when HTTP_RESPONSE {
    HTTP::header insert X-SSL-Protocol [SSL::cipher version]
    HTTP::header insert X-SSL-Cipher [SSL::cipher name]
    log local0. "Version: [SSL::cipher version], Name: [SSL::cipher name]"
}
- southern_shred1
Nimbostratus
Thanks for your prompt response. That makes sense
Is it the case if we would like to see the response details on the "response headers" on the webserver? Something like

x-fram-options: SAMEORIGIN
x-ssl-cipher: ECDHE-ECDSA-AES256-GCM-SHA384
X-SSL-PROTOCOL: TLSV1.2
X-SSL-PROTOCOL: TLSV1.2
x-xss-protection: 1, mode=block
- Andy_McGrath
Cumulonimbus
You need the web server to get those headers in the HTTP Request, so your original iRule would do that. If you need your web server to add them to the HTTP Response then you will need to look at your web server's configuration and/or code.
If you don't want your web server to add the headers, you could just have both iRule events run on the F5 so it inserts the headers in the Request and Response.
e.g.
when HTTP_REQUEST {
    HTTP::header insert X-SSL-Protocol [SSL::cipher version]
    HTTP::header insert X-SSL-Cipher [SSL::cipher name]
    log local0. "REQUEST, Version: [SSL::cipher version], Name: [SSL::cipher name]"
}
when HTTP_RESPONSE {
    HTTP::header insert X-SSL-Protocol [SSL::cipher version]
    HTTP::header insert X-SSL-Cipher [SSL::cipher name]
    log local0. "RESPONSE, Version: [SSL::cipher version], Name: [SSL::cipher name]"
}
- southern_shred1
Nimbostratus
Ah thanks, that makes sense. In this case we only need to get those headers in the HTTP Request headed to the web server. The web server will then use this information to prompt a warning on the front page of a user's browser if they are using the wrong version of TLS.
- southern_shred1
Nimbostratus
This is what I see in my logs when iRule runs. Is there a need to run a tcpdump to confirm the insert?
info tmm1[19063]: Rule /Common/tlscipher_version : Version: TLSv1.2, Name: ECDHE-RSA-AES256-CBC-SHA
- Andy_McGrath
Cumulonimbus
Shouldn't need to if the log line in the iRule is below the HTTP::header lines but can do, or you could log the HTTP Headers on the backend server to confirm they are getting through.
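An added example, not part of the thread and not any poster's code: a request-side variant of the iRule discussed above that removes any copies of the two headers sent by the client before inserting the BIG-IP's own values, because the web server in this thread bases a decision on them. It assumes the same header names as the thread and a virtual server with a client SSL profile attached.

```tcl
when HTTP_REQUEST {
    # HTTP::header insert adds a header without removing an existing one
    # of the same name, so a request that already carries X-SSL-Protocol
    # or X-SSL-Cipher would reach the web server with two values.
    # Strip client-supplied copies first so the backend only sees ours.
    foreach name {X-SSL-Protocol X-SSL-Cipher} {
        if { [HTTP::header exists $name] } {
            # Log the header name and source only, not the supplied value.
            log local0. "Removed client-supplied $name from [IP::client_addr]"
            HTTP::header remove $name
        }
    }

    # Values negotiated on the client-side TLS connection.
    HTTP::header insert X-SSL-Protocol [SSL::cipher version]
    HTTP::header insert X-SSL-Cipher [SSL::cipher name]

    # Logged after the inserts, so the log line confirms they ran.
    log local0. "Version: [SSL::cipher version], Name: [SSL::cipher name]"
}
```

On the web server, the two headers are only meaningful for requests that arrive from the BIG-IP; requests that reach the server by another path carry whatever the sender chose.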