Strict-Transport-Security (HSTS) header throws Operation not supported errors
This is my iRule to add "Strict-Transport-Security" header to my http response code.
when HTTP_RESPONSE {
    set strictTransportSecurityHeader {Strict-Transport-Security}
    if { [HTTP::header exists $strictTransportSecurityHeader] } {
        HTTP::header remove $strictTransportSecurityHeader
    }
    HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}
}
This works fine and I get this "Strict-Transport-Security: max-age=31536000; includeSubDomains" as output.
But it throws warnings in monitoring tool
01220001:3: TCL error: /Common/StrictTransportSecurity_HSTS - Operation not supported (line 7) invoked from within "HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}"
Errors. Any idea what might be going wrong?
- Hannes_RappNimbostratus
Do you see this error occurring upon every response, or just on rare occasions? Besides this rule, are there other iRules or LTM policies used?
- Stanislas_Piro2Cumulonimbus
Hi,
Replace:
    set strictTransportSecurityHeader {Strict-Transport-Security}
with:
    set strictTransportSecurityHeader "Strict-Transport-Security"
The use of {} defines a list and not a string.
- This is intermittent and there are other iRules too but none of them inserts HSTS and no LTM policies.
- Hannes_Rapp_162Nacreous
Since you mentioned you have other iRules.
https://devcentral.f5.com/wiki/irules.HTTP__header.ashx
If this command is executed after issuing the HTTP::redirect or HTTP::respond command, the F5 will become confused, generate an "Operation Not Supported" TCL error and reset the connection.
HTTP::header insert ...
Do you issue redirects or responses from the other iRules?
- Yeah, in other iRules I have HTTP to HTTPS redirects and some HTTP::respond too... Now how do I overcome the error? I need those iRules too.
- Hannes_Rapp_162Nacreous
After each redirect or response statement in the other iRules, use the 'event disable HTTP_RESPONSE' function. If you structure the iRule well, you can get away with specifying it just once. You can also merge your iRules so the use of this function can be avoided. This kind of change can take your app down; make sure you test in QA. Also check out Stanislas's answer; he's right that you will not need to use the HSTS iRule on an HTTP VS. If possible, create a dedicated HTTPS VS (if you don't have one yet), and use the HSTS iRule there.
- Stanislas_Piro2Cumulonimbus
Hi,
The HSTS iRule must be applied to the HTTPS VS and not the HTTP one.
To be sure this iRule is executed before the others, you can add a priority to this iRule event and disable the event if the Policy action is a redirect.
when HTTP_RESPONSE priority 1 {
    # Skip HSTS handling when an LTM policy is already answering with a redirect.
    if {[POLICY::targets http-reply] } {
        log local0. "LTM Policy action contains redirect. Disabling event"
        event disable
        return
    }
    set strictTransportSecurityHeader "Strict-Transport-Security"
    # Remove any existing header first so only one copy is sent.
    if { [HTTP::header exists $strictTransportSecurityHeader] } {
        HTTP::header remove $strictTransportSecurityHeader
    }
    HTTP::header insert $strictTransportSecurityHeader "max-age=31536000; includeSubDomains"
}
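An added check, not part of the original thread and not F5 code: after reordering the iRules as discussed above, this audits response heads for exactly one HSTS header carrying the thread's value, and flags the header on plain HTTP, where browsers ignore it. The function names are hypothetical and the sample responses are constructed; the `local_redirect` sample assumes a locally generated redirect that the HSTS rule never touched.

```python
import re

EXPECTED_MAX_AGE = 31536000  # value the thread's iRule inserts

def parse_head(raw):
    """Split a raw response head into (status, [(lowercased name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def check_hsts(scheme, raw):
    """Return a list of findings for one response; an empty list means OK."""
    status, headers = parse_head(raw)
    values = [v for n, v in headers if n == "strict-transport-security"]
    if scheme == "http":
        # RFC 6797 section 8.1: user agents ignore HSTS received over plain HTTP.
        return ["hsts-on-plain-http"] if values else []
    if not values:
        return [f"missing-on-{status}"]
    findings = ["duplicate-header"] if len(values) > 1 else []
    directives = {}
    for part in values[0].split(";"):  # user agents process only the first header
        key, _, val = part.strip().partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        findings.append("bad-max-age")
    elif int(max_age) < EXPECTED_MAX_AGE:
        findings.append("short-max-age")
    if "includesubdomains" not in directives:
        findings.append("no-includeSubDomains")
    return findings

# Constructed sample response heads (not captured from a real system).
SAMPLES = {
    "app_ok": ("https", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"),
    "local_redirect": ("https", "HTTP/1.0 302 Found\r\nLocation: https://www.example.com/login\r\n\r\n"),
    "duplicate": ("https", "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"),
    "http_vs": ("http", "HTTP/1.0 301 Moved\r\nLocation: https://www.example.com/\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"),
}

def audit(samples=SAMPLES):
    """Map each sample name to its list of findings."""
    return {name: check_hsts(scheme, raw) for name, (scheme, raw) in samples.items()}

if __name__ == "__main__":
    print(audit())
```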