drodyc
Apr 13, 2021

iFrame iRule

Trying to figure out how to combine these two together. 

The first section is in the current iRule on my VIP (syntax might be a little off since it's from memory). It just redirects users who aren't on the list to an https website.

I have a distant end user requesting to have iFrame Headers activated for their application. How would I activate iFrame headers with just these users? I was thinking of making a datagroup with their network range. 

The second section is the closest thing I can find to activate iFrames with an iFrame datagroup. How do I frankenstein these together? I'm not even sure if this will give me the results I need. I'm not well versed in iRules or even programming in general. Thank you for your time!

when HTTP_REQUEST {
    # Check if client IP is not allowed, then redirect
    if { not [matchclass [IP::client_addr] equals xxx] } {
        log local0. "Denied IP [IP::client_addr] Forwarding to HTTPS"
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    } else {
        log local0. "Allowed IP [IP::client_addr]"
    }
}

when HTTP_REQUEST { set host [string tolower [HTTP::host]] }
when HTTP_RESPONSE {
    if { [class match $host contains iFramedatagroup] } {
        HTTP::header replace X-Frame-Options "SAMEORIGIN"
    } else {
        HTTP::header replace X-Frame-Options "SAMEORIGIN"
    }
}

1 Reply

  • I am assuming in the second section that you meant to replace the X-Frame-Options header with "DENY" if the host name does not contain an element in the datagroup. (You have SAMEORIGIN for both the "then" and "else" portions of your "if" statement.) If so, something like this perhaps (syntax checked only):

    when HTTP_REQUEST {
        # If client IP not allowed to connect,
        # redirect to HTTPS
        if { ![class match [IP::client_addr] equals xxx] } {
            #log local0. "Denied IP [IP::client_addr] Forwarding to HTTPS"
            HTTP::respond 301 Location: https://[HTTP::host][HTTP::uri]
        #} else {
            #log local0. "Allowed IP [IP::client_addr]"
        }
        # Set variable to HTTP host name
        # for HTTP response event use
        set host [string tolower [HTTP::host]]
    }
     
    when HTTP_RESPONSE {
        # Default is to deny iFrames
        HTTP::header replace X-Frame-Options "DENY"
        # If host name allows iFrame, replace
        # X-Frame-Options header with SAMEORIGIN
        if { [class match $host contains iFrameDataGroup] } {
            HTTP::header replace X-Frame-Options "SAMEORIGIN"
        }
    }

    I do not recommend leaving the log statements in production. I would comment them out, as shown in the example, unless they are needed for troubleshooting. I also assumed that iFrames were more often denied than allowed. If that is not the case, then you can put the HTTP::header replace with the DENY option as an else clause in the HTTP_RESPONSE section.

    Lastly, in the first section, I changed the matchclass command to class match, as the latter is recommended over the former. (Matchclass is one of the older datagroup commands.)
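
The question asks about keying the header on the remote users' network range rather than on the host name. One way to do that, as an added example that is not part of the original thread: `iframe_clients_dg` is a hypothetical address-type data group holding that range, and `xfo` is a variable name chosen here.

```tcl
# Added example, not from the thread.
# Assumed (hypothetical) data group:
#   iframe_clients_dg - address-type data group containing the
#                       remote users' network range (CIDR entries)
when HTTP_REQUEST {
    # Choose the framing policy from the client source address.
    # "equals" against an address-type data group matches any
    # client IP that falls inside one of its network entries.
    if { [class match [IP::client_addr] equals iframe_clients_dg] } {
        set xfo "SAMEORIGIN"
    } else {
        set xfo "DENY"
    }
}

when HTTP_RESPONSE {
    # Drop every X-Frame-Options header sent by the pool member so
    # the browser sees exactly one value, then insert the policy
    # chosen for this request.
    HTTP::header remove X-Frame-Options
    HTTP::header insert X-Frame-Options $xfo
}
```

SAMEORIGIN lets a page be framed only by pages served from the same origin as the response; which client made the request does not change that.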