Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

iFrame iRule


Trying to figure out how to combine these two together. 

The first section is in the current iRule on my VIP (Syntax might be a little off since its from memory). It just redirects users who isn't all the list to a https website. 

I have a distant end user requesting to have iFrame Headers activated for their application. How would I activate iFrame headers with just these users? I was thinking of making a datagroup with their network range. 

The second section is the closet thing I can find to activate iFrames with an iFrame datagroup. How do I frankenstein these together? I'm not even sure if this will give me the results I need. I'm not well verse in iRules or even programming in general. Thank you for your time!

when http_request {

# Check if client IP is not allowed. Then redirects
if {not [matchlass [IP:: client-addr] equals xxx]}{
log local 0. "Denied IP [IP:: client-addr] Fowarding to HTTPS"
 HTTP:: redirect https:////[getfield [HTTP::host}":"1}{http::ip} }
else } log local 0. "Allowed IP [ IP::client_addr]" }

when HTTP_REQUEST { set host [string tolower [HTTP::host]] } 
when HTTP_RESPONSE { if {[class match $host contains iFramedatagroup]} 
{ HTTP::header replace X-Frame-Options "SAMEORIGIN" ; }
else { HTTP::header replace X-Frame-Options "SAMEORIGIN" ; }}


Legacy Employee
Legacy Employee

I am assuming in the second section that you meant to replace the X-Frame-Options header with "DENY" if the host name does not contain an element in the datagroup. (You have SAMEORIGIN for both the "then" and "else" portions of your "if" statement.) If so, something like this perhaps (syntax checked only):

    # If client IP not allowed to connect,
    # redirect to HTTPS
    if { ![class match [IP::client_addr] equals xxx] } {
        #log local0. "Denied IP [IP::client_addr] Forwarding to HTTPS"
        HTTP::respond 301 Location: https://[HTTP::host][HTTP::uri]
    #} else {
        #log local0. "Allowed IP [IP::client_addr]"
    # Set variable to HTTP host name
    # for HTTP response event use
    set host [string tolower [HTTP::host]]
    # Default is to deny iFrames
    HTTP::header replace X-Frame-Options "DENY"
    # If host name allows iFrame, replace
    # X-Frame-Options header with SAMEORIGIN
    if { [class match $host contains iFrameDataGroup] } {
        HTTP::header replace X-Frame-Options "SAMEORIGIN"

I do not recommend leaving the log statements in production. I would comment them out, as shown in the example, unless they are needed for troubleshooting. I also assumed that iFrames were more often denied than allowed. If that is not the case, then you can put the HTTP::header replace with the DENY option as an else clause in the HTTP_RESPONSE section.

Lastly, in the first section, I changed the matchclass command to class match, as the latter is recommended over the former. (Matchclass is one of the older datagroup commands.)