Forum Discussion

StephenGonsalv1
Nimbostratus
Jan 22, 2018

iRule clubbing due to TCL errors.

Hi Guys,

Need help to combine these iRules.

Code

when HTTP_REQUEST {
    set http_uri [string tolower [HTTP::uri]]
    switch -glob ${http_uri} {
        "/ib/*" { }
        "/robots.txt" { }
        "/favicon.ico" { }
        "/rsabackchannel/hbibservice.svc" {
            if { [class match [IP::client_addr] equals FynSin_IPs] } {
            } else {
                HTTP::respond 301 noserver Location "https://x.x.x.x.com"
            }
        }
        default {
            HTTP::respond 301 noserver Location "https://x.x.x.x.com"
        }
    }
}

when HTTP_REQUEST {
    set version [SSL::cipher version]
    set cipher [SSL::cipher name]
    set oldsite [HTTP::host]
    set encode [b64encode $oldsite]

    # Check for less than TLSv1.2. This prevents SSLv2, SSLv3, TLSv1, and TLSv1.1
    # (TLSv1.0 is returned as TLSv1 by [SSL::cipher version]).
    switch -glob $version {
        "TLSv1.2" {
            # do nothing
        }
        default {
            # When the browser cannot negotiate TLSv1.2, redirect to an unencrypted
            # page with an informational error. Set cache control headers to prevent
            # proxies from caching the response. They shouldn't be necessary for a
            # 302, but it doesn't do any harm setting them.
            HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close

            # Log details of the SSL handshake and browser user-agent.
            # Consider using High Speed Logging instead to improve performance: https://devcentral.f5.com/wiki/iRules.hsl.ashx
            log local0. "[IP::client_addr]:[TCP::client_port]:\
                \[SSL::cipher version\]: [SSL::cipher version],\
                \[SSL::cipher name\]: [SSL::cipher name],\
                \[SSL::cipher bits\]: [SSL::cipher bits],\
                U-A: [HTTP::header User-Agent]"
        }
    }
}

Cheers Steve

3 Replies

  • JG
    Cumulonimbus

    Here you are:

    when HTTP_REQUEST {
        set version [SSL::cipher version]
        set cipher [SSL::cipher name]
        set oldsite [HTTP::host]
        set encode [b64encode $oldsite]
    
        # Check for less than TLSv1.2. This prevents SSLv2, SSLv3, TLSv1, and TLSv1.1
        # (TLSv1.0 is returned as TLSv1 by [SSL::cipher version]).
        switch -glob $version {
            "TLSv1.2" {
                # do nothing
            }
            default {
                # When the browser cannot negotiate at least TLSv1.2, redirect to an
                # unencrypted page with an informational error. Set cache control
                # headers to prevent proxies from caching the response. They shouldn't
                # be necessary for a 302, but it doesn't do any harm setting them.
                HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close
    
                # Log details of the SSL handshake and browser user-agent.
                # Consider using High Speed Logging instead to improve performance: https://devcentral.f5.com/wiki/iRules.hsl.ashx
                log local0. "[IP::client_addr]:[TCP::client_port]:\
                    \[SSL::cipher version\]: [SSL::cipher version],\
                    \[SSL::cipher name\]: [SSL::cipher name],\
                    \[SSL::cipher bits\]: [SSL::cipher bits],\
                    U-A: [HTTP::header User-Agent]"
            }
        }
    
        set http_uri [string tolower [HTTP::uri]]
    
        switch -glob ${http_uri} {
            "/ib/*" {
                # do nothing
            }
            "/robots.txt" {
                # do nothing
            }
            "/favicon.ico" {
                # do nothing
            }
            "/rsabackchannel/hbibservice.svc" {
                if { [class match [IP::client_addr] equals FynSin_IPs] } {
                    # do nothing
                } else {
                    HTTP::respond 301 noserver Location "https://x.x.x.x.com"
                    return
                }
            }
            "/sitecore*" {
                HTTP::respond 301 Location "https://[HTTP::host]" Connection Close
                return
            }
            default {
                HTTP::respond 301 noserver Location "https://x.x.x.x.com"
            }
        }
    }
    
  • StephenGonsalv1
    
    Still seeing the following TCL errors
    
     TCL error: /EXT/I_TLS_Redirect  - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close" ("default" arm line 7) invoked from within "switch -glob $version { "TLSv1.2" {  do nothting } default {  When browser cannot negotiate at least TLSv1.1   redirect to a unen..."
    
    Following are the iRules
    1)
    when CACHE_RESPONSE {
        CACHE::expire
    }
    
    when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server
    
        # Remove all headers starting with x- (i.e. X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version)
        foreach header_name [HTTP::header names] {
            if { [string match -nocase x-* $header_name] } {
                HTTP::header remove $header_name
            }
        }
    }
    
    2)
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/sitecore" } {
            HTTP::respond 301 Location "https://[HTTP::host]"
        }
    }
    (need to add the following to this request)
    Any hit to https://x.x.x.x.com/[URIPATH]
    to do a 301 permanent redirect to
    https://wwwx.x.x.x.com.au/[URIPATH]
    
    =======================================================
    3)
    when CLIENT_ACCEPTED {
        set static::expires [clock scan "1 year"]
    }
    when HTTP_RESPONSE {
        if { [IP::client_addr] starts_with "10." } {
            # do nothing
        } else {
            HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}];"
        }
    }
    
    4)
    when HTTP_REQUEST {
        set version [SSL::cipher version]
        set cipher  [SSL::cipher name]
        set oldsite [HTTP::host]
        set encode  [b64encode $oldsite]
    
        # Check for less than TLSv1.2. This prevents SSLv2, SSLv3, TLSv1, and TLSv1.1
        # (TLSv1.0 is returned as TLSv1 by [SSL::cipher version]).
        switch -glob $version {
            "TLSv1.2" {
                # do nothing
            }
            default {
                # When the browser cannot negotiate at least TLSv1.2, redirect to an
                # unencrypted page with an informational error. Set cache control
                # headers to prevent proxies from caching the response. They shouldn't
                # be necessary for a 302, but it doesn't do any harm setting them.
                HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close
    
                # Log details of the SSL handshake and browser user-agent.
                # Consider using High Speed Logging instead to improve performance: https://clouddocs.f5.com/api/irules/hsl.html
                log local0. "[IP::client_addr]:[TCP::client_port]:\
                    \[SSL::cipher version\]: [SSL::cipher version],\
                    \[SSL::cipher name\]: [SSL::cipher name],\
                    \[SSL::cipher bits\]: [SSL::cipher bits],\
                    U-A: [HTTP::header User-Agent]"
            }
        }
    }
    
    Cheers Steve

  • JG
    Cumulonimbus

    I have combined all your irules into one:

    when CLIENT_ACCEPTED {
        # Recomputed on every connection; static:: variables are normally initialised once in RULE_INIT.
        set static::expires [clock scan "1 year"]
    }
    
    when HTTP_REQUEST {
        set version [SSL::cipher version]
        set cipher [SSL::cipher name]
        set oldsite [HTTP::host]
        set encode [b64encode $oldsite]
    
        # Check for less than TLSv1.2. This prevents SSLv2, SSLv3, TLSv1, and TLSv1.1
        # (TLSv1.0 is returned as TLSv1 by [SSL::cipher version]).
        switch -glob $version {
            "TLSv1.2" {
                # do nothing
            }
            default {
                # When the browser cannot negotiate at least TLSv1.2, redirect to an
                # unencrypted page with an informational error. Set cache control
                # headers to prevent proxies from caching the response. They shouldn't
                # be necessary for a 302, but it doesn't do any harm setting them.
                HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close
    
                # Log details of the SSL handshake and browser user-agent.
                # Consider using High Speed Logging instead to improve performance: https://devcentral.f5.com/wiki/iRules.hsl.ashx
                log local0. "[IP::client_addr]:[TCP::client_port]:\
                    \[SSL::cipher version\]: [SSL::cipher version],\
                    \[SSL::cipher name\]: [SSL::cipher name],\
                    \[SSL::cipher bits\]: [SSL::cipher bits],\
                    U-A: [HTTP::header User-Agent]"
    
                # Stop here. Falling through into the URI switch below would call
                # HTTP::respond a second time, which is the
                # "Multiple redirect/respond invocations not allowed" TCL error.
                return
            }
        }
    
        set http_uri [string tolower [HTTP::uri]]
    
        switch -glob ${http_uri} {
            "/ib/*" {
                # do nothing
            }
            "/robots.txt" {
                # do nothing
            }
            "/favicon.ico" {
                # do nothing
            }
            "/sitecore*" {
                HTTP::respond 301 Location "https://[HTTP::host]" Connection Close
                return
            }
            "/rsabackchannel/hbibservice.svc" {
                if { [class match [IP::client_addr] equals FynSin_IPs] } {
                    # do nothing
                } else {
                    HTTP::respond 301 noserver Location "https://x.x.x.x.com" Connection Close
                    return
                }
            }
            default {
                HTTP::respond 301 noserver Location "https://x.x.x.x.com" Connection Close
                return
            }
        }
    }
    
    when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server
    
        # Remove all headers starting with x- (i.e. X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version)
        foreach header_name [HTTP::header names] {
            if { [string match -nocase x-* $header_name] } {
                HTTP::header remove $header_name
            }
        }
    
        # Internal (10.x) clients do not get HSTS; everyone else gets the remaining lifetime of the 1-year window.
        if { [IP::client_addr] starts_with "10." } {
            # Do nothing.
        } else {
            HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}];"
        }
    }
    
    when CACHE_RESPONSE {
        CACHE::expire
    }
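To check the precedence of the combined rule without a BIG-IP, here is an added Python model of the HTTP_REQUEST and HTTP_RESPONSE decisions above. It is example code written for this page, not iRule code and not from either poster. respond() enforces the one-response-per-request rule that TMM enforces with "Multiple redirect/respond invocations not allowed", so the pre-fix fall-through (no return after the TLS 302) can be reproduced offline and shown to fail only on paths that reach a second HTTP::respond, which is why the error looked intermittent. The host placeholders, the TEST-NET stand-in for the FynSin_IPs data group and the request values are all constructed.

```python
"""Offline model of the combined iRule's request/response decisions (added example)."""
import base64
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Placeholders carried over from the thread; not real hosts.
TLS_INFO_PAGE = "http://y.y.y.y.com/?"
CANONICAL_SITE = "https://x.x.x.x.com"
# Constructed stand-in for the FynSin_IPs address data group (TEST-NET-3).
FYNSIN_IPS = [ipaddress.ip_network("203.0.113.0/24")]


class MultipleRespondError(RuntimeError):
    """Raised where TMM would log 'Multiple redirect/respond invocations not allowed'."""


@dataclass
class Request:
    tls_version: str   # what [SSL::cipher version] returns, e.g. "TLSv1", "TLSv1.2"
    host: str
    uri: str
    client_addr: str


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    responded: bool = False   # set once HTTP::respond has fired


def respond(resp: Response, status: int, **headers) -> None:
    """Model of HTTP::respond: only one invocation is allowed per request."""
    if resp.responded:
        raise MultipleRespondError("Multiple redirect/respond invocations not allowed")
    resp.status, resp.responded = status, True
    resp.headers.update(headers)


def http_request(req: Request, early_return: bool = True) -> Response:
    """Model of the HTTP_REQUEST event.

    early_return=False reproduces the original bug: after the TLS 302 the
    handler fell through into the URI switch and could respond a second time.
    """
    resp = Response()
    if req.tls_version != "TLSv1.2":            # SSLv3, TLSv1, TLSv1.1 ...
        encoded = base64.b64encode(req.host.encode()).decode()
        respond(resp, 302, Location=TLS_INFO_PAGE + encoded,
                **{"Cache-Control": "No-Cache", "Pragma": "No-Cache", "Connection": "Close"})
        if early_return:
            return resp                         # the 'return' that fixes the error
    uri = req.uri.lower()                       # [string tolower [HTTP::uri]]
    if fnmatchcase(uri, "/ib/*") or uri in ("/robots.txt", "/favicon.ico"):
        pass                                    # pass through to the pool
    elif fnmatchcase(uri, "/sitecore*"):
        respond(resp, 301, Location="https://" + req.host, Connection="Close")
    elif uri == "/rsabackchannel/hbibservice.svc":
        addr = ipaddress.ip_address(req.client_addr)
        if not any(addr in net for net in FYNSIN_IPS):
            respond(resp, 301, Location=CANONICAL_SITE, Connection="Close")
    else:
        respond(resp, 301, Location=CANONICAL_SITE, Connection="Close")
    return resp


def reproduces_tcl_error(req: Request) -> bool:
    """True if the pre-fix ordering (no early return) would trip the TMM check."""
    try:
        http_request(req, early_return=False)
    except MultipleRespondError:
        return True
    return False


def http_response(backend_headers: dict, client_addr: str, max_age: int = 31536000) -> dict:
    """Model of the HTTP_RESPONSE event: drop Server and X-* headers, add HSTS.

    The rule skips HSTS for clients whose address starts with "10." (a string
    test, as in the thread); max_age stands in for the remaining 1-year window
    the rule computes from the static variable.
    """
    out = {k: v for k, v in backend_headers.items()
           if k.lower() != "server" and not k.lower().startswith("x-")}
    if not client_addr.startswith("10."):
        out["Strict-Transport-Security"] = f"max-age={max_age};"
    return out


if __name__ == "__main__":
    legacy = Request("TLSv1", "old.example", "/anything", "198.51.100.7")
    print("fixed ordering:", http_request(legacy).headers["Location"])
    print("pre-fix on /anything raises:", reproduces_tcl_error(legacy))
    print("pre-fix on /ib/home raises:",
          reproduces_tcl_error(Request("TLSv1", "old.example", "/ib/home", "198.51.100.7")))
```

Run it as a script to see that the pre-fix ordering only fails on URIs that fall into an arm of the switch that responds; a legacy-TLS client fetching /ib/... or /robots.txt never hit the error, which matches the sporadic log lines in the thread.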