StephenGonsalv1 (Nimbostratus), Jan 24, 2018
Still seeing the following TCL errors:

```text
TCL error: /EXT/I_TLS_Redirect - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close" ("default" arm line 7) invoked from within "switch -glob $version { "TLSv1.2" { do nothting } default { When browser cannot negotiate at least TLSv1.1 redirect to a unen..."
```
Following are the iRules:

1)

```tcl
when CACHE_RESPONSE {
    CACHE::expire
}
when HTTP_RESPONSE {
    # Remove all instances of the Server header
    HTTP::header remove Server
    # Remove all headers starting with x- (i.e. X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version)
    foreach header_name [HTTP::header names] {
        if { [string match -nocase x-* $header_name] } {
            HTTP::header remove $header_name
        }
    }
}
```
2)

```tcl
when HTTP_REQUEST {
    # Send any /sitecore request back to the site root
    if { [string tolower [HTTP::uri]] starts_with "/sitecore" } {
        HTTP::respond 301 Location "https://[HTTP::host]"
    }
}
```
(need to add the following to this request rule)
Any hit to https://x.x.x.x.com/[URIPATH]
to do a 301 permanent redirect to
https://wwwx.x.x.x.com.au/[URIPATH]
=======================================================
3)

```tcl
when CLIENT_ACCEPTED {
    # Epoch time one year from now; used to compute the HSTS max-age
    set static::expires [clock scan "1 year"]
}
when HTTP_RESPONSE {
    if { [IP::client_addr] starts_with 10. } {
        # Internal clients (10.0.0.0/8): no HSTS header
    } else {
        HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}];"
    }
}
```
4)

```tcl
when HTTP_REQUEST {
    set version [SSL::cipher version]
    set cipher [SSL::cipher name]
    set oldsite [HTTP::host]
    set encode [b64encode $oldsite]
    # Check for less than TLSv1.2. This prevents SSLv2, SSLv3, TLSv1, and TLSv1.1
    # (TLSv1.0 is returned as TLSv1 by [SSL::cipher version]).
    switch -glob $version {
        "TLSv1.2" {
            # do nothing
        }
        default {
            # When browser cannot negotiate at least TLSv1.1
            # redirect to an unencrypted page with an informational error.
            # Set cache control headers to prevent proxies from caching the response.
            # The cache control headers shouldn't be necessary for a 302,
            # but it doesn't do any harm setting them.
            HTTP::respond 302 Location "http://y.y.y.y.com/?$encode" Cache-Control No-Cache Pragma No-Cache Connection Close
            # Log details of the SSL handshake and browser user-agent
            # Consider using High Speed Logging instead to improve performance: https://clouddocs.f5.com/api/irules/hsl.html
            log local0. "[IP::client_addr]:[TCP::client_port]:\
                \[SSL::cipher version\]: [SSL::cipher version],\
                \[SSL::cipher name\]: [SSL::cipher name],\
                \[SSL::cipher bits\]: [SSL::cipher bits],\
                U-A: [HTTP::header User-Agent]"
        }
    }
}
```
 
Cheers Steve
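The "Multiple redirect/respond invocations not allowed" error is raised when more than one iRule attached to the same virtual server calls HTTP::respond (or HTTP::redirect) for the same request: here iRule 2 (the /sitecore 301) and iRule 4 (the TLS-version 302) both run in HTTP_REQUEST, so a legacy-TLS client hitting /sitecore triggers two responses. One way to avoid it is to merge all HTTP_REQUEST response logic into a single iRule that returns after the first response it sends, and to add the requested host redirect there as well. The following is an added example, not Steve's iRule or F5-supplied code. It reuses the placeholder hostnames from the post (x.x.x.x.com, wwwx.x.x.x.com.au, y.y.y.y.com), assumes a clientssl profile is attached so that SSL::cipher version is available in HTTP_REQUEST, and assumes the old host is matched by exact name.

```tcl
# Combined HTTP_REQUEST handler: at most one HTTP::respond per request.
# Order matters: the TLS check runs first so legacy clients always land on the
# informational page; host and path redirects follow.
when HTTP_REQUEST {
    set version [SSL::cipher version]
    set oldsite [string tolower [HTTP::host]]

    # 1. Reject anything below TLSv1.2 (SSLv3, TLSv1, TLSv1.1 all fail this
    #    test; TLSv1.0 is reported as "TLSv1"). Extend the allow-list if the
    #    profile later enables TLSv1.3.
    if { $version ne "TLSv1.2" } {
        log local0. "Legacy TLS $version from [IP::client_addr]:[TCP::client_port], \
            cipher [SSL::cipher name]/[SSL::cipher bits], U-A: [HTTP::header User-Agent]"
        HTTP::respond 302 Location "http://y.y.y.y.com/?[b64encode $oldsite]" \
            Cache-Control No-Cache Pragma No-Cache Connection Close
        # Leave the event now: nothing below may call HTTP::respond again.
        return
    }

    # 2. Old hostname -> new hostname, preserving the URI path and query
    #    (the 301 requested in the post). Hostname compare is an assumption.
    if { $oldsite eq "x.x.x.x.com" } {
        HTTP::respond 301 Location "https://wwwx.x.x.x.com.au[HTTP::uri]"
        return
    }

    # 3. Send /sitecore requests back to the site root (iRule 2's behaviour).
    if { [string tolower [HTTP::uri]] starts_with "/sitecore" } {
        HTTP::respond 301 Location "https://[HTTP::host]/"
        return
    }
}
```

This replaces iRules 2 and 4 on the virtual server; iRules 1 and 3 can stay as they are, since they act in HTTP_RESPONSE and never send a response themselves. The `return` after each HTTP::respond is what prevents a second response in the same event, and keeping every request-side response in one iRule means there is no other rule that can fire one behind it.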