Created
June 25, 2018 14:42
Enables HSTS for a given array of domains via F5 iRule for LTM
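#HSTS iRule
#TL;DR Adds a Strict-Transport-Security header (max-age = 1 year, includeSubDomains) to responses for the hosts listed in static::hstsDomains
#By: Pierce Fortin ([email protected])
#Checks the requested host on HTTP_REQUEST and sets a per-connection flag if it matches an HSTS host
#On HTTP_RESPONSE, if the flag is set, it inserts the HSTS header, or replaces an existing one so the server cannot send a weaker policy
#v1.0 6/18/2018 Initial write
#v1.1 Fixed the misspelled header name in the "exists" check (it never matched, so a second HSTS header was inserted on every response),
#     replaced "array set" with a list (array set errors out on an odd number of host entries),
#     moved all static:: writes into RULE_INIT (writing static:: variables in other events demotes the virtual server from CMP),
#     and fixed the replace-branch log message that referred to X-FRAME-OPTIONS
when RULE_INIT {
    set static::hstsDebugOn 0
    # HSTS max-age is relative to the moment the browser receives the header, so a fixed
    # one-year value (365 * 24 * 60 * 60) is equivalent to the former "1 year from client accept"
    # computation without touching a static:: variable per connection.
    set static::hstsMaxAge 31536000
    # Hosts that should receive the HSTS header. Keep entries lower-case and without a port.
    # For a large list a data group with "class match" would be the usual replacement.
    set static::hstsDomains [list "domain.com" "domain2.com"]
}
when CLIENT_ACCEPTED {
    set logPrefix "[IP::client_addr]:[TCP::client_port]:hsts:\[HTTPS\]:\t"
    if { $static::hstsDebugOn } { log local0. "$logPrefix: Client accepted" }
}
when HTTP_REQUEST {
    if { $static::hstsDebugOn } { log local0. "$logPrefix: ### Begin processing Incoming" }
    # Connection-scoped flag read back in HTTP_RESPONSE. Reset on every request so a later
    # request on a keep-alive connection does not inherit the decision of the previous one.
    set ishstsDomain 0
    # Normalise the Host header: case-insensitive match, ignore an explicit ":port" suffix.
    set host [string tolower [HTTP::host]]
    regsub {:[0-9]+$} $host "" host
    if { $static::hstsDebugOn } { log local0. "$logPrefix: Checking $host against $static::hstsDomains" }
    if { [lsearch -exact $static::hstsDomains $host] >= 0 } {
        if { $static::hstsDebugOn } { log local0. "$logPrefix: Current request is an hsts domain. Processing" }
        set ishstsDomain 1
    }
}
when HTTP_RESPONSE {
    if { $static::hstsDebugOn } { log local0. "$logPrefix: Processing Response" }
    if { $ishstsDomain eq 1 } {
        if { $static::hstsDebugOn } { log local0. "$logPrefix: Current request is an hsts domain. Inserting hsts" }
        set hstsValue "max-age=$static::hstsMaxAge; includeSubDomains"
        if { [HTTP::header exists "Strict-Transport-Security"] } {
            # Replace rather than append: the response must carry exactly one HSTS header,
            # and the LTM policy wins over whatever the pool member sent.
            if { $static::hstsDebugOn } { log local0. "$logPrefix: Found existing Strict-Transport-Security header, Replacing" }
            HTTP::header replace Strict-Transport-Security $hstsValue
        } else {
            if { $static::hstsDebugOn } { log local0. "$logPrefix: Could not find existing STS header. Inserting" }
            HTTP::header insert Strict-Transport-Security $hstsValue
        }
    }
}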