drodyc
Apr 13, 2021
Nimbostratus
iFrame iRule
Trying to figure out how to combine these two together. The first section is in the current iRule on my VIP (Syntax might be a little off since it's from memory). It just redirects users who isn't...
I am assuming in the second section that you meant to replace the X-Frame-Options header with "DENY" if the host name does not contain an element in the datagroup. (You have SAMEORIGIN for both the "then" and "else" portions of your "if" statement.) If so, something like this perhaps (syntax checked only):
when HTTP_REQUEST {
    # If client IP not allowed to connect,
    # redirect to HTTPS
    if { ![class match [IP::client_addr] equals xxx] } {
        #log local0. "Denied IP [IP::client_addr] Forwarding to HTTPS"
        # Header name and value are passed as separate arguments
        HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
    #} else {
        #log local0. "Allowed IP [IP::client_addr]"
    }
    # Set variable to HTTP host name
    # for HTTP response event use
    set host [string tolower [HTTP::host]]
}
when HTTP_RESPONSE {
    # Default is to deny iFrames
    HTTP::header replace X-Frame-Options "DENY"
    # If host name allows iFrame, replace
    # X-Frame-Options header with SAMEORIGIN
    if { [class match $host contains iFrameDataGroup] } {
        HTTP::header replace X-Frame-Options "SAMEORIGIN"
    }
}
I do not recommend leaving the log statements in production. I would comment them out, as shown in the example, unless they are needed for troubleshooting. I also assumed that iFrames were more often denied than allowed. If that is not the case, then you can put the HTTP::header replace with the DENY option as an else clause in the HTTP_RESPONSE section.
Lastly, in the first section, I changed the matchclass command to class match, as the latter is recommended over the former. (Matchclass is one of the older datagroup commands.)
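The else-clause variant mentioned in the answer, written out as an added example (not part of the original reply). It assumes the same data group names as the answer (`xxx` is the thread's placeholder) and uses `HTTP::header remove` followed by `HTTP::header insert`, because `HTTP::header replace` only changes the last occurrence when the server sends the header more than once.

```tcl
when HTTP_REQUEST {
    # Same redirect as in the answer: clients not in the data group
    # (placeholder name xxx, as in the thread) are sent to HTTPS.
    if { ![class match [IP::client_addr] equals xxx] } {
        HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
        # Nothing else to do for this request in this event
        return
    }
    # Save the lower-cased host name for the HTTP_RESPONSE event
    set host [string tolower [HTTP::host]]
}

when HTTP_RESPONSE {
    # Drop every X-Frame-Options header the server sent, so the client
    # receives exactly one value, chosen here.
    HTTP::header remove X-Frame-Options

    if { [class match $host contains iFrameDataGroup] } {
        # Host is listed in the data group: same-origin framing allowed
        HTTP::header insert X-Frame-Options "SAMEORIGIN"
    } else {
        # Every other host: no framing at all
        HTTP::header insert X-Frame-Options "DENY"
    }
}
```

Because the match is `contains`, any host name that includes a data group entry as a substring gets SAMEORIGIN; switch the operator to `equals` if the data group holds full host names and only exact matches should be allowed.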