Cirrushi
trying to achieve a grade a+ with ssllabs for my VS that have an Access Policy bound.
I'm running v12 and use the HSTS setting in the HTTP profile.
Testing my website with SSLLabs, I do not get it to see the HSTS functionality. This, because the 302 redirect to /my.policy response doesn't contains the HSTS header.
Has F5 overseen this use case? (I haven't seen any known issue about it on AskF5)
Anyone can advice a workaround?
Thanks
Alex
Strictly speaking, the HSTS header is irrelevant if the site doesn't have a corresponding "http" version. I've just now tested this scenario though, and it occurs as you describe. Interestingly, the other pages (my.policy page, etc) do honor the settings from the HTTP profile.
If you need to get around this for paperwork purposes, the following irule will get the header in there:
workaround for F5 bug ID 565554
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_RESPONSE_RELEASE {
if { [HTTP::header Location] eq "/my.policy" } {
HTTP::header replace "Strict-Transport-Security" "max-age=16070400 ; includeSubDomains"
}
}
CirrusHi Lucas
In my environment it works, but I have seen a condition where it doesn't work: if the Access Policy has a On-Demand certificate check. It seems to break the mechanism and the browser gets a SSL error. Any idea?
Thanks
Alex
CirrusAfter upgrading to 12.0 HF-1 and using the above iRule, we had no issue with /my.policy (with and without On-demand cert auth).
Got from F5 support the existing BUGID 565554, which is about
++ additionally:
Alex
CirrusAfter upgrading to 12.0 HF-1 and using the above iRule, we had no issue with /my.policy (with and without On-demand cert auth).
Got from F5 support the existing BUGID 565554, which is about
++ additionally:
Alex