Forum Discussion

Dan_L1
Apr 19, 2016

iRule - HTTP REQUEST/RESPONSE - whitelist specific URIs

Hello,

I have an iRule I'm trying to implement for security headers. There are a handful of URIs that I need to whitelist; so far this is what I have:

when HTTP_REQUEST { 
  set uri [HTTP::uri]
}
when HTTP_RESPONSE {
 if { not ( [class match [$uri] contains dgl_securityheaders] ) } { 
  HTTP::header insert X-XSS-Protection "1; mode=block"
  HTTP::header insert X-Frame-Options "sameorigin"
  HTTP::header insert X-Content-Type-Options "nosniff"
 }
}

The issue I run into when putting this in place is that the site will just give a connection reset. I'm guessing it's something to do with grabbing the URI variable; any ideas? Also, if I comment out the if statement, it works w/o issue. Inside the dgl are just 2 URIs.

Thanks!

3 Replies

  • Can you look in /var/log/ltm and see if there are any errors at the time of a TCP reset? Sometimes if the script throws a runtime error, it results in a TCP reset. The reason should be in the log.
  • Dan_L1

    Ah yeah, it does have a ton of errors when I tested it, example:

    Apr 19 08:36:53 - err tmm[15025]: 01220001:3: TCL error: /Common/irule_securityHeaders  - invalid command name "/path/to/a/uri"     while executing "$uri"
    

    Looks like the way the URI is being ingested and then utilized with the HTTP response is not correct.

  • Hi, I think the issue would be the square brackets covering the $uri variable.

    So, try to do this:

    if { not [class match $uri contains dgl_securityheaders] } {

    Regards.
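
The thread's fix applied to the whole rule, as an added example that is not code from any of the posters: in Tcl, `[$uri]` is command substitution, so the URI's value was being run as a command, which is the "invalid command name" error in the log. The `catch`/`log` wrapper, the `exempt` variable and the switch from `HTTP::header insert` to `HTTP::header replace` are additions assumed here, not part of the original rule.

```tcl
when HTTP_REQUEST {
    # Save the request URI so the response event can test it.
    set uri [HTTP::uri]
}

when HTTP_RESPONSE {
    # $uri is plain variable substitution. Wrapping it as [$uri] would make
    # Tcl execute the URI's value as a command, raise a runtime error, and
    # the connection would be reset.
    set exempt 0
    if { [catch { set exempt [class match $uri contains dgl_securityheaders] } err] } {
        # Added safeguard: record the error in /var/log/ltm and fall through
        # to sending the headers instead of resetting the connection.
        log local0. "security headers: class match failed: $err"
    }

    if { not $exempt } {
        # replace overwrites a header the pool member already set and adds it
        # when absent, so the client never receives two copies.
        HTTP::header replace X-XSS-Protection "1; mode=block"
        HTTP::header replace X-Frame-Options "sameorigin"
        HTTP::header replace X-Content-Type-Options "nosniff"
    }
}
```

Because `HTTP::uri` includes the query string and the match uses `contains`, any request whose URI contains one of the data group entries anywhere skips the headers, so keep the entries as specific as possible.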