HSTS help with Server Name Identification

Hi,

I created an iRule to add HSTS on my VS as shown below. This is working.

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }

Now, for my VS, I added SNI (I have the three SSL client profiles and enabled it) so my VS can respond to non-www and www on the one IP address. The SSL key is an SSL SAN key and contains the non-www and www names.

When I go to SSL Labs, the non-www gets an A+. It shows HSTS is enabled. However, in the www site, SSL Labs gives it an A. It says HSTS is not enabled.

What am I missing here?

Thanks


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Eddie,

you could try to insert the HSTS headers even for your redirects.

    HTTP::respond 301 "Location" "YourTargetURL" "Strict-Transport-Security" "max-age=31536000; includeSubDomains"

Cheers, Kai

0
Comments on this Answer
Comment made 14-Nov-2016 by EddieJK 13

Thanks Kai. That did the trick!

0
Comment made 16-Nov-2016 by Kai Wilke 7294

You're welcome! ;-)

Cheers, Kai

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Try accessing the two sites from a browser client with Fiddler installed. See if you're getting the Strict-Transport-Security header from both sites.

1
Comments on this Answer
Comment made 14-Nov-2016 by EddieJK 13

Thanks for that. I wasn't able to see the HSTS. I looked at the code, and they were doing a redirect to non-www. After I removed the redirect, it worked.

0
Comment made 14-Nov-2016 by EddieJK 13

Actually we don't want a separate www site. We have a CNAME record pointing www site to the non-www. Fiddler isn't showing HSTS until the redirection occurs.

0
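Kai's fix and the Fiddler check above, as an added Python example that is not part of this thread: it walks a redirect chain one hop at a time, the way a proxy shows it, and reports every HTTPS hop whose response lacks Strict-Transport-Security, which is why the www site scored lower when only the post-redirect response carried the header. The responses are constructed inline to mirror Eddie's setup; `fetch` is a hypothetical callable you would replace with a real HTTP client that does not follow redirects, and Location values are assumed to be absolute URLs.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}
HSTS = "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
# Constructed sample responses mirroring the thread: www 301-redirects to non-www,
# and only the non-www response carries HSTS (the state SSL Labs graded A).
BROKEN: Dict[str, str] = {
    "https://www.example.com/": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n",
    "https://example.com/": "HTTP/1.1 200 OK\r\n" + HSTS + "\r\n",
}
# The same chain after Kai's fix: the 301 itself also carries the header.
FIXED: Dict[str, str] = dict(BROKEN)
FIXED["https://www.example.com/"] = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n" + HSTS + "\r\n")

def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header map)."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers

def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_chain(url: str, fetch: Callable[[str], str], max_hops: int = 5) -> List[dict]:
    """Follow redirects one hop at a time (as Fiddler shows them) and record HSTS per hop.
    `fetch` is a hypothetical callable returning the raw response for a URL without
    following redirects; a real client would wrap e.g. http.client.HTTPSConnection."""
    hops = []
    for _ in range(max_hops):
        status, headers = parse_response(fetch(url))
        hsts = headers.get("strict-transport-security")
        hops.append({"url": url, "status": status, "hsts": hsts is not None,
                     "max_age": hsts_max_age(hsts) if hsts else None})
        if status in REDIRECT_CODES and "location" in headers:
            url = headers["location"]  # assumes an absolute Location URL
        else:
            break
    return hops

def hops_missing_hsts(hops: List[dict]) -> List[str]:
    """URLs in the chain whose response carried no Strict-Transport-Security header."""
    return [h["url"] for h in hops if not h["hsts"]]
```

Run `check_chain` against `BROKEN` and the www hop is reported as missing HSTS; against `FIXED`, every hop in the chain carries it.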