Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

iRule for multiple actions on a single HTTP Response

I'm trying to build a single iRule to possibly perform multiple actions on HTTP responses. The purpose of the iRule is to inspect the HTTP headers in all responses and insert all missing security headers before sending traffic back to the client.

My concern is that by using 'if' and 'elseif' only the first matching condition will be performed.

The intention is the following:

Check if header 1 is missing on the response to the client, and if it is, insert it

Then check if header 2 is missing, and if it is, insert it as well

Then check if header 3 is missing, and if it is, insert it as well

and so on until the last header check, and then finally sent the response to the client with all the missing headers added to it.

Is this possible in a single iRule? Or is it only possible by doing each check and action on separate iRules and then adding all of them to the virtual servers?

This is the initial draft for the iRule:

when HTTP_RESPONSE {
  if { !([ HTTP::header exists "X-Frame-Options" ])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
  elseif { !([ HTTP::header exists "X-XSS-Protection" ])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
  elseif { !([ HTTP::header exists "X-Content-Type-Options" ])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" }
  elseif { !([ HTTP::header exists "Strict-Transport-Security" ])} { HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains" }

}

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you use elseif, only one header will be inserted!

Split all conditions in multiple if commands to insert all missing headers.

0
Comments on this Answer
Comment made 27-Mar-2018 by wlopez 306

Just like you said with 'elseif' only the first matching condition gets executed.

Tried using only 'if' and it's working as intended. All missing headers get inserted to the responses.

Thanks for your help clarifying this behavior!

This is the final version only using 'if':

when HTTP_RESPONSE {
  if { !([ HTTP::header exists "X-Frame-Options" ])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
  if { !([ HTTP::header exists "X-XSS-Protection" ])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
  if { !([ HTTP::header exists "X-Content-Type-Options" ])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" }
  if { !([ HTTP::header exists "Strict-Transport-Security" ])} { HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains" }
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The entire iRule will be processed and as long as the if-conditionals are unique, you should have all the header inserts that you require. I haven't tried it though. Your iRule looks good on first pass.

0