Forum Discussion

DJDX21_252164's avatar
DJDX21_252164
Icon for Cirrus rankCirrus
May 17, 2016

Strict-Transport-Security (HSTS) header throws Operation not supported errors

This is my iRule to add "Strict-Transport-Security" header to my http response code.

 

when HTTP_RESPONSE {
     set strictTransportSecurityHeader {Strict-Transport-Security}
     if { [HTTP::header exists $strictTransportSecurityHeader] } { 
          HTTP::header remove $strictTransportSecurityHeader
     }
    HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}
}

This works fine and I get this "Strict-Transport-Security: max-age=31536000; includeSubDomains" as output.

 

But it throws warnings in monitoring tool

 

01220001:3: TCL error: /Common/StrictTransportSecurity_HSTS - Operation not supported (line 7) invoked from within "HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}" Errors. Any idea what might be going wrong?

 

BIG-IP
devops
hsts
iRules
security

10 Replies

Sort By
  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    May 17, 2016
    Do you see this error occurring upon every response, or just on rare occasions? Besides this rule, are there other iRules or LTM policies used?
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    May 17, 2016

    Hi,

    replace :

    set strictTransportSecurityHeader {Strict-Transport-Security}

    by :

    set strictTransportSecurityHeader "Strict-Transport-Security"

    the use of {} define a list and not a string.

  • DJDX21_252164's avatar
    DJDX21_252164
    Icon for Cirrus rankCirrus
    May 18, 2016
    This is intermittent and there are other iRules too but none of them inserts HSTS and no LTM policies.
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    May 18, 2016

    Since you mentioned you have other iRules.

    https://devcentral.f5.com/wiki/irules.HTTP__header.ashx

    HTTP::header insert ...
    If this command is executed after issuing the HTTP::redirect or HTTP::respond command, the F5 will become confused, generate an "Operation Not Supported" TCL error and reset the connection.

    Do you issue redirects or responses from the other iRules?

    • DJDX21_252164's avatar
      DJDX21_252164
      Icon for Cirrus rankCirrus
      May 18, 2016
      Yeah, I other iRules I have http to https redirects and some http::respond too... Now how do I overcome the error I need those iRules too???
    • Hannes_Rapp_162's avatar
      Hannes_Rapp_162
      Icon for Nacreous rankNacreous
      May 18, 2016
      After each redirect or response statement in the other iRules, use 'event disable HTTP_RESPONSE' function. If you structure the iRule well, you can get away by specifying it just once. You can also merge your iRules so the use of this function can be avoided. This kind of change can take your app down, make sure you test in QA. Also check out Stanislas answer, he's right that you will not need to use HSTS iRule on HTTP VS. If possible, create a dedicated HTTPS VS (if you don't have yet), and use the HSTS iRule there.
  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    May 18, 2016

    Since you mentioned you have other iRules.

    https://devcentral.f5.com/wiki/irules.HTTP__header.ashx

    HTTP::header insert ...
    If this command is executed after issuing the HTTP::redirect or HTTP::respond command, the F5 will become confused, generate an "Operation Not Supported" TCL error and reset the connection.

    Do you issue redirects or responses from the other iRules?

    • DJDX21_252164's avatar
      DJDX21_252164
      Icon for Cirrus rankCirrus
      May 18, 2016
      Yeah, I other iRules I have http to https redirects and some http::respond too... Now how do I overcome the error I need those iRules too???
    • Hannes_Rapp's avatar
      Hannes_Rapp
      Icon for Nimbostratus rankNimbostratus
      May 18, 2016
      After each redirect or response statement in the other iRules, use 'event disable HTTP_RESPONSE' function. If you structure the iRule well, you can get away by specifying it just once. You can also merge your iRules so the use of this function can be avoided. This kind of change can take your app down, make sure you test in QA. Also check out Stanislas answer, he's right that you will not need to use HSTS iRule on HTTP VS. If possible, create a dedicated HTTPS VS (if you don't have yet), and use the HSTS iRule there.
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    May 18, 2016

    Hi,

    The HSTS irule must be applied to HTTPS VS and not HTTP.

    to be sure this irule is executed before other, you can add priority to this irule event and disable event if Policy action is redirect.

    when HTTP_RESPONSE priority 1 {
if {[POLICY::targets http-reply] } {
    log local0. "LTM Policy action contains redirect. Disabling event"
    event disable
    return
}
 set strictTransportSecurityHeader "Strict-Transport-Security"
 if { [HTTP::header exists $strictTransportSecurityHeader] } { 
      HTTP::header remove $strictTransportSecurityHeader
 }
HTTP::header insert $strictTransportSecurityHeader "max-age=31536000; includeSubDomains"
}