Forum Discussion

Ben_Levin_9028
Jan 04, 2017

HSTS on LTM

We are running 11.5.4 on several BIG-IPs and want to implement HSTS. I understand the concept of using an iRule or a policy, but I have a question. If our member web servers are doing HTTP only and SSL termination is configured on the F5, and we configure HSTS on the F5, does anything need to be done on the web servers? Thank you.

 

4 Replies

  • You shouldn't need to do anything differently.

     

    However, HSTS is a commitment to SSL. So if you have any content that is legitimately and only accessible over HTTP, that will immediately break when the client gets the HSTS header.

     

  • Aside from enabling HSTS on the BIG-IP and seeing if anything breaks, are there other ways to mitigate this before enabling HSTS?

     

    Sure. If the only HTTP you (believe you) have is the redirects to HTTPS, open a wire capture and filter on HTTP responses other than 301/302. If you see any, then there's probably something dishing out HTTP responses that shouldn't be.

     

    You also only want to enable HSTS on the HTTPS VIPs.
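The two checks in the reply above, as an added example that is not part of the original thread and not F5 code: a small Python audit over raw HTTP responses exported from a wire capture. It flags cleartext (port 80) responses that are not 301/302 redirects, and it checks that Strict-Transport-Security appears on the HTTPS (port 443) side only, with the max-age directive that RFC 6797 requires. The capture records, the port numbers and the example.com host are constructed for illustration.

```python
"""Audit captured HTTP responses before turning on HSTS on an LTM.

Added example, not from the original thread or from F5.  Input is a list of
(listener_port, raw_response) pairs, as one might export from a client-side
capture in front of the BIG-IP.  Two checks are applied:

  1. any port-80 response whose status is not 301/302 is a stray cleartext
     resource that HSTS will break once clients have seen the header;
  2. Strict-Transport-Security must be present on port-443 responses (with a
     numeric max-age, which RFC 6797 makes mandatory) and absent on port 80.

All capture data below is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample capture: (listener_port, raw HTTP/1.x response).
SAMPLE_CAPTURE: List[Tuple[int, str]] = [
    (80, "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\nContent-Length: 0\r\n\r\n"),
    # Stray cleartext content: a CSS file still served over plain HTTP.
    (80, "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nContent-Length: 2\r\n\r\n{}"),
    # Redirect is fine, but the HSTS header is being sent on the HTTP VIP.
    (80, "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/app\r\n"
         "Strict-Transport-Security: max-age=31536000\r\nContent-Length: 0\r\n\r\n"),
    (443, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
          "Content-Length: 5\r\n\r\nhello"),
    # HTTPS response that never got the header (e.g. a VIP without the profile).
    (443, "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 2\r\n\r\n{}"),
]

REDIRECT_STATUSES = {301, 302}


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, header map with lowercased names) for a raw response."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Split an HSTS value into directives; None if the required max-age is missing."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


def stray_cleartext(capture: List[Tuple[int, str]]) -> List[int]:
    """Indices of port-80 responses that are not 301/302 redirects."""
    return [i for i, (port, raw) in enumerate(capture)
            if port == 80 and parse_response(raw)[0] not in REDIRECT_STATUSES]


def hsts_placement(capture: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """(index, problem) for HSTS missing/invalid on port 443 or present on port 80."""
    findings: List[Tuple[int, str]] = []
    for i, (port, raw) in enumerate(capture):
        _, headers = parse_response(raw)
        hsts = headers.get("strict-transport-security")
        if port == 443:
            if hsts is None:
                findings.append((i, "https response without HSTS"))
            elif parse_hsts(hsts) is None:
                findings.append((i, "HSTS header lacks a valid max-age"))
        elif hsts is not None:
            findings.append((i, "HSTS header sent over cleartext http"))
    return findings


if __name__ == "__main__":
    for idx in stray_cleartext(SAMPLE_CAPTURE):
        print(f"record {idx}: cleartext response that is not a redirect")
    for idx, problem in hsts_placement(SAMPLE_CAPTURE):
        print(f"record {idx}: {problem}")
```

Run it against your own export and expect an empty result from both functions before the HSTS header goes live; the port split (80 vs 443) is the assumption that stands in for "HTTP VIP" versus "HTTPS VIP" in the thread.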

     

  • Hi Guys,

     

    In software version 12.x+ HSTS can be enabled in the HTTP profile. Does this mean we need to create separate HTTP profiles for our HTTPS VIPs in order to enable HSTS?

     

    When I add HSTS into an HTTP profile on an HTTP virtual server, the system accepts it. If I then try to add an iRule to that VIP, I get an error that says:

     

    01070734:3: Configuration error: In Virtual Server (/Common/EXAMPLE_VIP_NAME) http with hsts enabled requires a client ssl profile

     

    Please advise

     

    • Kevin_Stewart

      Yes, you'd want a separate HTTP profile. Technically I guess the HTTP VIP shouldn't accept it, and it's generally a bad security practice to send an HSTS header in unencrypted traffic anyway.