southern_shred1
Nov 10, 2017

iRules HTTP::header insert

Hi

 

I am new to iRules and applied the following simple iRule to a test VIP.

As you can see, it's supposed to inject the protocol and cipher version details into the HTTP header. We can see the iRule executing in the log, but nothing shows up in the web server responses.

 

Is there anything that I might have missed?

 

when HTTP_REQUEST {
    HTTP::header insert X-SSL-Protocol [SSL::cipher version]
    HTTP::header insert X-SSL-Cipher [SSL::cipher name]
    log local0. "Version: [SSL::cipher version], Name: [SSL::cipher name]"
}

 

6 Replies

  • You are adding the headers to the HTTP Request, so unless the web server on the back end is taking the headers and adding them to its own HTTP Response you will not need them on the client side.

    Not tested but you could try adding the headers to the HTTP Response with the following:

    when HTTP_RESPONSE {
        HTTP::header insert X-SSL-Protocol [SSL::cipher version]
        HTTP::header insert X-SSL-Cipher [SSL::cipher name]
        log local0. "Version: [SSL::cipher version], Name: [SSL::cipher name]"
    }
    
  • Thanks for your prompt response. That makes sense

     

    Is it the case if we would like to see the response details on the "response headers" on the webserver? Something like

    x-fram-options: SAMEORIGIN
    x-ssl-cipher: ECDHE-ECDSA-AES256-GCM-SHA384
    X-SSL-PROTOCOL: TLSV1.2
    X-SSL-PROTOCOL: TLSV1.2
    x-xss-protection: 1, mode=block

     

  • You need the web server to get those headers in the HTTP Request, so your original iRule would do that. If you need your web server to add them to the HTTP Response then you will need to look at your web server's configuration and/or code.

    If you don't want your web server to add the headers you could just have both iRule events run on the F5 so it inserts the headers in the Request and Response

     

    e.g.

     

    when HTTP_REQUEST {
        HTTP::header insert X-SSL-Protocol [SSL::cipher version]
        HTTP::header insert X-SSL-Cipher [SSL::cipher name]
        log local0. "REQUEST, Version: [SSL::cipher version], Name: [SSL::cipher name]"
    }
    when HTTP_RESPONSE {
        HTTP::header insert X-SSL-Protocol [SSL::cipher version]
        HTTP::header insert X-SSL-Cipher [SSL::cipher name]
        log local0. "RESPONSE, Version: [SSL::cipher version], Name: [SSL::cipher name]"
    }
  • Ah thanks, that makes sense. In this case we only need to get those headers in the HTTP Request headed to the web server. The web server will then use this information to prompt a warning on the front page of a user's browser if they are using the wrong version of TLS.

     

  • This is what I see in my logs when the iRule runs. Is there a need to run a tcpdump to confirm the insert?

     

    info tmm1[19063]: Rule /Common/tlscipher_version : Version: TLSv1.2, Name: ECDHE-RSA-AES256-CBC-SHA

     

  • Shouldn't need to if the log line in the iRule is below the HTTP::header lines but can do, or you could log the HTTP Headers on the backend server to confirm they are getting through.
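
Added example, not part of the original thread or anyone's production code: a sketch of the back-end check the thread describes, reading the `X-SSL-Protocol` header that the iRule inserts and deciding whether the front page should show a TLS warning. The WSGI setup, `MIN_TLS`, the banner texts and the function names are assumptions made for illustration.

```python
import re

MIN_TLS = (1, 2)  # assumed policy: warn below TLS 1.2
BANNERS = {       # constructed banner texts
    "outdated": "Your browser connected with an outdated TLS version.",
    "unknown": "Your TLS version could not be determined.",
}

def parse_protocol(value):
    """Map 'TLSv1.2' -> (1, 2), 'TLSv1' -> (1, 0), 'SSLv3' -> (0, 3); else None."""
    m = re.fullmatch(r"(SSL|TLS)v(\d)(?:\.(\d))?", value.strip())
    if not m:
        return None
    major, minor = int(m.group(2)), int(m.group(3) or 0)
    # Every SSL version sorts below every TLS version.
    return (0, major) if m.group(1) == "SSL" else (major, minor)

def tls_status(environ):
    """Return 'ok', 'outdated' or 'unknown' for one WSGI request."""
    raw = environ.get("HTTP_X_SSL_PROTOCOL")
    if raw is None:
        return "unknown"  # header absent: request did not pass through the iRule
    # HTTP::header insert adds a header without removing a same-named one the
    # client sent, and WSGI servers commonly comma-join repeats (assumption
    # about the server), so more than one value is treated as untrustworthy.
    values = raw.split(",")
    if len(values) != 1:
        return "unknown"
    version = parse_protocol(values[0])
    if version is None:
        return "unknown"
    return "ok" if version >= MIN_TLS else "outdated"

def app(environ, start_response):
    """Minimal WSGI front page that prepends a warning banner when needed."""
    status = tls_status(environ)
    banner = "" if status == "ok" else '<p class="warning">%s</p>' % BANNERS[status]
    body = ("<html><body>%s<h1>Front page</h1></body></html>" % banner).encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

On the BIG-IP side, calling `HTTP::header remove` for both header names before the `HTTP::header insert` lines keeps a single value per header, written by the BIG-IP.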