Forum Discussion

bradley2100's avatar
bradley2100
Icon for Nimbostratus rankNimbostratus
Jan 10, 2019

Configuring LTM policies with request and response conditions

BIG IP VERSION 13.1.0.6

 

Afternoon.

 

The following LTM policy exists to insert security headers into responses when missing. The LTM policy is attached to a VS which performs virtual hosting using another LTM policy to switch the back-end pools depending on incoming header.

 

A new requirement to remove the X-Content-Type-Options nosniff header for specific sites hosted on this virtual server exists and the LTM policy was adjusted as below to include a request condition against the host isnot header, this however has resulted in unexpected behaviour where-by the header is no longer inserted regardless of whatever site is being requested.

 

Any ideas?

 

Code 

ltm policy pol-tp-http-header-apply-security-controls-inc-exclusions {
description "Edit headers on response to enable security controls"
last-modified 2019-01-10:14:09:44
requires { http }
rules {
    rl-tp-header-insert-x-content-type-options {
        actions {
            0 {
                http-header
                response
                insert
                name X-Content-Type-Options
                value nosniff
            }
        }
        conditions {
            0 {
                http-host
                host
                not
                values { site1.example.com site2.example.com }
            }
            1 {
                http-header
                response
                name X-Content-Type-Options
                not
                values { nosniff }
            }
        }
        description "Insert the x-content-type-options header set to no sniff"
        ordinal 2
    }
  • Try using an iRule instead. Policies are fine when they work, but there's more people that understand iRules than ltm policies and definitely a lot more in use so you'll end up hitting less bugs.