Forum Discussion

amolari
Jan 04, 2016

HSTS and APM (ssllabs)

Hi

Trying to achieve a grade A+ with SSL Labs for my VS that has an Access Policy bound.

I'm running v12 and use the HSTS setting in the HTTP profile.

Testing my website with SSL Labs, I do not get it to see the HSTS functionality. This is because the 302 redirect to /my.policy response doesn't contain the HSTS header.

Has F5 overseen this use case? (I haven't seen any known issue about it on AskF5)

Can anyone advise a workaround?

Thanks

Alex

 

  • After upgrading to 12.0 HF-1 and using the above iRule, we had no issue with /my.policy (with and without On-demand cert auth).

    Got from F5 support the existing BUGID 565554, which is about:

    • not needing the workaround iRule anymore (ID is mentioned in the iRule above)

    ++ additionally:

    • missing HSTS header randomly seen (when serving APM objects)

    Alex


  • Hi Lucas

    In my environment it works, but I have seen a condition where it doesn't work: if the Access Policy has an On-Demand certificate check. It seems to break the mechanism and the browser gets an SSL error. Any idea?

    Thanks

    Alex

  • Lucas_Thompson_
    Historic F5 Account

    Strictly speaking, the HSTS header is irrelevant if the site doesn't have a corresponding "http" version. I've just now tested this scenario though, and it occurs as you describe. Interestingly, the other pages (my.policy page, etc) do honor the settings from the HTTP profile.

    If you need to get around this for paperwork purposes, the following iRule will get the header in there:

    # Workaround for F5 bug ID 565554: the APM 302 redirect to /my.policy is sent
    # without the HSTS header configured in the HTTP profile.
    when CLIENT_ACCEPTED {
      # Let iRule events fire on responses generated by APM itself
      ACCESS::restrict_irule_events disable
    }

    when HTTP_RESPONSE_RELEASE {
      # Only touch the access-policy redirect; other responses already carry the header
      if { [HTTP::header Location] eq "/my.policy" } {
        HTTP::header replace "Strict-Transport-Security" "max-age=16070400 ; includeSubDomains"
      }
    }
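    One way to confirm from the client side that every response, the /my.policy redirect included, now carries a usable HSTS header, as an added example that is not part of this thread or of F5's own code: a small Python checker that parses a raw HTTP response, extracts Strict-Transport-Security, and reports why a response would fail (directive names are case-insensitive and whitespace around ";" is allowed per RFC 6797, so the value used in the iRule above parses cleanly). The 180-day (15552000 s) minimum max-age and the two sample responses are constructed assumptions modelled on the thread.

```python
from typing import Dict, List, Optional, Tuple

# Assumed threshold: roughly 180 days is the usual bar for a "long" max-age.
MIN_MAX_AGE = 15552000

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS field value; directive names lower-cased, OWS around ';' tolerated."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if eq else None
    return directives

def check_hsts(raw: bytes) -> List[str]:
    """Return a list of problems; an empty list means the HSTS header is acceptable."""
    status, headers = parse_response(raw)
    problems: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append(f"no Strict-Transport-Security header on {status} response")
        return problems
    d = parse_hsts(hsts)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    return problems

# Constructed samples: the APM redirect without the header, and a page that has it.
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: /my.policy\r\nContent-Length: 0\r\n\r\n"
PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Strict-Transport-Security: max-age=16070400 ; includeSubDomains\r\n\r\n<html></html>")
```

Feed it the raw bytes captured from the virtual server before and after applying the iRule; `check_hsts(REDIRECT)` names the missing header that SSL Labs trips over, while `check_hsts(PAGE)` comes back empty.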