Hi Sachin-Garg,
I have fairly long iRules, but below I copied the compact version. This iRule is attached to a VIP where ONLY a client SSL profile has been applied, but no server SSL.
All the pools referenced are listening on port 80 and expecting clear text (non-SSL) traffic, except for the pool "mxz" (line #8).
This is a new application and needs SSL traffic to continue all the way from the browser.
I haven't used and explored "policies" on the LTM but really like the way you have mentioned to solve the problem.
Are there any drawbacks to using Policies instead of updating iRules in this case?
If this POC works, then I have 500+ similar VIP/iRule combos that will embrace this change.
when HTTP_REQUEST {
    # Select the pool from the URI prefix
    if { [HTTP::uri] starts_with "/login/data" } {
        pool app8-web
    } elseif { [HTTP::uri] starts_with "/app/rs" } {
        # Per the post, the only pool that is not expecting clear text
        pool mxz
    } elseif { [HTTP::uri] starts_with "/v2.2/esa/api" } {
        pool app9-esa
    } elseif { [HTTP::uri] starts_with "/v2.1/esa/api" } {
        pool app9-esa
    } elseif { ([HTTP::uri] starts_with "/login/v1") or ([HTTP::uri] starts_with "/login/rs") or ([HTTP::uri] starts_with "/login/api") } {
        # Redirect when the Auth header starts with "Client", otherwise use login-app
        if { [HTTP::header value "Auth"] starts_with "Client" } {
            HTTP::redirect "https://www.somedomain.com"
        } else {
            # "else" must be on the same line as the closing brace in Tcl
            pool login-app
        }
    }
}
when HTTP_RESPONSE {
    # Insert each security header only if the server did not already send it
    if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert X-Frame-Options "SAMEORIGIN" }
    if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert X-XSS-Protection "1; mode=block" }
    if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert X-Content-Type-Options "nosniff" }
    if { !([HTTP::header exists "Content-Security-Policy"]) } { HTTP::header insert Content-Security-Policy "frame-ancestors 'self' " }
    if { !([HTTP::header exists "Strict-Transport-Security"]) } { HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubdomains" }
}