DJDX21_252164
May 17, 2016

Strict-Transport-Security (HSTS) header throws Operation not supported errors

This is my iRule to add "Strict-Transport-Security" header to my http response code.

 

when HTTP_RESPONSE {
    set strictTransportSecurityHeader {Strict-Transport-Security}
    if { [HTTP::header exists $strictTransportSecurityHeader] } {
        HTTP::header remove $strictTransportSecurityHeader
    }
    HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}
}

This works fine and I get this "Strict-Transport-Security: max-age=31536000; includeSubDomains" as output.

 

But it throws warnings in monitoring tool

 

01220001:3: TCL error: /Common/StrictTransportSecurity_HSTS - Operation not supported (line 7) invoked from within "HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}"

Errors. Any idea what might be going wrong?

 

  • Do you see this error occurring upon every response, or just on rare occasions? Besides this rule, are there other iRules or LTM policies used?
  • Hi,

    Replace:

    set strictTransportSecurityHeader {Strict-Transport-Security}

    by:

    set strictTransportSecurityHeader "Strict-Transport-Security"

    The use of {} defines a list and not a string.

  • This is intermittent and there are other iRules too but none of them inserts HSTS and no LTM policies.
  • Since you mentioned you have other iRules.

    https://devcentral.f5.com/wiki/irules.HTTP__header.ashx

    HTTP::header insert ...
    If this command is executed after issuing the HTTP::redirect or HTTP::respond command, the F5 will become confused, generate an "Operation Not Supported" TCL error and reset the connection.

    Do you issue redirects or responses from the other iRules?

    • DJDX21_252164
      Yeah, in other iRules I have http to https redirects and some http::respond too... Now how do I overcome the error? I need those iRules too.
    • Hannes_Rapp_162
      After each redirect or response statement in the other iRules, use the 'event disable HTTP_RESPONSE' function. If you structure the iRule well, you can get away with specifying it just once. You can also merge your iRules so the use of this function can be avoided. This kind of change can take your app down; make sure you test in QA. Also check out Stanislas's answer; he's right that you will not need to use the HSTS iRule on an HTTP VS. If possible, create a dedicated HTTPS VS (if you don't have one yet), and use the HSTS iRule there.
  • Hi,

    The HSTS iRule must be applied to the HTTPS VS and not the HTTP one.

    To be sure this iRule is executed before the others, you can add a priority to this iRule event and disable the event if the Policy action is a redirect.

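    # Priority 1 runs this handler before HTTP_RESPONSE handlers at the default priority (500)
    when HTTP_RESPONSE priority 1 {
        # Stop here when an LTM policy has already selected an http-reply action
        if { [POLICY::targets http-reply] } {
            log local0. "LTM Policy action contains redirect. Disabling event"
            event disable
            return
        }
        set strictTransportSecurityHeader "Strict-Transport-Security"
        # Remove any existing header first so the response carries only one
        if { [HTTP::header exists $strictTransportSecurityHeader] } {
            HTTP::header remove $strictTransportSecurityHeader
        }
        HTTP::header insert $strictTransportSecurityHeader "max-age=31536000; includeSubDomains"
    }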
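
An added example, not part of the original posts and not F5 code: a Python check a defender could run over responses collected from each virtual server to confirm the header these iRules are meant to produce. The sample responses and the names `parse_hsts` and `audit` are constructed for illustration; the duplicate-header and plain-HTTP rules follow RFC 6797.

```python
# Constructed sample responses for illustration; not captured from a real BIG-IP.
HTTPS_OK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
HTTPS_DUP = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
HTTPS_REDIRECT = "HTTP/1.0 302 Found\r\nLocation: https://app.example.com/login\r\n\r\n"
HTTP_PLAIN = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"

def parse_hsts(value):
    """Parse an HSTS value into (max_age, include_subdomains); ValueError if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not arg.isdigit():
                raise ValueError("bad or repeated max-age")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

def audit(raw, scheme, want_age=31536000):
    """Return a list of findings for one raw response seen on an http or https listener."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = head[0].split()[1]
    values = [v.strip() for n, _, v in (h.partition(":") for h in head[1:])
              if n.strip().lower() == "strict-transport-security"]
    if scheme != "https":
        # RFC 6797: the header must not be sent over plain HTTP and browsers ignore it there.
        return ["HSTS header on plain HTTP is ignored by browsers"] if values else []
    if not values:
        return [f"{status} response has no HSTS header"]
    findings = []
    if len(values) > 1:
        # RFC 6797: a browser processes only the first of several HSTS headers.
        findings.append("duplicate HSTS headers; only the first is processed")
    try:
        max_age, include_sub = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"invalid HSTS value: {exc}"]
    if max_age < want_age:
        findings.append(f"effective max-age {max_age} is below {want_age}")
    if not include_sub:
        findings.append("includeSubDomains is not set")
    return findings
```

The duplicate case shows why the iRules above remove an existing header before inserting: with two headers, the browser would honour the first one's `max-age=300` rather than the intended one-year policy.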