F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Endpoint_Policy : clientSsl action is not correctly applied #802

Closed jrooty closed 4 months ago

jrooty commented 4 months ago

Environment

Summary

Disabling "clientSsl" inside Endpoint_Policy does not work anymore.

Even with "enable": false, the value on TMOS is enabled.

{ "type": "clientSsl", "enable": false},

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:

```json
"HTTP_POL_AP54321xP5_test_jll_20240209_1_svc_np_paas_echonet": {
    "class": "Endpoint_Policy",
    "rules": [
        {
            "name": "test_jll_20240209_1_svc_np_paas_echonet_",
            "conditions": [
                {
                    "type": "httpHeader",
                    "name": "Host",
                    "event": "request",
                    "all": {
                        "operand": "starts-with",
                        "values": [
                            "test-jll-20240209-1.svc-np.paas.echonet"
                        ]
                    }
                }
            ],
            "actions": [
                {
                    "type": "forward",
                    "event": "request",
                    "select": {
                        "pool": {
                            "use": "P_test_jll_20240209_1_svc_np_paas_echonet__http_443"
                        }
                    }
                },
                {
                    "type": "clientSsl",
                    "enable": false
                },
                {
                    "type": "httpHeader",
                    "event": "response",
                    "insert": {
                        "name": "X-XSS-Protection",
                        "value": "0"
                    }
                },
                {
                    "type": "httpHeader",
                    "event": "response",
                    "insert": {
                        "name": "X-Frame-Options",
                        "value": "SAMEORIGIN"
                    }
                },
                {
                    "type": "httpHeader",
                    "event": "response",
                    "insert": {
                        "name": "X-Content-Type-Options",
                        "value": "nosniff"
                    }
                }
            ]
        }
    ]
}
```
  2. Observe on WebUI, for example:

1. Forward traffic to pool '/TESTxJLL/AP54321xP5_test_jll_2024020_http_tcp_443/P_test_jll_20240209_1_svc_np_paas_echonet__http_443' at request time.

**2. Enable server SSL at request time.**

3. Insert HTTP Header named 'X-XSS-Protection' with value '0' at response time.

4. Insert HTTP Header named 'X-Frame-Options' with value 'SAMEORIGIN' at response time.

5. Insert HTTP Header named 'X-Content-Type-Options' with value 'nosniff' at response time

Expected Behavior

Should be: 2. Disable server SSL at request time.

Actual Behavior

The state is enabled even though the value is false.

RobCupples commented 4 months ago

This example shows "enabled" instead of "enable".

Can you give {"type": "clientSsl", "enabled": false} a try?

mdditt2000 commented 4 months ago

Added AUTOTOOL-4238

jrooty commented 4 months ago

With this new property, it works correctly. The profile is disabled.

mdditt2000 commented 4 months ago

Thanks @RobCupples and @jrooty for verifying the working change. Closing.

jrooty commented 3 months ago

Tested with AS3 3.50, the issue is still there.
Need to support the previous behavior, where the "enable" property was supported, in addition to the new property you have implemented ("enabled"). Thank you.
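
Added example, not part of the thread or of the AS3 project's code: a pre-submit check that walks a declaration and flags any Endpoint_Policy `clientSsl` action written with "enable", which the thread reports as not being applied, instead of "enabled". The tenant, application, policy and pool names in the sample are constructed, and the function name is hypothetical.

```python
import json

# Constructed sample: the two clientSsl forms from the thread, placed under
# hypothetical tenant/application/policy names.
SAMPLE = json.loads("""
{"class": "ADC",
 "Tenant_A": {"class": "Tenant",
  "App_1": {"class": "Application",
   "policy_old_key": {"class": "Endpoint_Policy", "rules": [
     {"name": "rule_1", "actions": [
       {"type": "forward", "event": "request",
        "select": {"pool": {"use": "pool_1"}}},
       {"type": "clientSsl", "enable": false}]}]},
   "policy_new_key": {"class": "Endpoint_Policy", "rules": [
     {"name": "rule_1", "actions": [
       {"type": "clientSsl", "enabled": false}]}]}}}}
""")


def find_misnamed_ssl_toggles(node, path=""):
    """Return (path, message) for every clientSsl action that sets "enable"
    without "enabled". Assumption taken from the thread: only "enabled"
    takes effect, so a lone "enable" leaves the profile state unchanged."""
    findings = []
    if not isinstance(node, dict):
        return findings
    if node.get("class") == "Endpoint_Policy":
        for rule in node.get("rules", []):
            for i, action in enumerate(rule.get("actions", [])):
                if action.get("type") != "clientSsl":
                    continue
                if "enable" in action and "enabled" not in action:
                    where = f"{path}/rules/{rule.get('name')}/actions/{i}"
                    value = json.dumps(action["enable"])
                    findings.append(
                        (where, f'"enable": {value} is not applied; use "enabled"'))
    # Recurse through tenants and applications to reach nested policies.
    for key, child in node.items():
        findings.extend(find_misnamed_ssl_toggles(child, f"{path}/{key}"))
    return findings


if __name__ == "__main__":
    for where, message in find_misnamed_ssl_toggles(SAMPLE):
        print(f"{where}: {message}")
```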