iRules -> Content_segurity_policy_AGD

Original

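when HTTP_REQUEST {
    # AGD: send every request for the legacy name agd.una.ac.cr to the
    # access.una.ac.cr portal, keeping the original path and query string.
    #
    # The Host header is compared case-insensitively with any ":port" suffix
    # removed -- "AGD.una.ac.cr" or "agd.una.ac.cr:443" name the same origin,
    # and the original exact-string compare let those slip through.
    # NOTE(review): HTTP::uri is client-supplied and is copied verbatim into
    # the Location header. That is acceptable only because the target host
    # is fixed; do not turn this into a host-parameterised redirect.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "agd.una.ac.cr" } {
        HTTP::redirect "https://access.una.ac.cr[HTTP::uri]"
        # Stop here: a request already answered with a redirect must not be
        # processed further by the rest of this event.
        return
    }
}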

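when HTTP_RESPONSE {
    # AGD: force a Content-Security-Policy on backend responses.
    #
    # NOTE(review): despite the "agd" tag this runs for every response on
    # the virtual server -- agd.una.ac.cr requests never reach a backend
    # (they are redirected in HTTP_REQUEST) -- and "replace" overwrites any
    # policy the application set itself.
    # NOTE(review): 'unsafe-inline' in script-src removes most of the XSS
    # protection a CSP offers; presumably the application depends on inline
    # scripts -- confirm whether nonces or hashes are feasible instead.
    # No frame-ancestors directive is set here; the later debug revision of
    # this rule adds one.
    #
    # Fix: the original value contained a stray empty directive ("; ;").
    # Browsers ignore it, but it is a sign of hand-editing and is removed.
    HTTP::header replace "Content-Security-Policy" "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://access.una.ac.cr"
}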

when ACCESS_ACL_ALLOWED {
    # ITOP: remember the request's host name (":port" suffix dropped) so that
    # SERVERSSL_CLIENTHELLO_SEND can place it into the server-side SNI.
    # NOTE(review): the value comes straight from the client's Host header
    # for every allowed request, so the client decides which SNI the backend
    # sees. Later revisions on this page narrow this to ITOP traffic.
    set sni_value [lindex [split [HTTP::host] ":"] 0]
}

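when SERVERSSL_CLIENTHELLO_SEND {
    # ITOP: add a server_name (SNI) extension to the server-side ClientHello
    # so the backend can select the right certificate / virtual host.
    #
    # Extension layout (RFC 6066 s.3, formerly RFC 3546 s.3.1):
    #   int16  extension type         = 0 (server_name)
    #   int16  extension length       = sni_length + 5
    #     int16  ServerNameList length = sni_length + 3
    #       int8   name type           = 0 (host_name)
    #       int16  host name length    = sni_length
    #       bytes  host name           = sni_value
    #
    # sni_value is only assigned in ACCESS_ACL_ALLOWED. On flows where that
    # event never ran (non-APM traffic, ACL denial) the original rule read an
    # unset variable, which raises a TCL runtime error and typically makes
    # BIG-IP reset the connection. Guard on its existence, and skip empty
    # values, which would produce an invalid zero-length host name.
    # sni_value is expected to be a plain ASCII host name, so the character
    # count from [string length] equals the byte count written by "a*".
    if { [info exists sni_value] && $sni_value ne "" } {
        set sni_length [string length $sni_value]
        SSL::extensions insert [binary format SSScSa* 0 [expr { $sni_length + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
    }
}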
  • prueba1
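when HTTP_REQUEST {
    # AGD: send every request for the legacy name agd.una.ac.cr to the
    # access.una.ac.cr portal, keeping the original path and query string.
    #
    # The Host header is compared case-insensitively with any ":port" suffix
    # removed -- "AGD.una.ac.cr" or "agd.una.ac.cr:443" name the same origin,
    # and the original exact-string compare let those slip through.
    # NOTE(review): HTTP::uri is client-supplied and is copied verbatim into
    # the Location header; acceptable only because the target host is fixed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "agd.una.ac.cr" } {
        HTTP::redirect "https://access.una.ac.cr[HTTP::uri]"
        # Stop here: nothing else should act on an already-answered request.
        return
    }

    # (An earlier "is_itop" flag set in this event was abandoned; the ITOP
    # match now happens directly in ACCESS_ACL_ALLOWED.)
}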

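when HTTP_RESPONSE {
    # AGD: force a Content-Security-Policy on backend responses.
    #
    # NOTE(review): despite the "agd" tag this runs for every response on
    # the virtual server -- agd.una.ac.cr requests never reach a backend
    # (they are redirected in HTTP_REQUEST) -- and "replace" overwrites any
    # policy the application set itself.
    # NOTE(review): 'unsafe-inline' in script-src removes most of the XSS
    # protection a CSP offers; presumably the application depends on inline
    # scripts -- confirm whether nonces or hashes are feasible instead.
    # No frame-ancestors directive is set here.
    #
    # Fix: the original value contained a stray empty directive ("; ;").
    # Browsers ignore it, but it is a sign of hand-editing and is removed.
    HTTP::header replace "Content-Security-Policy" "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://access.una.ac.cr"
}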

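when ACCESS_ACL_ALLOWED {
    # ITOP: mark this request so the server-side TLS handshake sends the SNI
    # "itop.una.ac.cr" (test revision, keeps the Host debug log).
    #
    # The SNI is a literal. The original derived it from the client-supplied
    # Host header, so a client requesting a "/itop" path on any other host
    # name chose the SNI the backend received. The Host compare is
    # case-insensitive with any ":port" suffix removed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "itop.una.ac.cr" or [HTTP::path] starts_with "/itop" } {
        set sni_value "itop.una.ac.cr"
        log local0."[HTTP::host]"
    } else {
        # iRule variables live for the whole client connection; clear the
        # flag so a later non-ITOP request on a kept-alive connection does
        # not reuse the ITOP SNI for its own server-side handshake.
        unset -nocomplain sni_value
    }
}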

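when SERVERSSL_CLIENTHELLO_SEND {
    # ITOP: add a server_name (SNI) extension to the server-side ClientHello
    # when ACCESS_ACL_ALLOWED flagged the request.
    #
    # Extension layout (RFC 6066 s.3, formerly RFC 3546 s.3.1):
    #   int16  extension type         = 0 (server_name)
    #   int16  extension length       = sni_length + 5
    #     int16  ServerNameList length = sni_length + 3
    #       int8   name type           = 0 (host_name)
    #       int16  host name length    = sni_length
    #       bytes  host name           = sni_value
    #
    # Besides the existence check, skip an empty value: it would yield an
    # invalid zero-length host name. sni_value is expected to be a plain
    # ASCII host name, so [string length] matches the bytes written by "a*".
    if { [info exists sni_value] && $sni_value ne "" } {
        set sni_length [string length $sni_value]
        SSL::extensions insert [binary format SSScSa* 0 [expr { $sni_length + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
    }
}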
  • Sirviendo para itop
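when HTTP_REQUEST {
    # AGD: send every request for the legacy name agd.una.ac.cr to the
    # access.una.ac.cr portal, keeping the original path and query string.
    # Host is compared case-insensitively with any ":port" suffix removed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "agd.una.ac.cr" } {
        HTTP::redirect "https://access.una.ac.cr[HTTP::uri]"
        # Stop here: nothing else should act on an already-answered request.
        return
    }

    ##################################################################
    # ITOP: some GET requests arrive with the HTML entity "&amp;" where a
    # literal "&" parameter separator is expected; decode it before the
    # request is forwarded.
    ##################################################################
    # NOTE(review): the published copy of this rule rendered both sides of
    # the map as "&", which is a no-op; the entity form below is what the
    # original comment ("& encoded") describes -- confirm against the
    # deployed rule.
    # NOTE(review): this rewrite runs for every host on the virtual server
    # and changes where the backend splits query parameters. Consider
    # limiting it to ITOP traffic if other applications share this VS.
    if { [HTTP::uri] contains "&amp;" } {
        set cleaned_uri [string map {"&amp;" "&"} [HTTP::uri]]
        HTTP::uri $cleaned_uri
    }
}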

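when HTTP_RESPONSE {
    # (The fixed AGD Content-Security-Policy header of earlier revisions is
    # disabled in this revision.)

    ##################################################################
    # Allow the application to be embedded in the APM portal without
    # opening it to framing from anywhere.
    ##################################################################
    # X-Frame-Options has no per-origin allow-list, so it is dropped. The
    # original stopped there, which left every response framable from any
    # site (clickjacking). To keep the restriction, make sure the CSP
    # carries a frame-ancestors directive limited to this origin and the
    # portal -- the same value the debug revision of this rule uses.
    if { [HTTP::header exists "X-Frame-Options"] } {
        HTTP::header remove "X-Frame-Options"
    }

    # Trailing ";" / blanks are trimmed so appending does not create an
    # empty directive. A missing header reads as "".
    set csp [string trimright [HTTP::header "Content-Security-Policy"] "; "]
    if { ![string match -nocase "*frame-ancestors*" $csp] } {
        if { $csp eq "" } {
            set csp "frame-ancestors 'self' https://access.una.ac.cr"
        } else {
            append csp "; frame-ancestors 'self' https://access.una.ac.cr"
        }
        HTTP::header replace "Content-Security-Policy" $csp
    }
}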

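when ACCESS_ACL_ALLOWED {
    ##################################################################
    # ITOP: mark this request so the server-side TLS handshake sends the
    # SNI "itop.una.ac.cr".
    ##################################################################
    # The SNI is a literal. The original derived it from the client-supplied
    # Host header, so a client requesting a "/itop" path on any other host
    # name chose the SNI the backend received. The Host compare is
    # case-insensitive with any ":port" suffix removed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "itop.una.ac.cr" or [HTTP::path] starts_with "/itop" } {
        set sni_value "itop.una.ac.cr"
    } else {
        # iRule variables live for the whole client connection; clear the
        # flag so a later non-ITOP request on a kept-alive connection does
        # not reuse the ITOP SNI for its own server-side handshake.
        unset -nocomplain sni_value
    }
}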

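when SERVERSSL_CLIENTHELLO_SEND {
    ##################################################################
    # ITOP: add a server_name (SNI) extension to the server-side
    # ClientHello when ACCESS_ACL_ALLOWED flagged the request.
    ##################################################################
    # Extension layout (RFC 6066 s.3, formerly RFC 3546 s.3.1):
    #   int16  extension type         = 0 (server_name)
    #   int16  extension length       = sni_length + 5
    #     int16  ServerNameList length = sni_length + 3
    #       int8   name type           = 0 (host_name)
    #       int16  host name length    = sni_length
    #       bytes  host name           = sni_value
    #
    # Besides the existence check, skip an empty value: it would yield an
    # invalid zero-length host name. sni_value is expected to be a plain
    # ASCII host name, so [string length] matches the bytes written by "a*".
    if { [info exists sni_value] && $sni_value ne "" } {
        set sni_length [string length $sni_value]
        SSL::extensions insert [binary format SSScSa* 0 [expr { $sni_length + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
    }
}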
  • para depurar sigesa
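when HTTP_REQUEST {
    # AGD: send every request for the legacy name agd.una.ac.cr to the
    # access.una.ac.cr portal, keeping the original path and query string.
    # Host is compared case-insensitively with any ":port" suffix removed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "agd.una.ac.cr" } {
        HTTP::redirect "https://access.una.ac.cr[HTTP::uri]"
        # Stop here: nothing else should act on an already-answered request.
        return
    }

    ##################################################################
    # Verbose request logging (debug revision for the SIGESA integration).
    ##################################################################
    # NOTE(review): full URI, Referer and client address are written to
    # /var/log/ltm for every request; query strings and Referer values can
    # carry tokens. Debug only -- remove before this rule leaves the test
    # virtual server.
    log local0. "============================================"
    log local0. "REQUEST - Host: [HTTP::host]"
    log local0. "REQUEST - Path: [HTTP::path]"
    log local0. "REQUEST - URI: [HTTP::uri]"
    log local0. "REQUEST - Method: [HTTP::method]"
    log local0. "REQUEST - Client: [IP::client_addr]"
    if { [HTTP::header exists "Referer"] } {
        log local0. "REQUEST - Referer: [HTTP::header "Referer"]"
    }

    ##################################################################
    # ITOP: some GET requests arrive with the HTML entity "&amp;" where a
    # literal "&" parameter separator is expected; decode it before the
    # request is forwarded.
    ##################################################################
    # NOTE(review): the published copy of this rule rendered both sides of
    # the map as "&", which is a no-op; the entity form below is what the
    # original comment ("& encoded") describes -- confirm against the
    # deployed rule. The rewrite applies to every host on this VS.
    if { [HTTP::uri] contains "&amp;" } {
        # Capture the original before rewriting: the previous version read
        # [HTTP::uri] after HTTP::uri had already been replaced, so both
        # halves of the "From/To" log line showed the cleaned value.
        set original_uri [HTTP::uri]
        set cleaned_uri [string map {"&amp;" "&"} $original_uri]
        HTTP::uri $cleaned_uri
        log local0. "URI Cleaned - From: $original_uri | To: $cleaned_uri"
    }
}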

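when HTTP_RESPONSE {
    ##################################################################
    # Verbose response logging (debug revision for the SIGESA integration).
    ##################################################################
    # NOTE(review): this fires on every backend response and must not stay
    # enabled in production.
    log local0. "--------------------------------------------"
    log local0. "RESPONSE - Status: [HTTP::status]"
    log local0. "RESPONSE - Content-Type: [HTTP::header "Content-Type"]"

    # 3xx redirects: record where the backend sends the browser.
    if { [HTTP::status] >= 300 && [HTTP::status] < 400 } {
        if { [HTTP::header exists "Location"] } {
            log local0. "REDIRECT - Location: [HTTP::header "Location"]"
        }
    }

    # Cookies: log the cookie NAME only. The original wrote the whole
    # Set-Cookie header, which puts session identifiers into /var/log/ltm;
    # the name is enough to debug the embedding problem.
    if { [HTTP::header exists "Set-Cookie"] } {
        foreach cookie [HTTP::header values "Set-Cookie"] {
            set cookie_name [string trim [lindex [split $cookie "="] 0]]
            log local0. "RESPONSE - Cookie: $cookie_name=<redacted>"
        }
    }

    ##################################################################
    # Allow embedding in the APM portal without opening framing to the
    # world.
    ##################################################################
    # X-Frame-Options has no per-origin allow-list, so it is dropped, and
    # the CSP is given a frame-ancestors directive limited to this origin
    # and the portal. The original only added frame-ancestors when a CSP
    # header was already present, so responses without a CSP ended up
    # framable from anywhere once X-Frame-Options was removed.
    if { [HTTP::header exists "X-Frame-Options"] } {
        set xfo_original [HTTP::header "X-Frame-Options"]
        HTTP::header remove "X-Frame-Options"
        log local0. "REMOVED - X-Frame-Options was: $xfo_original"
    }

    # Trailing ";" / blanks are trimmed so appending does not create an
    # empty directive. A missing header reads as "". Directive names are
    # case-insensitive, hence -nocase.
    set csp [string trimright [HTTP::header "Content-Security-Policy"] "; "]
    if { $csp ne "" } {
        log local0. "CSP Original: $csp"
    }
    if { ![string match -nocase "*frame-ancestors*" $csp] } {
        if { $csp eq "" } {
            set csp "frame-ancestors 'self' https://access.una.ac.cr"
        } else {
            append csp "; frame-ancestors 'self' https://access.una.ac.cr"
        }
        HTTP::header replace "Content-Security-Policy" $csp
        log local0. "CSP Modified: $csp"
    }

    ##################################################################
    # Strip HSTS.
    ##################################################################
    # NOTE(review): debugging aid only. Removing Strict-Transport-Security
    # lets browsers drop the HTTPS-only policy for this origin once max-age
    # expires and stops the policy being renewed. Delete this section before
    # the rule is promoted beyond the debug profile.
    if { [HTTP::header exists "Strict-Transport-Security"] } {
        set hsts_original [HTTP::header "Strict-Transport-Security"]
        HTTP::header remove "Strict-Transport-Security"
        log local0. "REMOVED - HSTS was: $hsts_original"
    }

    log local0. "============================================"
}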

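when ACCESS_ACL_ALLOWED {
    ##################################################################
    # ITOP: mark this request so the server-side TLS handshake sends the
    # SNI "itop.una.ac.cr".
    ##################################################################
    # The SNI is a literal. The original derived it from the client-supplied
    # Host header, so a client requesting a "/itop" path on any other host
    # name chose the SNI the backend received. The Host compare is
    # case-insensitive with any ":port" suffix removed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq "itop.una.ac.cr" or [HTTP::path] starts_with "/itop" } {
        set sni_value "itop.una.ac.cr"
        log local0. "ACL_ALLOWED - SNI will be set to: $sni_value"
    } else {
        # iRule variables live for the whole client connection; clear the
        # flag so a later non-ITOP request on a kept-alive connection does
        # not reuse the ITOP SNI for its own server-side handshake.
        unset -nocomplain sni_value
    }
}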

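when SERVERSSL_CLIENTHELLO_SEND {
    ##################################################################
    # ITOP: add a server_name (SNI) extension to the server-side
    # ClientHello when ACCESS_ACL_ALLOWED flagged the request.
    ##################################################################
    # Extension layout (RFC 6066 s.3): int16 type 0, int16 extension length
    # (sni_length + 5), int16 ServerNameList length (sni_length + 3), int8
    # name type 0 (host_name), int16 host name length, then the name bytes.
    #
    # Besides the existence check, skip an empty value: it would yield an
    # invalid zero-length host name. sni_value is expected to be a plain
    # ASCII host name, so [string length] matches the bytes written by "a*".
    if { [info exists sni_value] && $sni_value ne "" } {
        set sni_length [string length $sni_value]
        SSL::extensions insert [binary format SSScSa* 0 [expr { $sni_length + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
        log local0. "SNI Extension Added: $sni_value"
    }
}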