{"id":22676,"date":"2026-01-20T11:56:48","date_gmt":"2026-01-20T17:56:48","guid":{"rendered":"https:\/\/sada.services\/?p=22676"},"modified":"2026-01-20T16:57:17","modified_gmt":"2026-01-20T22:57:17","slug":"itop","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=22676","title":{"rendered":"Itop"},"content":{"rendered":"\n

iRules -> Content_segurity_policy_AGD<\/strong><\/p>\n\n\n\n

Original<\/p>\n\n\n\n

when HTTP_REQUEST {\n    #para agd\n    if { [HTTP::host] eq \"agd.una.ac.cr\" } {\n        HTTP::redirect \"https:\/\/access.una.ac.cr[HTTP::uri]\"\n    }\n}\n\nwhen HTTP_RESPONSE {\n    #para agd\n    HTTP::header replace \"Content-Security-Policy\" \"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; ; connect-src 'self' https:\/\/access.una.ac.cr;\"\n    \n}\n\nwhen ACCESS_ACL_ALLOWED {\n    #para itop\n    #Set the SNI value (e.g. HTTP::host)\n    set sni_value [getfield [HTTP::host] \":\" 1]\n}\n\nwhen SERVERSSL_CLIENTHELLO_SEND {\n    #para ITOP\n    # SNI extension record as defined in RFC 3546\/3.1\n    #\n    # - TLS Extension Type                =  int16( 0 = SNI ) \n    # - TLS Extension Length              =  int16( $sni_length + 5 byte )\n    #    - SNI Record Length              =  int16( $sni_length + 3 byte)\n    #       - SNI Record Type             =   int8( 0 = HOST )\n    #          - SNI Record Value Length  =  int16( $sni_length )\n    #          - SNI Record Value         =    str( $sni_value )\n    #\n    \n    # Calculate the length of the SNI value, Compute the SNI Record \/ TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO \n    SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]\n}<\/code><\/pre>\n\n\n\n
    \n
  • prueba1<\/li>\n<\/ul>\n\n\n\n
    when HTTP_REQUEST {\n    #para agd\n    if { [HTTP::host] eq \"agd.una.ac.cr\" } {\n        HTTP::redirect \"https:\/\/access.una.ac.cr[HTTP::uri]\"\n    }\n    \n\n    \n    # Marcar si es una petici\u00f3n a Itop\n    #if { [HTTP::host] eq \"itop.una.ac.cr\" or [HTTP::path] starts_with \"\/itop\" } {\n     #   set is_itop 1\n     #   log local0.\"[HTTP::host]\"\n    #} else {\n    #    set is_itop 0\n    #}\n    \n}\n\nwhen HTTP_RESPONSE {\n    #para agd\n    HTTP::header replace \"Content-Security-Policy\" \"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; ; connect-src 'self' https:\/\/access.una.ac.cr;\"\n    \n}\n\nwhen ACCESS_ACL_ALLOWED {\n\n    #log local0.\"[HTTP::host]\"\n    if { [HTTP::host] eq \"itop.una.ac.cr\" or [HTTP::path] starts_with \"\/itop\" } {\n        set sni_value [getfield [HTTP::host] \":\" 1]\n        log local0.\"[HTTP::host]\"\n    }\n  \n    # Solo para Itop\n    #if { [info exists is_itop] and $is_itop == 1 } {\n     #   set sni_value [getfield [HTTP::host] \":\" 1]\n    #}\n}\n\nwhen SERVERSSL_CLIENTHELLO_SEND {\n    #para ITOP\n    # SNI extension record as defined in RFC 3546\/3.1\n    #\n    # - TLS Extension Type                =  int16( 0 = SNI ) \n    # - TLS Extension Length              =  int16( $sni_length + 5 byte )\n    #    - SNI Record Length              =  int16( $sni_length + 3 byte)\n    #       - SNI Record Type             =   int8( 0 = HOST )\n    #          - SNI Record Value Length  =  int16( $sni_length )\n    #          - SNI Record Value         =    str( $sni_value )\n    #\n    \n    # Calculate the length of the SNI value, Compute the SNI Record \/ TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO \n    if { [info exists sni_value] } {\n        SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]\n    }\n}<\/code><\/pre>\n\n\n\n
      \n
    • Sirviendo para itop<\/li>\n<\/ul>\n\n\n\n
      when HTTP_REQUEST {\n    #para agd\n    if { [HTTP::host] eq \"agd.una.ac.cr\" } {\n        HTTP::redirect \"https:\/\/access.una.ac.cr[HTTP::uri]\"\n    }\n    \n\n    ##################################################################\n    # ITOP: Solicitudes GET envia &amp; en lugar de & (& codificado )\n    ##################################################################\n    if { [HTTP::uri] contains \"&amp;\" } {\n\n        # Crear variable para remplazar el &amp; por el car\u00e1cter real &        \n        set cleaned_uri [string map {\"&amp;\" \"&\"} [HTTP::uri]]\n\n        # Remplzar el valor de HTTP::uri por la nueva cadena\n        HTTP::uri $cleaned_uri\n    }\n \n}\n\nwhen HTTP_RESPONSE {\n\n    #para agd\n    #HTTP::header replace \"Content-Security-Policy\" \"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; ; connect-src 'self' https:\/\/access.una.ac.cr;\"\n    \n    # Remover headers que bloquean el embedding en APM\n    if { [HTTP::header exists \"X-Frame-Options\"] } {\n        HTTP::header remove \"X-Frame-Options\"\n\n    }\n    \n\n}\n\nwhen ACCESS_ACL_ALLOWED {\n\n    ##################################################################\n    # ITOP: Establecer sni_value = itop.una.ac.cr\n    ##################################################################\n    if { [HTTP::host] eq \"itop.una.ac.cr\" or [HTTP::path] starts_with \"\/itop\" } {\n        set sni_value [getfield [HTTP::host] \":\" 1]\n    }\n  \n\n}\n\nwhen SERVERSSL_CLIENTHELLO_SEND {\n\n\n    #para ITOP\n    # SNI extension record as defined in RFC 3546\/3.1\n    #\n    # - TLS Extension Type                =  int16( 0 = SNI ) \n    # - TLS Extension Length              =  int16( $sni_length + 5 byte )\n    #    - SNI Record Length              =  int16( $sni_length + 3 byte)\n    #       - SNI Record Type             =   int8( 0 = HOST )\n    #          - SNI Record Value Length  =  int16( $sni_length )\n    #          - SNI Record Value         =    str( $sni_value )\n    #\n    \n    # Calculate the length of the SNI value, Compute the SNI Record \/ TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO \n    \n    ##################################################################\n    # Establecer uso de variable sni_value si existe en ACCESS_ACL_ALLOWED\n    ##################################################################\n    if { [info exists sni_value] } {\n        SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]\n    }\n}<\/code><\/pre>\n\n\n\n
        \n
      • para depurar sigesa<\/li>\n<\/ul>\n\n\n\n
        when HTTP_REQUEST {\n    #para agd\n    if { [HTTP::host] eq \"agd.una.ac.cr\" } {\n        HTTP::redirect \"https:\/\/access.una.ac.cr[HTTP::uri]\"\n    }\n    \n    ##################################################################\n    # Logging detallado para todas las requests\n    ##################################################################\n    log local0. \"============================================\"\n    log local0. \"REQUEST - Host: [HTTP::host]\"\n    log local0. \"REQUEST - Path: [HTTP::path]\"\n    log local0. \"REQUEST - URI: [HTTP::uri]\"\n    log local0. \"REQUEST - Method: [HTTP::method]\"\n    log local0. \"REQUEST - Client: [IP::client_addr]\"\n    if { [HTTP::header exists \"Referer\"] } {\n        log local0. \"REQUEST - Referer: [HTTP::header \"Referer\"]\"\n    }\n    \n    ##################################################################\n    # ITOP: Solicitudes GET envia &amp; en lugar de & (& codificado )\n    ##################################################################\n    if { [HTTP::uri] contains \"&amp;\" } {\n        # Crear variable para remplazar el &amp; por el car\u00e1cter real &        \n        set cleaned_uri [string map {\"&amp;\" \"&\"} [HTTP::uri]]\n        # Remplazar el valor de HTTP::uri por la nueva cadena\n        HTTP::uri $cleaned_uri\n        log local0. \"URI Cleaned - From: [HTTP::uri] | To: $cleaned_uri\"\n    }\n \n}\n\nwhen HTTP_RESPONSE {\n    ##################################################################\n    # Logging detallado de TODAS las respuestas\n    ##################################################################\n    log local0. \"--------------------------------------------\"\n    log local0. \"RESPONSE - Status: [HTTP::status]\"\n    log local0. \"RESPONSE - Content-Type: [HTTP::header \"Content-Type\"]\"\n    \n    # Loguear redirects 3xx\n    if { [HTTP::status] >= 300 && [HTTP::status] < 400 } {\n        if { [HTTP::header exists \"Location\"] } {\n            log local0. \"REDIRECT - Location: [HTTP::header \"Location\"]\"\n        }\n    }\n    \n    # Loguear cookies\n    if { [HTTP::header exists \"Set-Cookie\"] } {\n        foreach cookie [HTTP::header values \"Set-Cookie\"] {\n            log local0. \"RESPONSE - Cookie: $cookie\"\n        }\n    }\n    \n    ##################################################################\n    # Remover headers que bloquean el embedding en APM\n    ##################################################################\n    if { [HTTP::header exists \"X-Frame-Options\"] } {\n        set xfo_original [HTTP::header \"X-Frame-Options\"]\n        HTTP::header remove \"X-Frame-Options\"\n        log local0. \"REMOVED - X-Frame-Options was: $xfo_original\"\n    }\n    \n    ##################################################################\n    # Ajustar Content-Security-Policy\n    ##################################################################\n    if { [HTTP::header exists \"Content-Security-Policy\"] } {\n        set csp [HTTP::header \"Content-Security-Policy\"]\n        log local0. \"CSP Original: $csp\"\n        \n        # Si no tiene frame-ancestors, agregarlo\n        if { ![string match \"*frame-ancestors*\" $csp] } {\n            append csp \"; frame-ancestors 'self' https:\/\/access.una.ac.cr\"\n        }\n        \n        HTTP::header replace \"Content-Security-Policy\" $csp\n        log local0. \"CSP Modified: $csp\"\n    }\n    \n    ##################################################################\n    # Remover HSTS si causa problemas\n    ##################################################################\n    if { [HTTP::header exists \"Strict-Transport-Security\"] } {\n        set hsts_original [HTTP::header \"Strict-Transport-Security\"]\n        HTTP::header remove \"Strict-Transport-Security\"\n        log local0. \"REMOVED - HSTS was: $hsts_original\"\n    }\n    \n    log local0. \"============================================\"\n}\n\nwhen ACCESS_ACL_ALLOWED {\n    ##################################################################\n    # ITOP: Establecer sni_value = itop.una.ac.cr\n    ##################################################################\n    if { [HTTP::host] eq \"itop.una.ac.cr\" or [HTTP::path] starts_with \"\/itop\" } {\n        set sni_value [getfield [HTTP::host] \":\" 1]\n        log local0. \"ACL_ALLOWED - SNI will be set to: $sni_value\"\n    }\n  \n}\n\nwhen SERVERSSL_CLIENTHELLO_SEND {\n    ##################################################################\n    # Establecer uso de variable sni_value si existe en ACCESS_ACL_ALLOWED\n    ##################################################################\n    if { [info exists sni_value] } {\n        SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]\n        log local0. \"SNI Extension Added: $sni_value\"\n    }\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
        iRules -> Content_segurity_policy_AGD Original<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-22676","post","type-post","status-publish","format-standard","hentry","category-sin-categoria"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/22676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22676"}],"version-history":[{"count":4,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/22676\/revisions"}],"predecessor-version":[{"id":22680,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/22676\/revisions\/22680"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}