Forum Discussion
Excellent, that got me there, but with some caveats:
I needed to use the HTTP_RESPONSE_RELEASE event instead of HTTP_RESPONSE / HTTP_RESPONSE_DATA, because those are not triggered when the ASM decides to block a request - to quote iRules Event Order, "These events are triggered after the request has been sent to the server, the server has processed the request and the LTM receives a response from the server." If the ASM blocks the request, it's never sent to the server.
Fortunately I ran across SOL14211, "Using an iRule to parse post-ASM requests and responses (11.x)", which addressed this exact issue.
In the end, this is working for me:
when HTTP_REQUEST {
    # Reset the per-request flag
    set asm_404_not_found 0
}
when ASM_REQUEST_BLOCKING {
    set asm_info [ASM::violation_data]
    # Any response tweaking should only be done in blocking mode!!!
    if {[string compare [ASM::status] "blocked"] == 0} {
        # The first element of the violation data is checked for the violation name
        if {[string first {VIOLATION_OBJ_DOESNT_EXIST} [lindex $asm_info 0]] != -1} {
            set asm_404_not_found 1
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    # Replace the ASM blocking response with a plain 404
    if {$asm_404_not_found == 1} {
        HTTP::respond 404 content "Not Found"
    }
}
Now, as a caveat, I notice that according to the HTTP_RESPONSE_RELEASE documentation, the HTTP::respond command is "disabled" in the HTTP_RESPONSE_RELEASE event... but that's not the behavior I'm seeing under 11.6.
Thanks for the answer!