First, the error should only be manifesting when the client source doesn't match your whitelist data group, where you subsequently send a 503. In the order that you have your iRules applied to the VIP (assuming new one on top), you're potentially sending a 503 response (an egress mechanism) BEFORE attempting to add a header to the ingress stream. You should be able to solve this two ways:
- Re-order the iRules in your VIP configuration, or
- Apply priority tags to the HTTP_REQUEST events to force a specific order, like this:
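
    # Lower priority values run first, so the header is set before any response is sent.
    when HTTP_REQUEST priority 50 {
        # substr ... 0 "%" drops the route-domain suffix (%N) from the client address.
        if { [HTTP::header exists X-Forwarded-For] } {
            HTTP::header replace X-Forwarded-For [substr [IP::client_addr] 0 "%"]
        } else {
            HTTP::header insert X-Forwarded-For [substr [IP::client_addr] 0 "%"]
        }
    }

    # Runs second: whitelisted clients go to the pool, everyone else gets the 503 page.
    when HTTP_REQUEST priority 100 {
        if { ( [class match [IP::client_addr] equals whitelist] ) } {
            pool Pool_1
        } else {
            HTTP::respond 503 content [b64decode [class element -name 0 DG_MAINTENANCE_HTML]] "Content-Type" "text/html"
        }
    }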