Forum Discussion
If you remove some brackets and one of the "if"s it works. You can always test it by logging the output to /var/log/ltm, see below.
when HTTP_REQUEST {
    if {[string tolower "[HTTP::host][HTTP::path]"] equals "example.domain.com/xyz/ab/"
        or [string tolower "[HTTP::host][HTTP::path]"] equals "example.domain.com/xyz/ab"} {
        log local0. "Rejected Connection [HTTP::host][HTTP::path], converted [string tolower [HTTP::host][HTTP::path]]"
        reject
    }
}
- Chris_Olson_172, Dec 11, 2018, Nimbostratus
Thank you so much. I will test. Sadly, we are in a managed environment and I have little access to my own F5s to test and I must rely on your expertise. Thanks again. I will report back on results.
- Chris_Olson_172, Dec 21, 2018, Nimbostratus
The rule took, but it's not working. I used both URLs specified but it is not being rejected. I can still hit the site. The logs do not show anything is happening. The only thing I can think of is that it is applied to the HTTPS VIP. However, when I try to change the rule to HTTPS I get an error.
[undefined procedure: HTTPS::host][HTTPS::host] /Common/url_reject_https:2: error: [undefined procedure: HTTPS::path][HTTPS::path]
Any ideas?
- gscholz_370150, Dec 21, 2018, Nimbostratus
Even if HTTPS is used the contents of the Rule don't change. It is still an HTTP request and not an HTTPS request. If you want to find out whether the iRule gets hit at all, you could add another logging line, like below. In that case you should see one entry for every HTTP request, and a second one for every rejected request.
when HTTP_REQUEST {
    log local0. "Requested connection [HTTP::host][HTTP::path], converted [string tolower [HTTP::host][HTTP::path]]"
    if {[string tolower "[HTTP::host][HTTP::path]"] equals "example.domain.com/xyz/ab/"
        or [string tolower "[HTTP::host][HTTP::path]"] equals "example.domain.com/xyz/ab"} {
        log local0. "Rejected Connection [HTTP::host][HTTP::path], converted [string tolower [HTTP::host][HTTP::path]]"
        reject
    }
}
If you are unsure which virtual server gets hit you should be able to see that in a packet capture using tcpdump. Do you have shell access? (In theory packet capture is possible via the GUI as well, but I found it rather painful.)
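Since the poster cannot test on a real F5, here is an added desk-check (not from the thread or from F5) that models the iRule's comparison in plain Python: `should_reject()` takes the Host header value and the request-target in place of HTTP::host and HTTP::path, assumes HTTP::path excludes the query string, and runs constructed sample requests through the same lowercase-and-compare logic to show which ones the rule would reject.

```python
# Added example: plain-Python model of the iRule comparison from the thread,
# for checking offline which requests the rule would reject. Not F5 code;
# HTTP::host and HTTP::path are modelled by the two string arguments.
from urllib.parse import urlsplit

# The two literals from the iRule (values taken from the thread).
BLOCKED = ("example.domain.com/xyz/ab/", "example.domain.com/xyz/ab")


def http_path(request_target: str) -> str:
    """Model of HTTP::path: the request-target without its query string."""
    return urlsplit(request_target).path


def should_reject(host: str, request_target: str) -> bool:
    """Mirror of the iRule: lowercase host+path and compare to both literals."""
    key = (host + http_path(request_target)).lower()
    return key in BLOCKED


# Constructed sample requests: (Host header value, request-target, expected).
SAMPLES = [
    ("example.domain.com", "/xyz/ab", True),        # exact match
    ("example.domain.com", "/xyz/ab/", True),       # trailing-slash variant
    ("EXAMPLE.domain.COM", "/XYZ/AB", True),        # string tolower handles case
    ("example.domain.com", "/xyz/ab?id=1", True),   # query string is not part of the path
    ("example.domain.com", "/xyz/ab/c", False),     # sub-paths are not covered by the rule
    ("example.domain.com", "/xyz/abc", False),      # prefix only, no match
    ("example.domain.com:443", "/xyz/ab", False),   # Host sent with an explicit port does not equal the literal
    ("other.domain.com", "/xyz/ab", False),         # different host
]


def run_samples() -> list:
    """Decision for each sample, in the order defined above."""
    return [(h, t, should_reject(h, t)) for h, t, _ in SAMPLES]


def all_samples_as_expected() -> bool:
    """True when every sample gets the verdict noted beside it."""
    return all(should_reject(h, t) == exp for h, t, exp in SAMPLES)


if __name__ == "__main__":
    for host, target, verdict in run_samples():
        print(f"{'REJECT' if verdict else 'allow ':6} {host}{target}")
```

The last two negative cases are worth keeping in mind when reading the ltm log: a sub-path or a Host header carrying a port passes the exact comparison untouched, so an absent "Rejected Connection" entry does not by itself prove the iRule never ran.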
- Chris_Olson, Jan 07, 2019, Nimbostratus
I am digging into this again. The only other anomaly is that the pool members listen on 8080 (webcache). I would not think that to be an issue since the F5 handles SSL and any initial connection so it should be rejected BEFORE it hits the server. Any assistance in syntax for a packet capture would be appreciated. I can do the basics, like capturing based on source, destination or port, but not sure how to create a capture based on a URL.
- gscholz_370150, Jan 08, 2019, Nimbostratus
Just to make it easier for me to understand your setup so far: You have got one virtual server listening on port 443 with clientside SSL, and you have applied the iRule to this virtual server, right? Do you not see any log entries at all? It should get triggered for all incoming HTTP requests on that virtual server, so if there are no log entries at all I would guess the virtual server does not get hit by your tests.