Forum Discussion

Bob_10976
Sep 27, 2010

"Must be Unique" Error message assigning iRule

Hello all,

Prior to this ASP.Net Vuln issue I had one iRule assigned to all my VIPs, which was simply to reject Blank Headers; the code is below. Since then we added a simple redirect to our custom 404.aspx page when a response is 404 or 5*; the code is also below. I successfully assigned that rule to all VIPs. Finally, today I created a new iRule that checks the query string and, if there is a match, redirects to the new 404.aspx page; code is below. However, this time when I attempt to assign it I get an error message: "Must be Unique". I'm doing the assigning from the F5 iRule Editor (ver-10.1.0). If I add the new iRule via the F5's GUI interface it adds without issue. Through some troubleshooting I found that if I remove the ASP Vuln redirect rule I can add my new iRule without issue. I also looked into setting priorities for the Blank Header rule and my new iRule, since both use HTTP_Request, but that didn't seem to change anything.

I'm running version 10.2 on the BigIP. Any thoughts or suggestions on what I'm doing wrong or what I can do to make this work without having to touch 100 or so VIPs? I wouldn't even mind combining them all into one, but I'm not sure how to do that.

 

 

Name: QueryPram_Redirect

when HTTP_REQUEST {
   # Send requests whose query string carries aspxerrorpath= to the custom error page
   if { [HTTP::query] contains "aspxerrorpath=" } {
      HTTP::redirect "http://DomainName.com/404.aspx"
   }
}

Name: ASP_Vuln_Fix

when HTTP_RESPONSE {
   # Replace 404 and 5xx responses with a redirect to the custom error page
   if { ([HTTP::status] starts_with "404") || ([HTTP::status] starts_with "5") } {
      HTTP::redirect "http://DomainName.com/404.aspx"
   }
}

Name: BlockNoHeader

when HTTP_REQUEST {
   # Reject requests that arrive with an empty Host header
   if { [HTTP::host] equals "" } {
      reject
   }
}

Thanks,

Bob

3 Replies

  • Hi Bob,

    The error is a result of a restriction enforced in iControl (which the iRuler uses to make changes) but not the GUI. The restriction prevents you from adding an iRule to a VS that already has one or more events of the same priority. This restriction within iControl has been in place going back as far as I know. Priority is used to determine the order of events in iRules being executed. Priorities can range from 1 to 1000 with lower numbers running before higher numbers. By default, if no priority is specified, the event (or all events in the iRule) have a priority of 500.

    For more info on priority, you can check the wiki page:

    http://devcentral.f5.com/wiki/default.aspx/iRules/priority

    A simple fix for your situation might be to explicitly set the priority of the latest iRule to something other than 500. You should then be able to use the iRuler (or any other iControl app) to add the new iRule to existing virtual servers. Or you could use a command line utility like tmsh or bigpipe to add the iRule(s) to the existing virtual servers. You can check the bigpipe and/or tmsh guides for details.

    Aaron
  • Aaron,

    Thanks for the reply; however, it seems even if I add a Priority to one or even all of them I still get the same error. I simply added priority 500, priority 600, and priority 700 to each Rule just after the "When HTTP_Request".

    Any other thoughts?

    Thanks,

    Bob

     

  • Hi Bob,

    I expected that adding an explicit, unique priority to each iRule would have worked. Can you provide sanitized examples of the existing iRules you have on the VS as well as the one you're trying to add?

    Thanks, Aaron
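
The question mentions combining the three iRules into one. As an added example that is not part of any reply in this thread, here is one way to write that combined rule, with a single explicit priority declared outside the event blocks as the priority wiki page describes. The rule name Combined_Error_Handling and the priority value 400 are assumptions (400 is chosen only to differ from the default 500), and the thread does not confirm whether this avoids the iRuler error.

```tcl
# Name: Combined_Error_Handling (hypothetical name, not from the thread)
#
# The priority command sits at the top level, before any "when" block,
# and applies to the events that follow it. 400 is an assumed value.
priority 400

when HTTP_REQUEST {
   # From BlockNoHeader: reject requests that arrive with an empty Host header.
   if { [HTTP::host] equals "" } {
      reject
      # Stop here so the redirect check below does not run on a rejected request.
      return
   }

   # From QueryPram_Redirect: requests that reference the ASP.NET error path
   # in the query string are sent to the custom error page.
   if { [HTTP::query] contains "aspxerrorpath=" } {
      HTTP::redirect "http://DomainName.com/404.aspx"
   }
}

when HTTP_RESPONSE {
   # From ASP_Vuln_Fix: 404 and 5xx responses are replaced with a redirect to the
   # same custom page, so clients see one uniform response for every error.
   if { ([HTTP::status] starts_with "404") || ([HTTP::status] starts_with "5") } {
      HTTP::redirect "http://DomainName.com/404.aspx"
   }
}
```

With one rule per virtual server there is only one HTTP_REQUEST handler and one HTTP_RESPONSE handler to order, so the priority matters only relative to other iRules attached to the same VS.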