HTTP::header insert does not work in ASM_REQUEST_VIOLATION?

Question

Hi guys,&nbsp;
&nbsp;This is just in a test environment, and I don't want to open a case with F5.&nbsp;
&nbsp;We have BIG-IP 10.2.1 Build 296.0 Final and it may be limited to this release.&nbsp;
&nbsp;We have these irules&nbsp;
&nbsp;when ASM_REQUEST_VIOLATION {
&nbsp;    HTTP::header insert "X-CSRF-VIOLATION" "Smurf"
&nbsp;    log local0. "ASM_REQUEST_VIOLATION on [HTTP::uri]"
&nbsp;    log local0. "Header value is [HTTP::header X-CSRF-VIOLATION]"
&nbsp;}&nbsp;
&nbsp;when HTTP_RESPONSE {
&nbsp;    log local0. "Header value is [HTTP::header X-CSRF-VIOLATION]"
&nbsp;}&nbsp;
&nbsp;and the syslogs are&nbsp;&nbsp;Jan 25 15:27:07 local/tmm info tmm[4918]: Rule ir_test_CSRF &lt; ASM_REQUEST_VIOLATION &gt;: ASM_REQUEST_VIOLATION on /portal/contactblock.asp?module=pcbbinfo
&nbsp;Jan 25 15:27:07 local/tmm info tmm[4918]: Rule ir_test_CSRF &lt; ASM_REQUEST_VIOLATION &gt;: Header value is Smurf
&nbsp;Jan 25 15:27:07 local/tmm info tmm[4918]: Rule ir_test_CSRF &lt; HTTP_RESPONSE &gt;: Header value is&nbsp;&nbsp;It appears that the new header is not inserted (and it is not seen in the browser either).&nbsp;
&nbsp;So it looks like the "HTTP::header insert" in ASM_REQUEST_VIOLATION does not "stick"?&nbsp;
&nbsp;Arthur&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

hooleylist · Answer

Hi Arthur, 
  
 ASM_REQUEST_VIOLATION is triggered when ASM validates the request.  If you insert a header in that event it will be done in the request proxied to the server.  The server wouldn't include the header in its response so you wouldn't see the header in HTTP_RESPONSE. 
  
 If you want the header inserted in the response so the client sees it, can you try this?  If you want to save the output from a command in ASM_REQUEST_VIOLATION, you could do that too and reference it in HTTP_RESPONSE.

when HTTP_REQUEST {
set insert_header 0
}
when ASM_REQUEST_VIOLATION {
set insert_header 1
}
when HTTP_RESPONSE {
if {$insert_header}{
HTTP::header insert "X-CSRF-VIOLATION" "Smurf"
log local0. "ASM_REQUEST_VIOLATION on [HTTP::uri]"
log local0. "Header value is [HTTP::header X-CSRF-VIOLATION]"
}
}

Or if the check / full policy is in blocking mode, you'd use ASM_REQUEST_BLOCKING: 
 http://devcentral.f5.com/wiki/iRules.asm.ashx 
  
 Aaron

arthur_7109 · Answer

Thanks Aaron, of course :-) that make sense. 
&nbsp;  
&nbsp; It's working OK now (I had to move log local0. "ASM_REQUEST_VIOLATION on [HTTP::uri]" as HTTP::uri is not available in HTTP_RESPONSE). 
&nbsp;  
&nbsp; Arthur

hooleylist · Answer

Yeah, [HTTP::uri] isn't saved automatically after the request is sent to the pool.  If you did want to log the value in HTTP_RESPONSE, you could save the value to a variable in HTTP_REQUEST. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

HTTP::header insert does not work in ASM_REQUEST_VIOLATION?

3 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

HTTP Header insert

APM AdAuth HTTP Header Insert iRule Switch Statement

Re: F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP header

Log Http Headers

Inserting a http header on the response to the client