Forum Discussion

mark_beynon_593
Apr 16, 2008

More efficient stream iRule

I am very new to iRules, so be patient, but I have an interesting problem to overcome.

Note all access is via HTTPS.

Requirement: remove external access to the robots.txt file and an admin page that cannot be restricted on the server itself.

Our original solution:

Use an iRule with an HTTP profile to redirect the request to an error page when "robots.txt" or "admin" is found in the URI.

This worked fine, apart from the fact that it broke some of the extended capability of the website: the website also offers tunneled TS and Citrix through a client-side applet.

With the HTTP profile applied, the tunneled TS/Citrix are not understood and no longer work.

Revised solution:

Use a Stream to replace "robots.txt" and "admin" in the content with "error". The replacement term "error" would cause an unknown URL, and the server would redirect to the front page.

This works fine.

But I am sure there will be some clever ways of doing this with an iRule, such as only checking requests?

Any suggestions for how to do this?

Thanks

5 Replies

  • Close, but fundamentally different. That post dynamically creates a robot.txt file. I am trying to disable the robots.txt file and block a URL. Also, the use of the HTTP profile would break my apps, hence the posts cannot be considered together.

    Thanks for your suggestion though!
  • Hi.

    You are right. HTTP Profile would break Citrix.

    Who is terminating the SSL connection? Are you using SSL Offload?

    I guess you could create an iRule to search for robots.txt inside the payload. If robots.txt is inside the payload you can drop the request.

    This solution will not require HTTP Profile but be careful about CPU overhead.

    I didn't test this iRule.

    
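    when CLIENT_ACCEPTED {
      # Start buffering client data so that CLIENT_DATA fires
      TCP::collect
    }
    when CLIENT_DATA {
      if { [TCP::payload] contains "robots.txt" } {
        # Close TCP Conn
        TCP::close
        return
      }
      # Forward the inspected data and keep collecting
      TCP::release
      TCP::collect
    }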

    Good luck!
  • Thanks for your suggestion Esaito, I will have a play with this.

    It is an SSL VPN appliance/reverse proxy cluster behind the F5s. The F5s terminate the SSL connection from the clients and present the clients a certificate. They then act as an SSL client to the appliances for load balancing, hence the virtual server has both SSL server and client profiles.

    Thanks again!
  • bl0ndie_127134
    Historic F5 Account
    If you can detect the tunneled connections (via uri or port etc.), you can disable the HTTP profile dynamically using the HTTP::disable command.
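
The suggestion in the last reply, combined with the URI check from the original post, sketched as an added example that is not part of the thread and was not posted by any participant. It assumes the HTTP profile stays on the virtual server and that the tunneled TS/Citrix traffic can be recognised by a URI prefix; `/tunnel/` is a hypothetical placeholder, not a value from the thread.

```tcl
# Added example, not from the thread.
# "/tunnel/" is a hypothetical prefix: replace it with whatever actually
# identifies the TS/Citrix applet connections on your appliance.
when HTTP_REQUEST {
    # Compare in lower case so "/Admin" and "/ROBOTS.TXT" are also caught
    set uri [string tolower [HTTP::uri]]

    # Tunneled connections: turn off HTTP processing for the rest of this
    # connection so the non-HTTP stream passes through untouched
    if { $uri starts_with "/tunnel/" } {
        HTTP::disable
        return
    }

    # Block the two resources named in the original requirement
    if { ($uri contains "robots.txt") or ($uri contains "admin") } {
        HTTP::respond 404 content "Not Found"
        return
    }
}
```

The substring match on "admin" follows the original post and will also block any unrelated URI that happens to contain that word; matching the exact path of the admin page is tighter if it is known.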