Forum Discussion

Jay_Henriques_1's avatar
Jay_Henriques_1
Icon for Nimbostratus rankNimbostratus
Feb 11, 2010

Multiple redirect/respond invocations not allowed

I've been seeing these errors in our ltm log:

 

Rule LockdownExternalAccessToDIsney HTTP_REQUEST: blocked request for /en/tools/players/edit_player.php?player_id=78745123 by 112.205.165.29

 

Thu Feb 11 04:15:28 PST 2010 tmm tmm[1904] 01220001 TCL error: irule-DOSC_HTTP_REDIRECT_HTTPS HTTP_REQUEST - Operation not supported. Multiple redirect/respond invocations not allowed line 562 invoked from within HTTP::respond 301 Location https://[HTTP::host][HTTP::uri]

 

 

 

These 2 rules are applied to the same Virtual Server:

 

rule LockdownExternalAccessToDIsney {

 

when HTTP_REQUEST {

 

if { (not [ matchclass [ IP::client_addr] equals ::Disney_Public_Source_Addresses] ) } {

 

log "blocked request for [HTTP::uri] by [IP::client_addr]"

 

HTTP::respond 403

 

return

 

}

 

}

 

}

 

 

rule irule-DOSC_HTTP_REDIRECT_HTTPS {

 

when HTTP_REQUEST {

 

 

HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"

 

 

}

 

}

 

 

My question is what is the preferred method for exiting out of an iRule and stop evaluating the rest of the iRules applied to the virtual server? I've seen reference to "return 0" in a different post but haven't been able to find anything definitive.

 

 

Thanks,

 

Jay
application delivery
dev
devops
iRules

4 Replies

Sort By
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Feb 11, 2010
    Hi Jay,

     

    I have never tried this but take a look at the wiki command to disable events

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/event.html

     

     

    Here is a more detailed article surrounding this

     

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=236

     

     

    I hope this helps

     

    Bhattman

     

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Feb 12, 2010
    The downside to disabling the HTTP_REQUEST event is that the iRule event would no longer trigger for the duration of the TCP connection. As both rules are related, it would be better to combine them.

    Do you want to block all requests from clients not in the datagroup and redirect all others to https? If so, here is an example: 

       
   when HTTP_REQUEST {   
      
      if { not [ matchclass [ IP::client_addr] equals Disney_Public_Source_Addresses ) } {   
         log local0. "blocked request for [HTTP::uri] by [IP::client_addr]"   
         HTTP::respond 403   
      } else {   
         HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"   
      }   
   }

    If you want to keep the two rules separate, you could use a local variable to track whether a prior iRule has already issued a redirect: 

     
  rule 1 
 when HTTP_REQUEST { 
     Check if a redirect has not already been issued 
    if {not ([info exists redirected] and $redirected==1)}{ 
  
        Check if we want to send a redirect 
       if { $some_logic==1}{ 
  
           Send a redirect 
          HTTP::redirect "https://[HTTP::host][HTTP::uri]" 
  
           Track that a redirect has been sent 
          set redirected 1 
       } 
    } 
 } 
 

     
  rule 2 
 when HTTP_REQUEST { 
  
     Check if a redirect has not already been issued 
    if {not ([info exists redirected] and $redirected==1)}{ 
  
       if { $some_other_logic==1}{ 
  
           Send a redirect 
          HTTP::respond 403 
  
           Track that a redirect has been sent 
          set redirected 1 
       } 
    } 
 }

    Aaron
  • Albert_Aguinaga's avatar
    Albert_Aguinaga
    Icon for Nimbostratus rankNimbostratus
    Sep 20, 2012

    Hi - I keep getting the following error message on my iRule:

     

    Sep 9 07:09:42 local/tmm err tmm[5253]: 01220001:3: TCL error: ir_final_maintpage - Operation not supported. Multiple redirect/respond invocations not allowed (line 12) invoked from within "HTTP::respond 503 content "Hanley Wood, LLC - Maintenance Page

     

    I've been told to add the TCP::close option. I believe this may fix my issue with the iRule but here is my question (2 really):

     

    1. If I add the TCP::close option, will it essentially terminate ALL iRule calls after it executes this? Meaning, does this TCP::close option only deal with this particular iRule? I have several virtual servers that have multiple iRules and I'm concerned that adding this TCP::close option will make all other iRules not work.

     

    2. Where should I add TCP::close? At the very end?

     

    Thanks so much in advance.

     

    -Albert.