Forum Discussion

sharpie_79656
Mar 26, 2015

HTTP Policy

Hello,

I am attempting to write an HTTP Policy that validates several aspects (HOST HEADER & URI) of a request before forwarding on to the default pool. When I had single values the policy was working great, now that I've added multiple values I no longer get the desired outcome. When I apply the URI check it begins to RESET all traffic. The check of /status and the HOST HEADER work without issue.

Thanks!

ltm policy /QA/API_SERVICES {
    controls { forwarding }
    requires { http }
    rules {
        ALLOWED_SERVICES {
            actions {
                0 {
                    log
                    write
                    message "DENIED ACCESS TO WEB SERVICE"
                }
                1 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    not
                    contains
                    values { /favorites/ /users/ } //ONLY PERMIT IF URI CONTAINS ONE OF THESE VALUES
                }
            }
            ordinal 3
        }
        DROP_STATUS_PAGES {
            actions {
                0 {
                    log
                    write
                    message "DENIED ACCESS TO STATUS PAGE"
                }
                1 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    ends-with
                    values { /status } //BLOCK ACCESS TO STATUS PAGES
                }
            }
            ordinal 2
        }
        HOST_HEADER {
            actions {
                0 {
                    log
                    write
                    message "INCORRECT HOST HEADER"
                }
                1 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    not
                    values { service1.domain1.ca service2.domain1.ca } //DOES THE HOST HEADER CONTAIN EITHER OF THESE VALUES 
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
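Added example (not part of the post and not F5 code): a small Python model of the three posted rules under the first-match strategy, so that concrete requests can be checked the way the reply asks for. The only uncertain point in the posted policy is how a condition that carries both `not` and several values is expanded, so the model evaluates each request under two readings: reading A, "NOT (value1 OR value2)", which is what the inline comments intend, and reading B, "(NOT value1) OR (NOT value2)", a hypothetical per-value negation that is true for almost every request. It also evaluates the same intent rewritten without any multi-value negation (an explicit forward rule plus a catch-all reset). The `Request` type, the `posted_policy`/`allowlist_policy` functions and the sample requests are all constructed for this example.

```python
"""Model of the posted three-rule first-match policy. Added example, not F5 code."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Values copied from the posted policy.
ALLOWED_HOSTS = ["service1.domain1.ca", "service2.domain1.ca"]
ALLOWED_PATHS = ["/favorites/", "/users/"]


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for the parts of a request the policy inspects."""
    host: str
    path: str


Matcher = Callable[[str], bool]


def not_any(matches: Matcher, values: List[str]) -> bool:
    """Reading A (the intent): NOT (v1 OR v2 ...). True only if no value matches."""
    return not any(matches(v) for v in values)


def any_not(matches: Matcher, values: List[str]) -> bool:
    """Reading B (hypothetical per-value negation): (NOT v1) OR (NOT v2) ...
    True whenever at least one value fails to match; with two distinct values
    that is every request, which would reset all traffic."""
    return any(not matches(v) for v in values)


def posted_policy(req: Request, negate: Callable[[Matcher, List[str]], bool]) -> Tuple[str, str]:
    """Posted rules in ordinal order, first match wins.
    'negate' selects how a 'not' condition with several values is read."""
    # ordinal 1: HOST_HEADER  (http-host host not values {...})
    if negate(lambda h: req.host == h, ALLOWED_HOSTS):
        return ("HOST_HEADER", "reset")
    # ordinal 2: DROP_STATUS_PAGES  (http-uri path ends-with /status)
    if req.path.endswith("/status"):
        return ("DROP_STATUS_PAGES", "reset")
    # ordinal 3: ALLOWED_SERVICES  (http-uri path not contains values {...})
    if negate(lambda s: s in req.path, ALLOWED_PATHS):
        return ("ALLOWED_SERVICES", "reset")
    return ("default", "forward")


def allowlist_policy(req: Request) -> Tuple[str, str]:
    """Same intent with no multi-value negation: block /status, forward only
    requests that positively match host and path, reset everything else."""
    if req.path.endswith("/status"):
        return ("DROP_STATUS_PAGES", "reset")
    if req.host in ALLOWED_HOSTS and any(s in req.path for s in ALLOWED_PATHS):
        return ("ALLOWED_SERVICES", "forward")
    return ("CATCH_ALL", "reset")


# Constructed sample requests; none of these are from the post.
SAMPLE_REQUESTS = [
    Request("service1.domain1.ca", "/users/42"),       # should be forwarded
    Request("service1.domain1.ca", "/users/status"),   # status page, should reset
    Request("evil.example", "/users/1"),               # wrong host, should reset
    Request("service2.domain1.ca", "/admin/"),         # path not allowed, should reset
    Request("service2.domain1.ca", "/favorites"),      # no trailing slash: 'contains /favorites/' fails
]


def compare(requests: List[Request]):
    """Per request: outcome under reading A, reading B, and the allow-list rewrite."""
    return [(r, posted_policy(r, not_any), posted_policy(r, any_not), allowlist_policy(r))
            for r in requests]


if __name__ == "__main__":
    for r, a, b, c in compare(SAMPLE_REQUESTS):
        print(f"{r.host:22} {r.path:16} A={a} B={b} allowlist={c}")
```

Two things the run makes visible. Under reading B the `HOST_HEADER` rule resets every request as well, and the post says that rule works, so that reading by itself does not explain the symptom; the more useful check is to feed the actual failing requests through reading A. The last sample shows a plain substring gotcha that does reset real traffic under reading A: `/favorites` without a trailing slash does not contain `/favorites/`. The allow-list rewrite gives the same answers under either reading because it never negates a multi-value condition.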

1 Reply

  • So it is the first rule (ALLOWED_SERVICES) that fails? Can you give examples which fail? Because I see an odd "not" there. Also the reset makes sense as it is also there.