Forum Discussion

khurram_CISSP_C
Dec 07, 2017

HTTP::Respond not working with reject

Guys, I have exhausted all options and done all the hit and trial but could not make it work, so I'm coming to you. I have an iRule that triggers when an HTTP request comes in the form of an XML packet. I am using a data group for the accept/reject decision. The issue is:

1. If I use "reject" in HTTP_RESPONSE with an F5 HTTP response HTML splash page, it sends the message to the browser saying "the transaction has been denied" to the end user, but as the "reject" is used in the HTTP_RESPONSE event, the transaction still goes through via "HTTP_REQUEST_DATA", so clearly not what I want to achieve.
2. If I use "reject" in HTTP_REQUEST_DATA, the transaction is denied as expected but the splash page didn't work. I have tried to use "drop", "discard", "HTTP_CLOSE" but nothing works.

Hoping for some expert advice here... iRule below.


3 Replies

  • The specific iRule parts are below:

    when RULE_INIT {
        # Log debug to /var/log/ltm? 1=yes, 0=no
        set static::debug 0
    }

    when HTTP_REQUEST {
        # Collect up to the first 1MB of POST data
        # success is read in HTTP_RESPONSE; initialise it here so a non-POST
        # request (where HTTP_REQUEST_DATA never fires) does not hit an
        # unset variable
        set success 0
        log local0. "Checking post method [HTTP::method] uri: [HTTP::uri] http_version: [HTTP::version] IP: [IP::client_addr]"
        log local0. "Headers: [HTTP::request]"
        if {[HTTP::method] eq "POST"} {
            # Check if there is a content-length header and the value is set to less than 1Mb
            if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 10048576} {
                set clength [HTTP::header "Content-Length"]
            } else {
                set clength 10048576
            }
            log local0. "Checking content length $clength IP: [IP::client_addr]"
            if { $clength > 0 } {
                if {$static::debug} { log local0. "[virtual name]: Collecting $clength bytes IP: [IP::client_addr]" }
                # collect the capped length worked out above, not the raw
                # header (which may be absent)
                HTTP::collect $clength
            }
        }
    }

    when HTTP_REQUEST_DATA {
        # incoming data
        log local0. "[HTTP::payload]"
        set vendoridincoming [findstr [HTTP::payload] "BuyerCookie" 12 100]
        log local0. "Vendorid from live incoming request is $vendoridincoming"

        # Save a class name to search through
        set class_name Vendorlist
        log local0. "$class_name"
        set success 0

        # Save a search ID for the datagroup
        set id [class startsearch $class_name]
        log local0. "$id"
        set vendorlistsize 0
        log local0. "$vendorlistsize"

        # Loop through the class row by row
        while {[class anymore $class_name $id]} {
            # call nextelement once per iteration; calling it again inside the
            # log line advances the cursor and skips every other row
            set element [class nextelement $class_name $id]
            log local0. "element: $element"
            set vendorid [class element -name $vendorlistsize $class_name]
            set vendorsharedsecret [class element -value $vendorlistsize $class_name]
            log local0. "vendorid at position $vendorlistsize is $vendorid"
            log local0. "vendorsharedsecret at position $vendorlistsize is $vendorsharedsecret"
            if {$vendoridincoming contains $vendorid} {
                log local0. "Incoming Vendor id matched with $vendorid"
                if {[HTTP::payload] contains $vendorsharedsecret} {
                    log local0. "Incoming Vendor Shared Secret matched with $vendorsharedsecret"
                    set success 1
                    break
                }
            }
            incr vendorlistsize
            unset vendorid
            unset vendorsharedsecret
        }

        # Clean up the search
        class donesearch $class_name $id
        if {$success == 1} {
            reject
            HTTP::respond 200 content {
    Access Denied
    You have attempted an unauthorised access to this site

    Your attempt has been logged and may be prosecuted.
            }
        }
    }

    when HTTP_RESPONSE {
        log local0. "In http response"
        log local0. "success at start of http response is $success"
        if {$success == 1} {
            log local0. "Vendor matched"
            log local0. "success at if success is $success"
        } else {
            log local0. "Vendor Shared Secret not matched"
            log local0. "success at else failure response is $success"
            HTTP::respond 200 content {
    Access Denied
    You have attempted an unauthorised access to this site

    Your attempt has been logged and may be prosecuted.
            }
            reject
        }
    }
  • As you can see above, I have used reject in both "HTTP_REQUEST_DATA" and "HTTP_RESPONSE". What this does right now is:

    1. Reject the transaction as expected (from the reject in HTTP_REQUEST_DATA)
    2. Will not display the splash page from HTTP_REQUEST_DATA
    3. Will terminate the iRule and not even go into the HTTP_RESPONSE event, so the splash page is never sent back

    So the logical outcome works, but the cosmetics around sending a splash page for user experience didn't.
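The behaviour described in the thread follows from what the two commands do: HTTP::respond answers the client directly and the request is never forwarded to the pool, while reject resets the TCP connection, so a reject issued right after HTTP::respond tears the connection down before the splash page reaches the browser. Doing the denial in HTTP_RESPONSE is too late because the request has already been served. The rule below is an added example, not the poster's rule or F5's code: it denies from HTTP_REQUEST_DATA with HTTP::respond alone. It assumes the data group Vendorlist is an allow list of vendor id to shared secret (the posted rule's own HTTP_RESPONSE branch treats it that way, although its HTTP_REQUEST_DATA test is inverted), keeps the findstr offsets from the post, and uses a 403 status and an HTML body that are this example's choices rather than the post's.

```tcl
# Added example (not the poster's or F5's own code): deny from
# HTTP_REQUEST_DATA with HTTP::respond only. No reject/drop/discard follows
# the response, so the client actually receives the page.
# Assumptions: data group "Vendorlist" is an allow list (name = vendor id,
# value = shared secret); findstr offsets are the ones from the post.

when RULE_INIT {
    # Denial page built once. The HTML wrapper is an assumption; the post
    # only shows the text.
    set static::deny_page "<html><body><h1>Access Denied</h1><p>You have attempted an unauthorised access to this site.</p><p>Your attempt has been logged.</p></body></html>"
    # Cap on how much of a POST body is collected (1 MiB)
    set static::max_collect 1048576
}

when HTTP_REQUEST {
    # Only POSTs carry the XML body we inspect; everything else passes untouched.
    if { [HTTP::method] ne "POST" } { return }
    set clength 0
    if { [HTTP::header exists "Content-Length"] } {
        set clength [HTTP::header "Content-Length"]
    }
    # Missing, zero or oversized length: collect up to the cap
    if { $clength <= 0 || $clength > $static::max_collect } {
        set clength $static::max_collect
    }
    HTTP::collect $clength
}

when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    set vendorid_in [findstr $payload "BuyerCookie" 12 100]
    set allowed 0

    # class get returns the whole data group as a list of {name value}
    # pairs, which avoids the startsearch/nextelement cursor of the posted rule.
    foreach entry [class get Vendorlist] {
        set vendorid [lindex $entry 0]
        set secret   [lindex $entry 1]
        if { $vendorid_in contains $vendorid && $payload contains $secret } {
            set allowed 1
            break
        }
    }

    if { !$allowed } {
        log local0. "Denied vendor '$vendorid_in' from [IP::client_addr]"
        # HTTP::respond sends the splash page AND stops the request from
        # reaching the pool. "Connection: close" ends the session cleanly
        # instead of the RST that reject would send. Return so nothing
        # else in this event runs after the response.
        HTTP::respond 403 content $static::deny_page "Content-Type" "text/html" "Connection" "close"
        return
    }

    # Allowed: release the collected body so the request continues to the pool.
    HTTP::release
}
```

With this shape there is no HTTP_RESPONSE event for the denied transaction at all, because the pool member never sees the request; the accepted path leaves the response untouched. If a hard TCP reset is genuinely wanted in addition to the page, it cannot come from the same event that just issued HTTP::respond, which is exactly the conflict the thread ran into.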