Forum Discussion

Lopf
Apr 23, 2019

iRule disable ASM and close TCP connection

I'm referring to example 1 on https://devcentral.f5.com/wiki/irules.asm__disable.ashx

This lets me disable ASM when a certain condition matches, e.g. an HTTP::path. But the documentation also states that ASM is then disabled for the "duration of the TCP connection or until ASM::enable is called." The problem with the latter is that it doesn't allow me to use this in a generic iRule which is reusable among virtual servers with different policies.

Closing the TCP connection does not work as expected (hence it's currently commented out).

The iRule looks like the following and sends Let's Encrypt ACME challenge requests to a certain pool:

when HTTP_REQUEST {
    if { [HTTP::path] contains "/.well-known/acme-challenge/" } {
        # Bypass ASM for the ACME challenge request and send it to the challenge pool
        ASM::disable
        pool acme_pool
        # Closing the connection did not work as expected, so it is commented out
        # TCP::close
        # Stop processing further iRule events on this connection
        event disable all
    }
}

This iRule lets an attacker bypass ASM if he starts the first request to the known path. How can I make sure ASM is only disabled for the challenge requests but enabled for everything else without knowing the policy name?

2 Replies

  • Hi,

    I strongly advise you to use the LTM policy function to disable ASM for a specific path. It's easier to use, more optimized and more secure. Let me explain.

    Every request is evaluated, unlike an iRule that manages access by connection (each request is like a new connection):

    For more info:

    https://devcentral.f5.com/questions/advantages-of-local-traffic-policies-vs-irules

    So you can achieve your need using LTM policies: Local Traffic ›› Policies : Policy List

    Let me know if you need more details.

    Regards,


  • Hi Lopf,

    But the documentation also states, that ASM is then disabled for the "duration of the TCP connection or until ASM::enable is called."

    You can pretty much ignore the (slightly outdated) documentation. The mentioned statement was true at the time HTTP-Class was used to assign ASM Policies.

    Since v11.4 LTM Policies are used to enable and assign a given ASM Policy. The LTM Policies are operating on a per-request level and therefore revert your ASM::disable command and reselect the default ASM Policy on the very next request of the same underlying TCP connection.

    when HTTP_REQUEST {
        if { [HTTP::path] contains "/.well-known/acme-challenge/" } {
            # Bypass ASM for this request only; the LTM Policy re-selects
            # the ASM Policy on the next request of the same connection
            ASM::disable
        } else {
            # You don't have to care about re-enabling ASM. Your LTM Policy already did that...
        }
    }

    Cheers, Kai
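Reading the two replies together, the per-request LTM policy they both point at can look like the following. This is an added example written for this thread, not code from the posters or from F5's documentation. The policy name acme_bypass, the rule names, and the pool name acme_pool are assumptions, and /Common/ASM_POLICY_PLACEHOLDER is a placeholder to replace with the ASM policy that protects the virtual server; the tmsh rendering is what such a policy is expected to look like, so check it against the syntax of your BIG-IP version before loading it.

```tmsh
# Added example (not from the thread): an LTM policy evaluated for every HTTP
# request, so the ASM bypass applies only to the ACME challenge request and
# cannot carry over to later requests on the same TCP connection, which is the
# bypass the iRule-only approach is exposed to.
# Names (acme_bypass, acme_pool) and the ASM policy name are assumptions.
ltm policy /Common/acme_bypass {
    controls { asm forwarding }
    requires { http }
    rules {
        acme_challenge {
            actions {
                0 {
                    asm
                    disable
                }
                1 {
                    forward
                    select
                    pool /Common/acme_pool
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { "/.well-known/acme-challenge/" }
                }
            }
            ordinal 1
        }
        everything_else {
            # No conditions: matches every request the rule above did not,
            # and re-selects the protecting ASM policy for each of them.
            actions {
                0 {
                    asm
                    enable
                    policy /Common/ASM_POLICY_PLACEHOLDER
                }
            }
            ordinal 2
        }
    }
    strategy /Common/first-match
}
```

Two points of the design are worth noting. With the first-match strategy the acme_challenge rule wins for challenge requests and every other request falls through to the rule that enables ASM again, and because the policy runs per request rather than per connection, a client that opens a connection with a challenge request gets no ASM-free ride for the requests that follow. The condition also uses starts-with on the path instead of the contains used in the question's iRule, so only requests whose path actually begins with the challenge prefix are exempted rather than any path that happens to include the string somewhere. Attach the policy to the virtual server in its policies list (or through Local Traffic ›› Policies in the GUI) and keep the iRule limited to the ASM::disable shown in Kai's reply, or drop it entirely once the policy is in place.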