iRule disable ASM and close TCP connection
I'm referring to example 1 on https://devcentral.f5.com/wiki/irules.asm__disable.ashx
This lets me disable ASM when a certain condition is met, e.g. an HTTP::path match. But the documentation also states that ASM is then disabled for the "duration of the TCP connection or until ASM::enable is called." The problem with the latter is that it doesn't allow me to use this in a generic iRule which is reusable among virtual servers with different policies.
Closing the TCP connection does not work as expected (hence it's currently commented out).
The iRule looks as follows and sends Let's Encrypt ACME challenge requests to a certain pool:
when HTTP_REQUEST {
    # Only ACME HTTP-01 challenge requests should bypass ASM
    if { [HTTP::path] contains "/.well-known/acme-challenge/" } {
        # Disables ASM for the rest of this TCP connection (or until ASM::enable)
        ASM::disable
        # Route the challenge to the dedicated ACME responder pool
        pool acme_pool
        # Attempt to tear down the connection after this request
        TCP::close
        # Stop further iRule events from firing for this connection
        event disable all
    }
}
This iRule lets an attacker bypass ASM if he starts with a first request to the known path. How can I make sure ASM is only disabled for the challenge requests but enabled for everything else without knowing the policy name?