Forum Discussion

Arthur_7109
Feb 10, 2014

V11.4 replacement for HTTP::class select ?

Hi,

We have a 10.2 LTM + ASM, and need to block some requests based on the URI, with an iRule like

when HTTP_REQUEST {
   # everything under /xxx is suspect ...
   if { [HTTP::uri] starts_with "/xxx" } {
      # ... except /xxx123, which stays allowed
      if { !([HTTP::uri] starts_with "/xxx123") } {
         log local0. "Suspect URI [HTTP::uri]"
         # hand the request to the HTTP Class whose ASM policy blocks everything
         HTTP::class select "cl_GENERIC_block_all"
      }
   }
}

So "/xxx123" is allowed, while all other "/xxx*" are blocked.

The ASM security policy for cl_GENERIC_block_all blocks all requests.

We do it this way in order to use an existing ASM remote logging profile that logs all requests, now including the above blocked ones.

This works OK, but with HTTP::class being replaced by POLICY::??? in version 11.4, the rule will no longer work.

Is there an equivalent of "HTTP::class select" in v11.4?

There is no POLICY::select (yet?).

3 Replies

  • It seems CPM also has an ASM policy in its actions.

    e.g.

    root@(ve11-8)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm policy cpm1 rules add { asmrule1 { actions add { 0 { asm enable policy ?
    This action will use this policy.
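    As an added example (not from this thread), the same URI rule from the question expressed as an 11.4 Local Traffic Policy with the ASM action shown above. Only "asm enable policy" comes from the reply; the policy name, virtual server name, ASM policy name and the remaining tmsh keywords (requires, controls, strategy, ordinal, http-uri, starts-with, not, values) are assumed from standard tmsh policy syntax and should be checked against your version.

```tmsh
# Added example, not the poster's config. Both conditions in the rule must
# match, which mirrors the nested ifs in the iRule: URI starts with /xxx
# but not with /xxx123. Names in angle brackets are placeholders.
create ltm policy /Common/pol_block_xxx {
    requires { http }
    controls { asm }
    strategy first-match
    rules {
        block_other_xxx {
            ordinal 1
            conditions {
                0 { http-uri starts-with values { /xxx } }
                1 { http-uri not starts-with values { /xxx123 } }
            }
            actions {
                0 { asm enable policy /Common/<asm_policy_for_cl_GENERIC_block_all> }
            }
        }
    }
}
# Attach the policy to the virtual server that previously used the HTTP Class.
modify ltm virtual /Common/<vs_name> policies add { /Common/pol_block_xxx }
```

    Requests that match the rule are handed to the blocking ASM policy, so they still appear in the existing ASM remote logging profile; all other URIs fall through with no action.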
    
  • Have you looked at Local Traffic policy to determine if you can just use that and get rid of this iRule completely? You have the ability in LT policy to pull traffic one way or the other with it and it is a lot more flexible than HTTP Classes were.

    Here is an iRule that I had that contains some HTTP Class events and actions that I moved over to 11.4.1.

    # Original iRule (pre-11.4) using HTTP Class events
    when CLIENT_ACCEPTED {
        set retries 0
    }

    when HTTP_CLASS_SELECTED {
        # pick the backup pool based on which HTTP Class matched
        if { [HTTP::class] eq "/Common/hqdesktop-securera-8000_class" } {
            set backup_pool PHX-hqdesktop-8000.edwardjones.com_pool
        }
        if { [HTTP::class] eq "/Common/desktop-securera-8000_class" } {
            set backup_pool PHX-desktop-8000.edwardjones.com_pool
        }
    }

    when LB_FAILED {
        if { $retries < [active_members $backup_pool] } {
            LB::mode rr
            LB::reselect pool $backup_pool
            incr retries
        }
    }

    # Same logic on 11.4.1, using the Local Traffic Policy commands instead
    when CLIENT_ACCEPTED {
        set retries 0
    }

    when HTTP_REQUEST {
        # name of the policy that matched this request
        set policy [POLICY::names matched]
        # pick the backup pool based on which policy rule matched
        if { [POLICY::rules matched $policy] eq "hqdesktop-securera-8000_class_policy_rule" } {
            set backup_pool PHX-hqdesktop-8000.edwardjones.com_pool
        }
        if { [POLICY::rules matched $policy] eq "desktop-securera-8000_class_policy_rule" } {
            set backup_pool PHX-desktop-8000.edwardjones.com_pool
        }
    }

    when LB_FAILED {
        if { $retries < [active_members $backup_pool] } {
            LB::reselect pool $backup_pool
            incr retries
        }
    }
    

    If you find you need to keep the iRule, then hopefully this helps spur some thoughts on how to rework your iRule.