amolari
Jan 29, 2015

asm 11.5.1 iRule - customized response page per webapp

I have the following iRule:

when RULE_INIT {
  set asm_redirect 0
}


when ASM_REQUEST_DONE { 
  set asm_redirect 0
  if { [HTTP::uri] starts_with "/abcweb" } { 
    if { not ([ASM::status] equals "clear") } { 
        log local0. "abcweb - URI - [HTTP::uri]" 
        log local0. "abcweb - ASM_STATUS: [ASM::status]" 
        if { [virtual] ends_with "_https" } { 
          set protocol "https" 
        } else { 
          set protocol "http" 
        } 
        log local0. "abcweb - virtual = [virtual]" 
        log local0. "abcweb - policy active - [POLICY::names active]" 
        set asm_redirect 1
        set asm_support_id [ASM::support_id] 
        set host [HTTP::host] 
        set path [URI::path [HTTP::uri] 1 1] 
    } 
  } 
} 

when HTTP_RESPONSE_RELEASE { 
    if { $asm_redirect equals 1 } { 
        HTTP::respond 302 Location "${protocol}://${host}${path}error?supportid=$asm_support_id" 
        log local0. "abcweb - redirection - ${protocol}://${host}${path}error?supportid=$asm_support_id" 
        set asm_redirect 0 
    } 
}

Producing (troubleshooting) logs with expected results:

tmm[15434]: Rule /Common/irule_i_abc_basic : abcweb - URI - /abcweb/api/search
tmm[15434]: Rule /Common/irule_i_abc_basic : abcweb - ASM_STATUS: alarmed
tmm[15434]: Rule /Common/irule_i_abc_basic : abcweb - virtual = /Common/virtual_abc-dev.company.com_http
tmm[15434]: Rule /Common/irule_i_abc_basic : abcweb - policy active - /Common/asm_i_abc
tmm[15434]: Rule /Common/irule_i_abc_basic : abcweb - redirection - http://abc-dev.company.com/abcweb/error?supportid=3147450500928828533

But the client doesn't receive the 302. What is wrong in the iRule logic here?

Thanks

Alex

4 Replies

  • nathe

    Alex,

    The HTTP::respond command isn't allowed in the HTTP_RESPONSE_RELEASE event. See HTTP-RESPONSE-RELEASE

    Most HTTP commands should work in this event. The following commands are disallowed for HTTP_RESPONSE_RELEASE:
    
    HTTP::collect
    HTTP::fallback
    HTTP::path
    HTTP::payload
    HTTP::redirect
    HTTP::release
    HTTP::respond
    HTTP::retry
    HTTP::uri
    

    Can you use HTTP_RESPONSE instead?

    N
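
An added example, not part of nathe's reply and not F5 tooling: a small Python check that flags the commands listed above when they appear inside a "when HTTP_RESPONSE_RELEASE" block, so the mistake is caught before the iRule is deployed. The sample iRule is constructed from the one in the question, and brace matching is simplified (backslash-escaped braces are not handled).

```python
import re

# Commands the reply above lists as disallowed in HTTP_RESPONSE_RELEASE.
# The list is taken from this page as-is.
DISALLOWED = {"HTTP::collect", "HTTP::fallback", "HTTP::path", "HTTP::payload",
              "HTTP::redirect", "HTTP::release", "HTTP::respond", "HTTP::retry",
              "HTTP::uri"}

def event_blocks(src):
    """Yield (event, line_no_of_opening_brace, body) per `when EVENT { ... }`."""
    for m in re.finditer(r"^\s*when\s+(\w+)[^{\n]*\{", src, re.M):
        depth, i = 1, m.end()
        while i < len(src) and depth:          # naive brace matching
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src.count("\n", 0, m.end()) + 1, src[m.end():i - 1]

def lint(src):
    """Return [(line_no, command)] for disallowed commands in HTTP_RESPONSE_RELEASE."""
    findings = []
    for name, start, body in event_blocks(src):
        if name != "HTTP_RESPONSE_RELEASE":
            continue
        for offset, line in enumerate(body.split("\n")):
            if line.strip().startswith("#"):   # skip Tcl comment lines
                continue
            for cmd in re.findall(r"HTTP::\w+", line):
                if cmd in DISALLOWED:
                    findings.append((start + offset, cmd))
    return findings

# Constructed sample: a shortened version of the iRule posted in the question.
SAMPLE = '''when ASM_REQUEST_DONE {
  if { [HTTP::uri] starts_with "/abcweb" } {
    set asm_redirect 1
  }
}

when HTTP_RESPONSE_RELEASE {
    if { $asm_redirect equals 1 } {
        HTTP::respond 302 Location "${protocol}://${host}${path}error?supportid=$asm_support_id"
        set asm_redirect 0
    }
}
'''

if __name__ == "__main__":
    print(lint(SAMPLE))
```

Only the HTTP::respond call is reported; the [HTTP::uri] use in ASM_REQUEST_DONE is outside the restricted event and is ignored.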

  • Hi Nathan

    Changed to HTTP_RESPONSE... unfortunately with the same result. Any idea?

    Thanks

    Alex

  • nathe

    Hi Alex, what do you see with a packet capture, or on the client using Fiddler/HttpWatch/HttpFox?

    Also, could you try HTTP::redirect instead of HTTP::respond? HTTP::redirect sends a 302 as well so you'd just need:

    HTTP::redirect "${protocol}://${host}${path}error?supportid=$asm_support_id"

    See if that helps,

    N

  • Hi Nathan

    With the HTTP::redirect it works, but not in all cases:

    • if the ASM blocking is triggered by the GET URL (which contains the data that triggers the alarm), it's working
    • if the ASM blocking is triggered by data in POST, the redirect doesn't work

    Alex