Forum Discussion

gdoyle
Dec 09, 2018

Confusing TCL error in iRule.

I have included my iRule below for review if needed (I may have to include it in a separate post or two posts due to length). I would remove the comments, but I want to keep what is there exactly for review.

I don't see anything that looks off with the iRule, but it is immediately invoking this error when people are trying to go to mywebsite.com/my/portal:

Dec  9 17:27:33 BigIP-corp err tmm[11991]: 01220001:3: TCL error: /internal/myewebsite.com_with_MaintenancePage_443_irule  - extra switch pattern with no body     while executing "switch -glob [string tolower [HTTP::host]] {  "workhere.com"   {     log local0. "Matched workhere.com. Host:[HTTP::host] - URI: [HTTP::uri]..."

Thanks.

2 Replies

  • gdoyle
    when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
    "workhere.com"   {
        log local0. "Matched workhere.com. Host:[HTTP::host] - URI: [HTTP::uri]."
        HTTP::header insert HttpsIndicatorHeader True
        HTTP::respond 301 "Location" "http://workhere.com[HTTP::uri]"
        }  
    
        {
    "mywebsite*" {
    
          "/my/website"     -
          "/my/website/"    -
          "/"               - 
          { 
        log local0. "Redirecting based on /my/website. Host: [HTTP::host] - URI: [HTTP::uri]."
            HTTP::header insert HttpsIndicatorHeader True
            HTTP::respond 301 "Location" "https://www.mywebsite.com/my/website/mywebsite-com" 
            event disable
           }
    
          "/redirect.nsf*"  -
          "/icons*"         -
          "/internet*"      -
          "/admin*"         -
          "/login*"   - 
          "/intranet*"      -
          { 
         log local0. "Redirecting based on section 2. Host:[HTTP::host] - URI: [HTTP::uri]."
    
    
    # This section prints the active members in the Pool1 to the logs
    # if this section of the irule is invoked.
    
          set thispool "Pool1"
          foreach { pmem } [members -list $thispool] {
            log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
           }
     
    # This next section states that if there are more than 0 pool members are active in the Pool1 
    # then the user is redirected there, else they are presented a Maintenance Page.
    
    
              if { [active_members Pool1] > 0 } {
               log local0. "Sending to Pool1."
                  pool Pool1 
                  HTTP::header insert HttpsIndicatorHeader True
              } else {
               log local0. "Sending to MX Page for Pool1."
                  HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                  return
              }
          }
    
          "*/hrp/*"
          { 
            log local0. "Redirecting based on hrp. Host: [HTTP::host] - URI: [HTTP::uri]."
    
    # This section prints the active members in the Pool2 to the logs
    # if this section of the irule is invoked.
    
          set thispool "Pool2"
          foreach { pmem } [members -list $thispool] {
            log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
           }
     
    # This next section states that if there are more than 0 pool members are active in the Pool2 
    # then the user is redirected there, else they are presented a Maintenance Page.
    
    
              if { [active_members Pool2] > 0 } {
                log local0. "Sending to Pool2."
                  pool Pool2
                  HTTP::header insert HttpsIndicatorHeader True
              } else {
                log local0. "Sending to MX Page for the Pool2."
                  HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                  return
              }
           }
    
          "*/netss"
          { 
            log local0. "Redirecting based on /netss. Host: [HTTP::host] - URI: [HTTP::uri]."
    
    # This section prints the active members in the Pool3 to the logs
    # if this section of the irule is invoked.
    
          set thispool "Pool3"
          foreach { pmem } [members -list $thispool] {
            log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
           }
     
    # This next section states that if there are more than 0 pool members are active in the Pool3 
    # then the user is redirected there, else they are presented a Maintenance Page.
    
    
              if { [active_members Pool3] > 0 } {
                log local0. "Sending to Pool3."
                  pool Pool3
                  HTTP::header insert HttpsIndicatorHeader True
              } else {
                log local0. "Sending to MX Page for the Pool3."
                  HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                  return
              }
           }
    
          default { 
          log local0. "Redirecting based on default. Host: [HTTP::host] - URI: [HTTP::uri]."
    
    # This section prints the active members in the mywebsite.com_pool to the logs
    # if this section of the irule is invoked.
    
          set thispool "mywebsite.com_pool"
          foreach { pmem } [members -list $thispool] {
            log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
           }
     
    # This next section states that if there are more than 0 pool members are active in the mywebsite.com_pool 
    # then the user is redirected there, else they are presented a Maintenance Page.
    
              if { [active_members mywebsite.com_pool] > 0 } {
                log local0. "Sending to the mywebsite.com_pool."
                  pool mywebsite.com_pool 
                  HTTP::header insert HttpsIndicatorHeader True              
              } else {
                log local0. "Sending to MX Page for the mywebsite.com_pool."
                  HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                  return
              }
    
        }
       }
      }
     }
    }
    
  • Line 9: the opening curly bracket must be removed.

    Line 11: a switch command is missing:

    switch -glob [string tolower [HTTP::uri]] {

    Line 17: useless command (inserts an HTTP header in the request to the server), as the next command is a response to the client.

    Line 19: why do you want an attacker to be allowed to bypass this iRule or any other iRule attached to the virtual server for the next HTTP requests within the current TCP connection? If you want to exit the current iRule, use the “return” command.

    ...
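A condensed skeleton of the rule with the points from the reply above applied, as an added example that is not part of either post: the stray brace is gone, the URI patterns sit inside their own switch, the header insert before `HTTP::respond` is dropped, and `return` replaces `event disable`. Two things here go beyond the reply and are this example's own choices: `--` after the switch options, and the last pattern of each fall-through group taking the body directly instead of a trailing `-`. Only three URI groups are shown; pool and iFile names are the ones from the posted rule.

```tcl
when HTTP_REQUEST {
    # Outer switch: the braces hold pattern/body PAIRS. An odd number of
    # elements here is what produces "extra switch pattern with no body".
    # "--" ends option parsing, so a client-supplied Host beginning with "-"
    # is always treated as the string to match (added hardening, an assumption
    # of this example rather than something the thread asks for).
    switch -glob -- [string tolower [HTTP::host]] {
        "workhere.com" {
            log local0. "Matched workhere.com. Host:[HTTP::host] - URI: [HTTP::uri]."
            HTTP::respond 301 "Location" "http://workhere.com[HTTP::uri]"
        }
        "mywebsite*" {
            # Inner switch on the URI: the command missing at line 11.
            switch -glob -- [string tolower [HTTP::uri]] {
                "/my/website"  -
                "/my/website/" -
                "/" {
                    # "-" means "use the next pattern's body", so the final
                    # pattern of the group carries the body itself.
                    HTTP::respond 301 "Location" "https://www.mywebsite.com/my/website/mywebsite-com"
                    # Leave this event only; later requests on the same TCP
                    # connection are still evaluated by the iRule.
                    return
                }
                "/redirect.nsf*" -
                "/login*"        -
                "/intranet*" {
                    if { [active_members Pool1] > 0 } {
                        pool Pool1
                        # The request is forwarded here, so the header is useful.
                        HTTP::header insert HttpsIndicatorHeader True
                    } else {
                        HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                        return
                    }
                }
                default {
                    if { [active_members mywebsite.com_pool] > 0 } {
                        pool mywebsite.com_pool
                        HTTP::header insert HttpsIndicatorHeader True
                    } else {
                        HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                        return
                    }
                }
            }
        }
    }
}
```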