Forum Discussion
Mike_Graston_10
Nimbostratus
Mar 13, 2007
401 response with message and logging
I have a scenario where I am not sure how to do this. I would like to filter a URI that contains the string /abc. Any IP address that hits it I would like to log and send back a 401 Unauthorized page to the user and a message that their IP address has been logged as "client IP". Also I would need to know where the log messages go; as you might have figured, I haven't worked with logging at all. I don't want to log every IP, just the ones that hit this rule, and I don't know if I need to add an elseif statement to continue sending others who don't meet this criteria to the pool or web servers?
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/abc"} {
        HTTP::respond 401
    }
}
4 Replies
- JRahm
Admin
log local0. "Client IP is [IP::client_addr]"
This will go to /var/log/ltm
If the condition isn't met (ie, the default behavior) then traffic will follow your virtual / pool configuration.
HTH...Jason
- Mike_Graston_10
Nimbostratus
So let me get this right: the log will only populate if the condition is met as containing /abc.
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/abc"} {
        log local0. "Client IP is [IP::client_addr]"
        HTTP::respond 401
        TCP::close
    }
}
Can I add to the 401 page so that the client sees the message - Your IP address "[IP::client_addr]" has been logged?
Also if the condition is met I would like to terminate the session?
Also you said it would go to the virtual server then to be processed normally?
- JRahm
Admin
Yes, you can show the client that you are logging his IP in the response, check out this thread for specifics->
Connections not meeting the conditional (contains /abc) will be processed *normally*, so no logging will occur, and no 401 response initiated by BigIP will be sent.
- Mike_Graston_10
Nimbostratus
OK, not quite there yet,
1. no logging is happening to the /var/log/ltm file?
2. I need to attempt to login, I tried a couple different response codes? looks ugly!
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/abc"} {
        log local0. "Client IP is [IP::client_addr]"
        HTTP::respond 401 content "Apology PageThis
is an unauthorized destination from your current location.Your IP address has been logged>"
    }
}
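An added example, not posted by anyone in this thread: one way to combine the pieces discussed above (match on /abc, log only those clients, and show the client its own address in the response body). It assumes the rule is attached to a virtual server with an HTTP profile, and it uses 403 instead of 401 as an assumption, because 401 is defined as an authentication challenge that goes with a WWW-Authenticate header, while 403 means the request is refused outright; the HTML wording and log message format are constructed for illustration.

```tcl
# Added example (not from the thread). Status code, HTML text and log
# format are assumptions chosen for illustration.
when HTTP_REQUEST {
    # Same case-insensitive match the thread uses.
    if { [string tolower [HTTP::uri]] contains "/abc" } {
        # Capture the address once so the log line and the page agree.
        set client [IP::client_addr]

        # Only requests that reach this branch are logged.
        # Facility local0 is written to /var/log/ltm, as noted in the thread.
        # The URI is deliberately left out of the log line: it is
        # client-controlled text and should be sanitized before logging.
        log local0.warning "Blocked /abc request: client=$client virtual=[virtual name]"

        # Build the response body; $client is substituted by Tcl.
        set body "<html><head><title>Access denied</title></head><body>\
<p>This is an unauthorized destination from your current location.</p>\
<p>Your IP address $client has been logged.</p></body></html>"

        # 403 carries no authentication challenge. The Connection header
        # asks the client to close the connection after this response.
        HTTP::respond 403 content $body "Content-Type" "text/html" "Connection" "close"

        # Stop processing this event in this rule; the request is never
        # sent to the pool.
        return
    }
    # No else branch: requests that do not match fall through to the
    # virtual server's normal pool configuration and are not logged.
}
```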