For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dubdub's avatar
dubdub
Icon for Nimbostratus rankNimbostratus
Nov 06, 2012

A strange case for catching an exception

Environment: 11.1.0 HF2 custom EHF build I have an iRule associated with a virtual server that's protected by an APM policy. This VS usually has north of 12,000 concurrent users, and is extremely...
application delivery
dev
devops
iRules
Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account
Nov 07, 2012
Your proposal of using catch is the right way to do it.

 

Since HTTP::username reads the Authorization header, you'll probably want to dump that too in your log statement, and if it's a GET or POST too for good measure.

 

 

eg:

 

log local0. "Invalid username from [IP::remote_addr] using $myAgent , authorization: [HTTP::header authorization] method: [HTTP::method]"

 

 

Adding that extra stuff will give you a little better clue about what exactly is going on. It may give enough information to reproduce whatever the trouble is. I wonder if maybe it's doing that if the authorization header is malformed? maybe it's not good base64, or maybe it's missing?

 

 

Maybe another interesting thing to do, if you find that the authorization header is present but isn't working, is to do it manually instead of using HTTP::username, like in this example:

 

https://devcentral.f5.com/wiki/iRules.parse_username_from_http_requests_rule.ashx

 

One thing to note about that is that if a base64 decode is called against invalid data, it will also throw a runtime exception so you'd have to use the same sort of catch technique to avoid those.