Forum Discussion
ASM iRule events not working
Hi Folks,
In the past I've experienced some major issues using the regular ASM redirect responses pointing to an ASM-enabled default/error page.
The problem was that a poorly written Bot/Crawler/VA-Scanner was getting blocked because of its User-Agent information. The client was able to follow the ASM redirects, resulting in another blocked request, and then just ended up in an endless redirect loop, which consumed lots of system resources over hours.
I've analysed the possibilities to manipulate the default blocking page behavior and ended up with a solution which detects HTTP::redirect loops, retrieves the [ASM::support_id] during ASM_REQUEST_DONE and then manipulates the regular ASM violation page response to become either a JScript redirect page or a static 200 OK error page, using the [ASM::payload] command during the ASM_REQUEST_BLOCKING event.
Note: The iRule passes the RequestID to the redirected site as a B64encoded query string. The query string is then used to detect the redirect loop and send the 200OK response displaying the RequestID of the initial violation.
Integration iRule event:
```tcl
when HTTP_REQUEST {
    if { [HTTP::host] eq "www.site.de" } then {
        set ASM_Policy_Violation_Page_URL "/default.aspx"
    } elseif { [HTTP::host] eq "www2.site.de" } then {
        set ASM_Policy_Violation_Page_URL "/sites/default.aspx"
    }
}
```
ASM iRule Events:
```tcl
when ASM_REQUEST_DONE {
    # Purpose      : The GLOBAL_ASM_ViolationPage_Selector file is responsible
    #                for controlling redirects to different ASM error pages.
    # Author       : Kai Wilke (kw@itacs.de)
    # Date         : 16.01.2015
    # Version      : v3.1 (Build 3100.0)
    # Dependencies : Enable "Trigger ASM iRule Events"
    #                Enable "Normal" ASM iRules Event mode
    #                Set Violation Page response to "Default Response"
    set debug 0
    set log_prefix "Debug: \"[HTTP::uri]\" >"
    if { $debug } { log -noname local0. "$log_prefix --- Entering \"ASM_Selector\" ASM_REQUEST_DONE iRule ---" }
    if { [ASM::status] eq "blocked" } then {
        # Handler for ASM Policy Violations
        if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation\" Handler +++" }
        if { $debug } { log -noname local0. "$log_prefix An ASM Policy Violation occurred. Evaluating error page settings for this request and preparing the response." }
        if { [info exists ASM_Policy_Violation_Page_URL] } then {
            # Handler for ASM Violation Custom Error Pages
            if { [URI::query [HTTP::uri] RequestID] eq "" } then {
                # Handler for ASM Violation Custom ErrorPage redirects
                if { $debug } { log -noname local0. "$log_prefix The HTTP-Request does not contain a \"RequestID\" query string. Preparing redirect to \"$ASM_Policy_Violation_Page_URL\" handler." }
                # The space after "RequestID=" makes this value a two-element list:
                # element 0 is the URL prefix, element 1 the Base64 ID that
                # ASM_REQUEST_BLOCKING reads with lindex.
                set asm_policy_violation_response "$ASM_Policy_Violation_Page_URL?RequestID= [b64encode "SupportID: [ASM::support_id]"]"
            } else {
                # Handler for ASM Violation Redirect Loop Detection
                if { $debug } { log -noname local0. "$log_prefix HTTP-Request contains a \"RequestID\" query string. Disabling the custom page redirects to avoid loops." }
                if { $debug } { log -noname local0. "$log_prefix Enumerating the existing ASM Violation ID and setting up the static violation error page." }
                # Decode and re-encode the client-supplied RequestID so that only
                # Base64 characters reach the response page. If catch reports an
                # error, the variable holds the error message, so reset it to "".
                if { [catch { b64encode [b64decode [URI::query [HTTP::uri] RequestID]] } asm_policy_violation_existing_id] } then {
                    set asm_policy_violation_existing_id ""
                }
                if { $asm_policy_violation_existing_id eq "" } then {
                    if { $debug } { log -noname local0. "$log_prefix Existing ASM Violation ID couldn't be retrieved. Generating empty session id within custom response." }
                    set asm_policy_violation_response "200ok U3VwcG9ydElEOiBNYWxmb3JtZWQgU3VwcG9ydElEIHJlY2VpdmVk"
                } else {
                    if { $debug } { log -noname local0. "$log_prefix Existing ASM Violation ID retrieved successfully. Using existing session id within custom response." }
                    set asm_policy_violation_response "200ok $asm_policy_violation_existing_id"
                }
                unset -nocomplain asm_policy_violation_existing_id
            }
            if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPages\" Handler +++" }
            unset -nocomplain ASM_Policy_Violation_Page_URL
        } else {
            # Handler for ASM Violation Static Error Page
            if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
            if { $debug } { log -noname local0. "$log_prefix Setting up the static violation error page and sending page to the client." }
            set asm_policy_violation_response "200ok [b64encode "SupportID: [ASM::support_id]"]"
            if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
        }
    }
    if { $debug } { log -noname local0. "$log_prefix --- Leaving \"ASM_Selector\" ASM_REQUEST_DONE iRule ---" }
}
when ASM_REQUEST_BLOCKING {
    set debug 0
    set log_prefix "Debug: \"[HTTP::uri]\" >"
    # Handler for ASM Violation Blocking Page Overwrite
    if { $debug } { log -noname local0. "$log_prefix --- Entering \"ASM_Selector\" ASM_REQUEST_BLOCKING iRule ---" }
    if { $debug } { log -noname local0. "$log_prefix Evaluate \"asm_policy_violation_response\" parameter to decide if client side redirect code is required." }
    if { $asm_policy_violation_response starts_with "200ok " } then {
        # Handler for ASM Violation Static Error Page
        if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
        if { $debug } { log -noname local0. "$log_prefix Setting up the violation error page without client side redirect code." }
        set response "
Illegal Request
Status: An illegal request was received.
SupportID: [lindex $asm_policy_violation_response 1]
"
        if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
    } else {
        # Handler for ASM Violation Custom Error Page Redirect
        if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Custom_ErrorPage_Redirect\" Handler +++" }
        if { $debug } { log -noname local0. "$log_prefix Setting up the violation error page with client side redirect code." }
        set response "
Illegal Request
Status: An illegal request was received.
SupportID: [lindex $asm_policy_violation_response 1]
"
        if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPage_Redirect\" Handler +++" }
    }
    unset -nocomplain asm_policy_violation_response
    # Handler for ASM Violation Custom Error Page replacement
    if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Custom_ErrorPage_Replacement\" Handler +++" }
    if { $debug } { log -noname local0. "$log_prefix Erasing the globally defined ASM blocking page." }
    ASM::payload replace 0 [ASM::payload length] ""
    if { $debug } { log -noname local0. "$log_prefix Setting the custom ASM blocking page." }
    ASM::payload replace 0 0 $response
    unset -nocomplain response
    if { $debug } { log -noname local0. "$log_prefix Adjusting the \"Content-Length\" to reflect new \"ASM_Payload_Length\"." }
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length [ASM::payload length]
    if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPage_Replacement\" Handler +++" }
    if { $debug } { log -noname local0. "$log_prefix --- Leaving \"ASM_Selector\" ASM_REQUEST_BLOCKING iRule ---" }
}
```
Cheers, Kai
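
The loop-detection decision from the iRule above, modelled in Python as an added example (not part of the original post), showing that a client whose every request is blocked stops after one redirect and that a malformed RequestID falls back to the placeholder. The function names `decide` and `follow` and the sample support IDs are constructed for illustration, and Python's strict Base64 decoder stands in for the iRule's `b64decode`.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs, quote

# Placeholder used by the iRule when the RequestID cannot be decoded.
MALFORMED = "U3VwcG9ydElEOiBNYWxmb3JtZWQgU3VwcG9ydElEIHJlY2VpdmVk"


def decide(uri, support_id, violation_page=None):
    """Model of ASM_REQUEST_DONE for a blocked request.

    Returns ("redirect", url) or ("static", base64_id).
    """
    fresh = base64.b64encode(f"SupportID: {support_id}".encode()).decode()
    if violation_page is None:
        # No custom page configured for this host: static page at once.
        return ("static", fresh)
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    request_id = query.get("RequestID", [""])[0]
    if request_id == "":
        # First violation: redirect and carry the support ID along.
        return ("redirect", f"{violation_page}?RequestID={quote(fresh)}")
    # RequestID present: this request is itself a followed redirect.
    # Round-trip the client-supplied value so only Base64 text is reflected.
    try:
        decoded = base64.b64decode(request_id, validate=True)
        existing = base64.b64encode(decoded).decode()
    except (binascii.Error, ValueError):
        existing = ""
    return ("static", existing or MALFORMED)


def follow(uri, support_ids, violation_page, max_hops=10):
    """Simulate a client that follows every redirect while each request
    is blocked (constructed support IDs, one per request)."""
    trace = []
    for _, sid in zip(range(max_hops), support_ids):
        action, value = decide(uri, sid, violation_page)
        trace.append(action)
        if action == "static":
            return trace, value
        uri = value
    return trace, None


if __name__ == "__main__":
    print(follow("/app?x=1", ["1111", "2222", "3333"], "/default.aspx"))
```

The static page carries the ID of the first violation, not of the blocked follow-up request, which matches the note about displaying the RequestID of the initial violation.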