Forum Discussion
James_Betts_290
Oct 19, 2016Cirrus
ASM issue, need to return HTTP 500 to client in certain cases
I've written a script that captures the "Content-Type" header from requests. In the event that ASM blocks the request, I need to respond to the client with one of three types of responses (I'm using ...
- Oct 19, 2016
This is not pretty but it works for the problem I had:
Note: 1. You must enable ASM events for the policy that you intend to invoke this with. 2. Make a custom blocking response page that is nothing but spaces and CR/LF that is as large as the iFile that you will be putting in ASM::payload. 3. In your iFile, use a "$" character where you want the ASM::support_ID to show when HTTP_REQUEST { set CT [string tolower [HTTP::header Content-Type]] log local0. "ASM-R-H: Content: $CT" } when ASM_REQUEST_BLOCKING { log local0. "ASM-R-H: Blocking Content: $CT" if the application type isn't SOAP then show the generic error if { ([string first $CT "application/soap"] < 0) && ([string first $CT "text/xml"] < 0) } { log local0. "ASM-R-H: HTML blocking [ASM::support_id]" ASM::payload replace 0 0 [string map "$ [ASM::support_id]" [ifile get "/Common/HTML-Error-Page"]] return } handle SOAP errors log local0. "ASM-R-H: XML blocking [ASM::support_id]" ASM::payload replace 0 0 [string map "$ [ASM::support_id]" [ifile get "/Common/SOAP-Error-Response"]] return } when ASM_REQUEST_DONE { if { not (([ASM::status] equals "blocked") || ([ASM::status] equals "alarmed")) } { return } if { ([string first $CT "application/json"] < 0) && ([string first $CT "application/javascript"] < 0) } { return } ASM::unblock log local0. "ASM-R-H: alarm status [ASM::status]" set JSONProblem [ASM::support_id] } when HTTP_RESPONSE { if { $JSONProblem == "" } { return } log local0. "ASM-R-H: alarm status $JSONProblem" HTTP::respond 500 content "Support ID $JSONProblem" }
MVA
Oct 19, 2016Nimbostratus
You might be able to do this by allowing 500 in policy under "Allowed Response status codes" and then capturing the response code with "when HTTP_RESPONSE" and evaluate whether to allow or block at that point, in an iRule.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects