Forum Discussion
ASM issue, need to return HTTP 500 to client in certain cases
- Oct 19, 2016
This is not pretty but it works for the problem I had:
Note: 1. You must enable ASM events for the policy that you intend to invoke this with. 2. Make a custom blocking response page that is nothing but spaces and CR/LF that is as large as the iFile that you will be putting in ASM::payload. 3. In your iFile, use a "$" character where you want the ASM::support_ID to show when HTTP_REQUEST { set CT [string tolower [HTTP::header Content-Type]] log local0. "ASM-R-H: Content: $CT" } when ASM_REQUEST_BLOCKING { log local0. "ASM-R-H: Blocking Content: $CT" if the application type isn't SOAP then show the generic error if { ([string first $CT "application/soap"] < 0) && ([string first $CT "text/xml"] < 0) } { log local0. "ASM-R-H: HTML blocking [ASM::support_id]" ASM::payload replace 0 0 [string map "$ [ASM::support_id]" [ifile get "/Common/HTML-Error-Page"]] return } handle SOAP errors log local0. "ASM-R-H: XML blocking [ASM::support_id]" ASM::payload replace 0 0 [string map "$ [ASM::support_id]" [ifile get "/Common/SOAP-Error-Response"]] return } when ASM_REQUEST_DONE { if { not (([ASM::status] equals "blocked") || ([ASM::status] equals "alarmed")) } { return } if { ([string first $CT "application/json"] < 0) && ([string first $CT "application/javascript"] < 0) } { return } ASM::unblock log local0. "ASM-R-H: alarm status [ASM::status]" set JSONProblem [ASM::support_id] } when HTTP_RESPONSE { if { $JSONProblem == "" } { return } log local0. "ASM-R-H: alarm status $JSONProblem" HTTP::respond 500 content "Support ID $JSONProblem" }
Mel, I believe "Allowed Response Status Codes" only applies to the responses generated by the protected application. Response codes generated on the F5 are permitted regardless of whether they're on the Allowed list or not. The purpose of "Allowed Response Status Codes" is to prevent a broken application from leaking too much information about itself when attacked.
Also, as OP noted, HTTP_RESPONSE doesn't trigger if the ASM steps in and blocks the request before it's sent to the pool. HTTP_RESPONSE_RELEASE does, though.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com