Philipp_Stadler
Oct 09, 2013

ASM::disable doesn't work

Hi all,

At the moment I'm a little bit embarrassed about disabling ASM from an iRule. My intent with this iRule is to bypass ASM for specific paths (/test1/ and /test2/) for specified IP addresses (specified in the datagroups test1-ips and test2-ips). The first part (HTTP_REQUEST) works as designed and the variable disable_asm is set properly. I also get both log messages from HTTP_CLASS_SELECTED (so both ifs are okay).

My only problem is that ASM::disable doesn't work: [HTTP::class asm] is 1 (selected) in both log messages.

when HTTP_REQUEST {
    # Default to ASM enabled, so disable_asm is always defined when
    # HTTP_CLASS_SELECTED reads it (a path match without an IP match
    # would otherwise leave the variable unset)
    set disable_asm 0
    set path [string tolower [HTTP::path]]
    # Strip a route-domain suffix (%n) before matching against the datagroups
    set remote_ip [getfield [IP::client_addr] "%" 1]
    if { $path starts_with "/test1/" } {
        set exception /test1/
        if { [class match $remote_ip equals test1-ips] } {
            set disable_asm 1
        }
    } elseif { $path starts_with "/test2/" } {
        set exception /test2/
        if { [class match $remote_ip equals test2-ips] } {
            set disable_asm 1
        }
    }
}

when HTTP_CLASS_SELECTED {
    if { $disable_asm == 1 } {
        if { [HTTP::class asm] == 1 } {
            log local5. "before disabling: Client:$remote_ip Class:[HTTP::class] ASM:[HTTP::class asm]"
            ASM::disable
            log local5. "after disabling:  Client:$remote_ip Class:[HTTP::class] ASM:[HTTP::class asm]"
        }
    }
}

Can anyone give me a hint where I can find the problem? (The current version is 11.3.0 - Build 3138.42.)

Thanks for any advice, Philipp

7 Replies

  • I don't think you need the "if {[HTTP::class asm]==1}{" statement, as you are selecting the disabling against the disable_asm variable having a value of 1, so the second if statement doesn't appear to be required.

    We do the same thing, but we don't use a datagroup for the URI list; we just encode the entries directly into the iRule for the application, all under the HTTP_CLASS_SELECTED event. Examples of the different ways we do this are below.

    when HTTP_CLASS_SELECTED {

        # Source-address exceptions (10.x.x.x are placeholders)
        if { [IP::addr [IP::client_addr]/32 equals 10.x.x.x] } {
            ASM::disable
            return
        } elseif { [IP::addr [IP::client_addr]/26 equals 10.x.x.x] } {
            ASM::disable
            return
        } else {
            ASM::enable
        }

        # User-Agent exception
        if { [HTTP::header "User-Agent"] contains "Mozilla" } {
            ASM::disable
            return
        }

        set test_uri [string tolower [HTTP::uri]]

        # URI exceptions encoded directly in the iRule
        if { $test_uri contains "/rpc" } {
            ASM::disable
            return
        } elseif { $test_uri contains "/owa" } {
            ASM::disable
            return
        } elseif { $test_uri contains "/microsoft-server-activesync" } {
            ASM::disable
            return
        } elseif { $test_uri contains "/ucm/cma/" } {
            ASM::disable
            return
        } elseif { $test_uri contains "/preview.aspx" } {
            ASM::disable
            return
        } else {
            ASM::enable
        }

        # Strip known static-content extensions; anything else is left to ASM
        switch -glob $test_uri {
            "*.css"  { set test_uri [string map {.css ""} $test_uri] }
            "*.gif"  { set test_uri [string map {.gif ""} $test_uri] }
            "*.ico"  { set test_uri [string map {.ico ""} $test_uri] }
            "*.jpg"  { set test_uri [string map {.jpg ""} $test_uri] }
            "*.bmp"  { set test_uri [string map {.bmp ""} $test_uri] }
            "*.doc"  { set test_uri [string map {.doc ""} $test_uri] }
            "*.docx" { set test_uri [string map {.docx ""} $test_uri] }
            "*.dot"  { set test_uri [string map {.dot ""} $test_uri] }
            "*.mp3"  { set test_uri [string map {.mp3 ""} $test_uri] }
            "*.pdf"  { set test_uri [string map {.pdf ""} $test_uri] }
            "*.png"  { set test_uri [string map {.png ""} $test_uri] }
            "*.pps"  { set test_uri [string map {.pps ""} $test_uri] }
            "*.ppsx" { set test_uri [string map {.ppsx ""} $test_uri] }
            "*.ppt"  { set test_uri [string map {.ppt ""} $test_uri] }
            "*.pptx" { set test_uri [string map {.pptx ""} $test_uri] }
            "*.swf"  { set test_uri [string map {.swf ""} $test_uri] }
            "*.vsd"  { set test_uri [string map {.vsd ""} $test_uri] }
            "*.wav"  { set test_uri [string map {.wav ""} $test_uri] }
            "*.wma"  { set test_uri [string map {.wma ""} $test_uri] }
            "*.xls"  { set test_uri [string map {.xls ""} $test_uri] }
            "*.xlsx" { set test_uri [string map {.xlsx ""} $test_uri] }
            "*.zip"  { set test_uri [string map {.zip ""} $test_uri] }
            default {
                return
            }
        }

        # Verify method is GET
        if { not ([HTTP::method] eq "GET") } {
            return
        }
        if { [HTTP::method] eq "POST" } {
            ASM::disable
            return
        }
    }
    
  • That's fine, but it shouldn't make any difference, because the ifs, datagroups, and so on work fine: I got the log messages around the ASM::disable statement.


    • Cory_50405
      How are you determining that ASM isn't being disabled?
    • Philipp_Stadler
      [HTTP::class asm]: if it's 1, ASM is enabled; if it's 0, ASM is enabled (I checked it on other HTTP classes with ASM enabled/disabled).
    • Cory_50405
      'HTTP::class asm' should return 1 if a class has been selected, which it certainly has because you're inside of 'when HTTP_CLASS_SELECTED'. This event wouldn't fire if an HTTP class hadn't been selected. Is ASM incorrectly blocking traffic? Are you seeing some log messages that ASM is firing on these URIs that you don't want it to?
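The pattern from the original post, written fail-closed, as an added example that is not part of this thread and not F5's code: ASM stays enabled unless both the path prefix and the client address match, and every bypass is logged for audit. It assumes (not on the page) a string datagroup named asm-bypass-paths whose keys are lower-case path prefixes and whose values name the address datagroup allowed to bypass ASM for that prefix (for example "/test1/" := "test1-ips"). As Cory notes above, [HTTP::class asm] only reflects which class was selected, so the log line records the decision rather than re-reading that value; whether ASM actually skipped the request is checked in the ASM request log.

```tcl
# Added example (not from the original post). Assumed datagroups:
#   asm-bypass-paths : string datagroup, path prefix -> address datagroup name
#   test1-ips, test2-ips : address datagroups named by the values above
when HTTP_REQUEST {
    # Fail closed: ASM is on unless an explicit match below turns it off.
    set disable_asm 0
    # Strip a route-domain suffix (%n) before matching addresses.
    set remote_ip [getfield [IP::client_addr] "%" 1]
    set path [string tolower [HTTP::path]]

    # Which address list (if any) governs this path prefix?
    # "class match -value" returns the entry's value, or "" on no match.
    set allow_dg [class match -value $path starts_with asm-bypass-paths]
    if { $allow_dg ne "" } {
        if { [class match $remote_ip equals $allow_dg] } {
            set disable_asm 1
        }
    }
}

when HTTP_CLASS_SELECTED {
    if { $disable_asm } {
        ASM::disable
        # Audit trail: who bypassed ASM, for which path, via which list.
        log local5. "ASM bypass: client=$remote_ip path=$path list=$allow_dg class=[HTTP::class]"
    } else {
        ASM::enable
    }
}
```

Keeping the allow lists in datagroups means the bypass can be reviewed and changed without editing the iRule, and initialising disable_asm in HTTP_REQUEST avoids an unset-variable error when a path matches but the client address does not.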