Forum Discussion
nrelihan_68143
Nimbostratus
NimbostratusBlacklist iRule Chrome browser Problem
Hey all,
I have an issue when I do a scan on the http payload using chrome I can't find the following value "reqID=doLogin".
When running in ie or Firefox I have no such issue.
If I don't look for this payload info, and just a post method chrome has no issue with the iRule.
if { [HTTP::payload] contains "reqID=doLogin" && [HTTP::method] equals "POST" }
Also, if I simply just try and write the whole HTTP::payload value to a log it doesn't seem to be catching it in Chrome.
When this iRule is assigned to the Virtual Server (iBB in this case):
1.Check any user that attempts a login.
2.Check if the user is on either the Blacklist or Watchlist based upon that user IP after attempted login.
3.If the user is on the Balcklist, log and deny the user access to progress.
4.If the user is on the Watchlist, log and allow the user access to progress.
Browser version: IE 8 - Firefox 5.0 - Chrome 12.0.742.91
Has anyone had issues with Chrome before?
Thanks for your time.
Neil
nrelihan_68143Heres the code: for some reason I couldnt include it in the post!
when HTTP_REQUEST
{
If { [HTTP::payload] contains "reqID=doLogin" && [HTTP::method] equals "POST" }
reqID is the unique identifier for the login page
{
if {[HTTP::header exists X-Forwarded-For]}
See note below
{ HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]" }
else { HTTP::header insert X-Forwarded-For [IP::client_addr] }
If { [matchclass [IP::remote_addr] equals $::ipBlackListTable] }
If the IP exists within the ipBlackListTable, block user from advancing once details are logged
{
HTTP::header insert X-Forwarded-For [IP::remote_addr]
set usrid [findstr [HTTP::payload] "username=" 9 "&"]
Find the username with in the http payload – located between the 9 character and &
log local1. "[clock format [clock seconds]] - BLACKLIST: Username = $usrid from [IP::remote_addr] - requested [HTTP::host][HTTP::uri] - asdf."
log the result to local1 (/var/log/em) in the stated format
What is written to this log is the basis to what will be emailed to the business.
HTTP::redirect "http://[HTTP::host][HTTP::uri]"
Once logged send user to and error page – thus black listing the user
}
elseif { [matchclass [IP::remote_addr] equals $::ipWatchListTable] }
If the IP exists within the ipWatchListTable, allow user to advance once details are logged
{
HTTP::header insert X-Forwarded-For [IP::remote_addr]
set usrid [findstr [HTTP::payload] "username=" 9 "&"]
Find the username with in the http payload – located between the 9 character and &
log local1. "[clock format [clock seconds]] - WATCHLIST: Username = $usrid from [IP::remote_addr] - requested [HTTP::host][HTTP::uri] - asdf."
log the result to local1 (/var/log/em) in the stated format
What is written to this log is the basis to what will be emailed to the business.
}
}
}- nrelihan_68143.
hooleylistCirrostratus
Can you use tcpdump or logging in the iRule to log the HTTP request headers (and ideally the payload) to see what might be different with the Chrome requests?
Also which LTM version are you using this iRule on?
Aaron- nrelihan_68143Hey Aaron,
Yes I can try do a tcpdump to log the HTTP request headers, but do you know what flags you need to capture headers?
The LTM version is 10.2
Thanks,
Neil - hooleylistIf you record the tcpdump to a file you can use the -s0 flag to record the full packets. You can then use Wireshark on your workstation to analyze the tcpdump. Here's an example command:
tcpdump -i 0.0 -s0 -w/var/tmp/chrome.dmp host CLIENT_IP
You can use WinSCP to copy the tcpdump file from LTM to your Windows host.
Aaron 
Paul_Ryan_73610Hi Aaron,
Do you think could be a chrome specific issue as it works fine in IE and Firefox.... Is there any other tools you recommend at the browser level I could do testing with?
Thanks- Paul_Ryan_73610Just to confirm from the request headers I do see the information in Chrome but the iRule will still not fire, request headers in Firefox are also the same but it works..
- hooleylistSorry I missed this the first time. You're looking for a POST request with a parameter of reqID equal to doLogin in HTTP_REQUEST. To guarantee that TMM is returning the full request payload using HTTP::payload, you need to collect it using HTTP::collect. I'm guessing Chrome isn't sending the reqID=doLogin string in the payload in the first packet(s) TMM buffers to parse the HTTP headers. So first, you could add logging in HTTP_REQUEST of [HTTP::payload] to confirm this. And then you could add logic like this to trigger payload collection:
From http://devcentral.f5.com/wiki/default.aspx/iRules/http__collect when HTTP_REQUEST { log local0. "UA: [HTTP::header User-Agent]" log local0. "Current payload: ([HTTP::payload length] bytes) [HTTP::payload]" Trigger collection for up to 1MB of data if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } Check if $content_length is not set to 0 if { content_length > 0} { HTTP::collect $content_length } } when HTTP_REQUEST_DATA { log local0. "Current payload: ([HTTP::payload length] bytes) [HTTP::payload]" do stuff with the payload set payload [HTTP::payload] }
Aaron - hooleylistAlso, if you're on 9.4.4 or higher, you should remove the $:: prefix from the datagroup names to preserve CMP compatibility:
http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html
And since you're on 10.x you should replace the matchclass command with class match. It should perform better.
http://devcentral.f5.com/wiki/default.aspx/iRules/class
Aaron - Paul_Ryan_73610Hi Aaron,
Thanks, can you specify how to add logging in HTTP_REQUEST of [HTTP::payload]
Many thanks