Forum Discussion

MustphaBassim's avatar
Mar 23, 2024

block any URI with status 404 or 403

Hello Dears

 

i want to create irule that block any traffic come to server with status would be 404 or 403 so any suggestion please?

 

Bests

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP

      some solutions

      1. respond with HTTP 200

      when HTTP_RESPONSE priority 500 {
          if { [HTTP::status] == 403 || [HTTP::status] == 404 } {
              HTTP::respond 200 -version auto content {<html><head><title>Apologies</title></head><body>Access to this page is currently not possible.</body></html>} noserver
          }   
      }

      2. respond with HTTP 204

      when HTTP_RESPONSE priority 500 {
          if { [HTTP::status] == 403 || [HTTP::status] == 404 } {
              HTTP::respond 204 -version auto noserver
          }   
      }

      3. respond with TCP reset

      when HTTP_RESPONSE priority 500 {
          if { [HTTP::status] == 403 || [HTTP::status] == 404 } {
              reject
          }   
      }

       

      Paulius - I think your suggestions won't work with dynamically generated URLs.

      • Paulius's avatar
        Paulius
        Icon for MVP rankMVP

        Daniel_Wolf you are absolutely correct. Blocking before the server even knows what the request is to respond with a 403 or 404 isn't really something that's possible I don't believe, at least on the initial client request. Your option of modifying the response is the best alternative but still allows the request to make it to the pool member. I think in this instance we really need to know the reason for blocking these requests at the F5 rather than the server so we can come up with the appropriate solution for MustphaBassim but we shall see what they come back with.

  • I don't know if this is possible because the F5 would need to know about the page not existing prior to sending the request to it and since the server would be the one responding with this message it would require the request be sent to the server in the first place. The only other thing I can think of is creating multiple data-groups that have a list of every sites files and then match against that but that really isn't feasible. Any particular reason you want to block 404 and 403 outright without sending it to the server?