Forum Discussion
block any URI with status 404 or 403
Hello Dears,
I want to create an iRule that blocks any traffic coming to the server whose response status would be 404 or 403, so any suggestions please?
Bests
Hi MustphaBassim,
it is not possible to block a request that will cause a 403 or 404. The BIG-IP cannot know the response of the server at request time.
However, you can use an iRule to block responses that contain status codes 403 or 404. Take a look here, there are some examples: https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html
KR
Daniel
Some solutions:
1. respond with HTTP 200
when HTTP_RESPONSE priority 500 {
    # Replace a 403/404 from the pool member with a generic 200 page;
    # "noserver" suppresses the BIG-IP Server header on the substituted response
    if { [HTTP::status] == 403 || [HTTP::status] == 404 } {
        HTTP::respond 200 -version auto content {<html><head><title>Apologies</title></head><body>Access to this page is currently not possible.</body></html>} noserver
    }
}
2. respond with HTTP 204
when HTTP_RESPONSE priority 500 {
    # Same check, but answer with an empty 204 No Content instead of a page
    if { [HTTP::status] == 403 || [HTTP::status] == 404 } {
        HTTP::respond 204 -version auto noserver
    }
}
3. respond with TCP reset
when HTTP_RESPONSE priority 500 {
    # Same check, but tear down the client connection instead of answering
    if { [HTTP::status] == 403 || [HTTP::status] == 404 } {
        reject
    }
}
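The three variants above hide the status from the client but leave no trace of which request triggered it. The following iRule is an added example, not code from the original post or from F5; it masks 403/404 as in option 1 and also logs the client address, the requested host and URI, and the pool member that produced the error. Because HTTP::uri and HTTP::host are only valid in request-side events, the request details are captured in HTTP_REQUEST and reused in HTTP_RESPONSE; the variable names req_host, req_uri and status are this example's own choice.

```tcl
# Added example (not from the original post): mask 403/404 responses and log
# which request produced them. HTTP::uri/HTTP::host cannot be called in
# HTTP_RESPONSE, so they are saved per request here and read back later.
when HTTP_REQUEST {
    set req_host [HTTP::host]
    set req_uri  [HTTP::uri]
}

when HTTP_RESPONSE priority 500 {
    set status [HTTP::status]
    if { $status == 403 || $status == 404 } {
        # Guard against the request-side variables being absent, e.g. when
        # another iRule already answered the request in HTTP_REQUEST
        if { ![info exists req_host] } { set req_host "-" }
        if { ![info exists req_uri] }  { set req_uri  "-" }

        # Record the original status and the pool member before replacing it
        log local0. "masked $status for [IP::client_addr] $req_host$req_uri from [IP::server_addr]:[TCP::server_port]"

        # Generic 200 page in place of the server's 403/404; "noserver" drops
        # the BIG-IP Server header, Content-Type is set explicitly
        HTTP::respond 200 -version auto content {<html><head><title>Apologies</title></head><body>Access to this page is currently not possible.</body></html>} noserver Content-Type "text/html"
    }
}
```

Two caveats when deploying this: the request still reaches the pool member, as Daniel and Paulius note, so this is response masking rather than blocking; and every 403/404 is rewritten, including ones that API clients or monitoring expect to see, so scope the virtual server or add a URI condition before applying it broadly.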
Paulius - I think your suggestions won't work with dynamically generated URLs.
Daniel_Wolf you are absolutely correct. Blocking before the server even knows what the request is to respond with a 403 or 404 isn't really something that's possible, I don't believe, at least on the initial client request. Your option of modifying the response is the best alternative, but it still allows the request to make it to the pool member. I think in this instance we really need to know the reason for blocking these requests at the F5 rather than the server so we can come up with the appropriate solution for MustphaBassim, but we shall see what they come back with.
If you have ASM/WAF there is an easy built-in option to block response codes: Overview of BIG-IP ASM HTTP response code filtering (f5.com). If not, then the iRule option was already mentioned.
I don't know if this is possible because the F5 would need to know about the page not existing prior to sending the request to it, and since the server would be the one responding with this message it would require the request to be sent to the server in the first place. The only other thing I can think of is creating multiple data-groups that have a list of every site's files and then matching against that, but that really isn't feasible. Any particular reason you want to block 404 and 403 outright without sending it to the server?