Forum Discussion
MustphaBassim
Cirrus
Cirrusblock any URI with status 404 or 403
Hello Dears
i want to create irule that block any traffic come to server with status would be 404 or 403 so any suggestion please?
Bests
- Daniel_Wolf
MVP
Hi MustphaBassim,
it is not possible to block a request that will cause a 403 or 404. The BIG-IP can not know the response of the server at request time.
However you can use an iRule to block responses that contain status codes 403 or 404.Take a look here, there are some examples: https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html
KR
Daniel- Daniel_Wolf
some solutions
1. respond with HTTP 200
when HTTP_RESPONSE priority 500 { if { [HTTP::status] == 403 || [HTTP::status] == 404 } { HTTP::respond 200 -version auto content {<html><head><title>Apologies</title></head><body>Access to this page is currently not possible.</body></html>} noserver } }2. respond with HTTP 204
when HTTP_RESPONSE priority 500 { if { [HTTP::status] == 403 || [HTTP::status] == 404 } { HTTP::respond 204 -version auto noserver } }3. respond with TCP reset
when HTTP_RESPONSE priority 500 { if { [HTTP::status] == 403 || [HTTP::status] == 404 } { reject } }Paulius - I think your suggestions won't work with dynamically generated URLs.
- Paulius
Daniel_Wolf you are absolutely correct. Blocking before the server even knows what the request is to respond with a 403 or 404 isn't really something that's possible I don't believe, at least on the initial client request. Your option of modifying the response is the best alternative but still allows the request to make it to the pool member. I think in this instance we really need to know the reason for blocking these requests at the F5 rather than the server so we can come up with the appropriate solution for MustphaBassim but we shall see what they come back with.
- Nikoolayy1
If you have ASM/WAF there is an easy build-in option to block response codes Overview of BIG-IP ASM HTTP response code filtering (f5.com) If not then the irule option was already mentioned.
- Paulius
I don't know if this is possible because the F5 would need to know about the page not existing prior to sending the request to it and since the server would be the one responding with this message it would require the request be sent to the server in the first place. The only other thing I can think of is creating multiple data-groups that have a list of every sites files and then match against that but that really isn't feasible. Any particular reason you want to block 404 and 403 outright without sending it to the server?
