Forum Discussion
Bob_10976
Nimbostratus
NimbostratusBlocking Specific User-Agent
Hello all,
I'm attempting to block any traffic that comes in with the User-Agent that contains github.com/tenderlove/mechanize. Using the fourms I came up with the below iRule, however I'm getting an error message when I check it. I'm not sure what I'm missing.
when HTTP_REQUEST {
if { HTTP::header "User-Agent" contains "github.com/tenderlove/mechanize"} {
reject
}
}Error on check: line 2: [parse error: PARSE syntax 32 {syntax error in expression " HTTP::header "User-Agent" contains "github.com/tenderlove/m...": variable references require preceding $}] [{ HTTP::header "User-Agent" contains "github.com/tenderlove/mechanize"}]
Any thoughts on or suggetions?
Thanks,
Bob
hooleylistCirrostratus
Hi Bob,
You need square braces around the HTTP::header command:when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port]: User-Agent: [string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]" if { [string tolower [HTTP::header "User-Agent"]] contains "github.com/tenderlove/mechanize"} { log local0. "[IP::client_addr]:[TCP::client_port]: Rejected request" reject } }
Aaron
Bob_10976Thank you!- Bob_10976
Not sure what I'm doing wrong here, but the rule doesn't appear to be working as expected. Using Firefox addon I can change my user agent to show the github info and I can confirm in the IIS logs that the user agent is showing the github info, but the traffic isn't being dropped.
I'd like to add some logging so that I can confirm the rule is seeing the user-agent info but that doesn't seem to be working either.when HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" if { [HTTP::header "User-Agent"] contains "github.com/tenderlove/mechanize"} { reject } } [\code] Any thoughts or suggetions on what I can do better here? Thanks, Bob - hooleylistHi Bob,
I added some debug logging to the example above and set the User-Agent header value to lower case for the comparison. Can you give that a try and check /var/log/ltm for the debug log output?
Aaron - Bob_10976Thanks Hoolio.. But I nothing is reporting, either through the BigIP Browser GUI or in the /var/log/ltm Its a if the traffic isn't going through that VS, but I'm postitive its the right one..
Thoughts?
Bob - Bob_10976Thanks Hoolio.. But I nothing is reporting, either through the BigIP Browser GUI or in the /var/log/ltm Its a if the traffic isn't going through that VS, but I'm postitive its the right one..
Thoughts?
Bob - hooleylistCan you try testing from the command line of the BIG-IP to the virtual server using curl?
HTTP
curl -v http://1.1.1.1:80/ -H "User-Agent: github.com/tenderlove/mechanize"
HTTPS
curl -vk https://1.1.1.1:80/ -H "User-Agent: github.com/tenderlove/mechanize"
If you still don't see anything logged, do you have any custom syslog configuration that would be sending the logs off the box or to another file instead of /var/log/ltm?
Aaron - Bob_10976Ok..I think I found the issue..or at least the start of the problem. When I logged into the LTM via putty I noticed my Primary is now the Secondary.. I've got to figure out when and why they switched before I move forward.
Thanks
Bob