Forum Discussion
Eljay
Cirrus
CirrusBypassing ASM on HTTP response
Is it possible to prevent ASM from blocking responses when there's a specific HTTP header present in the HTTP response? Let's say we block responses with HTTP status code 500 by default in our securi...
Try with an iRule. use appropriate asm policy name.
Use logging to see if condition is getting triggered and then it can be disabled.
when HTTP_RESPONSE { ASM::enable "/common/asm_policy" if { ([HTTP::status] == 500) and ([HTTP::header value Content-Type] eq "application/problem-handled-return-to-client") }{ log local0.info "disable asm" ASM::disable return } }
spalande
Nacreous
NacreousASM::disable is valid command in HTTP_RESPONSE event.
If you want to use generic one, you can remove ASM::enable command at the start of the iRule and test it ASM gets enabled in the response for every and all subsequent events after a match. But F5 recommends to enable it before disabling for specific traffic.
EljayCirrus
CirrusSomething isn't working as expected. I use this simple code which I cut and pasted from https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html and made only a small change inside the IF-statement :
when HTTP_RESPONSE {
if { [HTTP::status] contains "500"} {
log local0.debug "HTTP_RESPONSE - err: 500"
}
}But when I make a request that triggers a 500 status code then I get this message in the LTM log:
<date removed> <host removed> err tmm[14816]: 01220001:3: TCL error: /Common/asm-override <HTTP_RESPONSE> - Can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::status"
We are using v15.1.2.1 with an Eng Hotfix.
Yiğit_UsluCan't call after responding means most probably an event overlap is occurring. Checkout if there is another rule or policy attached to VS with HTTP_RESPONSE event.
If so, combine both HTTP_RESPONSE event content in one iRule.
Hope this helps
- Eljay
Thank you! When I browsed through the other iRules, then I found an iRule that was executed before this one. Thanks a lot! 🙂