Forum Discussion
Confusing TCL error in Irule.
I have included my irule below for review if needed (I may have to include it in a separate post or two posts due to length). I would remove the comments, but I want to keep what is there exactly for review.
I don't see anything that looks off with the iRule, but it is immediately invoking this error when people are trying to go to mywebsite.com/my/portal:
Dec 9 17:27:33 BigIP-corp err tmm[11991]: 01220001:3: TCL error: /internal/myewebsite.com_with_MaintenancePage_443_irule - extra switch pattern with no body while executing "switch -glob [string tolower [HTTP::host]] { "workhere.com" { log local0. "Matched workhere.com. Host:[HTTP::host] - URI: [HTTP::uri]..."
Thanks.
- gdoyle
Cirrostratus
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "workhere.com" {
            log local0. "Matched workhere.com. Host:[HTTP::host] - URI: [HTTP::uri]."
            HTTP::header insert HttpsIndicatorHeader True
            HTTP::respond 301 "Location" "http://workhere.com[HTTP::uri]"
        }

        {
            "mywebsite*" {

                "/my/website" -
                "/my/website/" -
                "/" -
                {
                    log local0. "Redirecting based on /my/website. Host: [HTTP::host] - URI: [HTTP::uri]."
                    HTTP::header insert HttpsIndicatorHeader True
                    HTTP::respond 301 "Location" "https://www.mywebsite.com/my/website/mywebsite-com"
                    event disable
                }
                "/redirect.nsf*" -
                "/icons*" -
                "/internet*" -
                "/admin*" -
                "/login*" -
                "/intranet*" -
                {
                    log local0. "Redirecting based on section 2. Host:[HTTP::host] - URI: [HTTP::uri]."
                    # This section prints the active members in the Pool1 to the logs if this section of the irule is invoked.
                    set thispool "Pool1"
                    foreach { pmem } [members -list $thispool] {
                        log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
                    }
                    # This next section states that if there are more than 0 pool members are active in the Pool1 then the user is redirected there, else they are presented a Maintenance Page.
                    if { [active_members Pool1] > 0 } {
                        log local0. "Sending to Pool1."
                        pool Pool1
                        HTTP::header insert HttpsIndicatorHeader True
                    } else {
                        log local0. "Sending to MX Page for Pool1."
                        HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                        return
                    }
                }
                "*/hrp/*" {
                    log local0. "Redirecting based on hrp. Host: [HTTP::host] - URI: [HTTP::uri]."
                    # This section prints the active members in the Pool2 to the logs if this section of the irule is invoked.
                    set thispool "Pool2"
                    foreach { pmem } [members -list $thispool] {
                        log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
                    }
                    # This next section states that if there are more than 0 pool members are active in the Pool2 then the user is redirected there, else they are presented a Maintenance Page.
                    if { [active_members Pool2] > 0 } {
                        log local0. "Sending to Pool2."
                        pool Pool2
                        HTTP::header insert HttpsIndicatorHeader True
                    } else {
                        log local0. "Sending to MX Page for the Pool2."
                        HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                        return
                    }
                }
                "*/netss" {
                    log local0. "Redirecting based on /netss. Host: [HTTP::host] - URI: [HTTP::uri]."
                    # This section prints the active members in the Pool3 to the logs if this section of the irule is invoked.
                    set thispool "Pool3"
                    foreach { pmem } [members -list $thispool] {
                        log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
                    }
                    # This next section states that if there are more than 0 pool members are active in the Pool3 then the user is redirected there, else they are presented a Maintenance Page.
                    if { [active_members Pool3] > 0 } {
                        log local0. "Sending to Pool3."
                        pool Pool3
                        HTTP::header insert HttpsIndicatorHeader True
                    } else {
                        log local0. "Sending to MX Page for the Pool3."
                        HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                        return
                    }
                }
                default {
                    log local0. "Redirecting based on default. Host: [HTTP::host] - URI: [HTTP::uri]."
                    # This section prints the active members in the mywebsite.com_pool to the logs if this section of the irule is invoked.
                    set thispool "mywebsite.com_pool"
                    foreach { pmem } [members -list $thispool] {
                        log local0. "$thispool - [getfield $pmem " " 1] [LB::status pool $thispool member [getfield $pmem " " 1] [getfield $pmem " " 2]]"
                    }
                    # This next section states that if there are more than 0 pool members are active in the mywebsite.com_pool then the user is redirected there, else they are presented a Maintenance Page.
                    if { [active_members mywebsite.com_pool] > 0 } {
                        log local0. "Sending to the mywebsite.com_pool."
                        pool mywebsite.com_pool
                        HTTP::header insert HttpsIndicatorHeader True
                    } else {
                        log local0. "Sending to MX Page for the mywebsite.com_pool."
                        HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                        return
                    }
                }
            }
        }
    }
}
- Stanislas_Piro2
Cumulonimbus
Line 9: the opening curly bracket must be removed.
Line 11: a switch command is missing:
switch -glob [string tolower [HTTP::uri]] {
Line 17 : useless command (insert a http header in request to server) as next command is a respond to client
Line 19: why do you want an attacker to be allowed to bypass this irule or any other irule attached to the virtual server for next http requests within the current tcp connection? If you want to exit the current irule, use “return” command
...
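The four corrections from the reply above, applied to a trimmed version of the rule. This is an added example, not code from the thread: it keeps only the /hrp/ and default pool branches, reuses the pool and iFile names from the post, and its layout (one shared pool check after the inner switch) is an assumption.

```tcl
# Added example, not the poster's rule: trimmed to two pool branches.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "workhere.com" {
            # No HTTP::header insert: the client is answered directly,
            # so a request header would never reach a server.
            HTTP::respond 301 "Location" "http://workhere.com[HTTP::uri]"
            return
        }
        "mywebsite*" {
            # URI matching needs its own switch inside the host branch.
            switch -glob [string tolower [HTTP::uri]] {
                "/my/website" -
                "/my/website/" -
                "/" {
                    # The last pattern of a fall-through group takes the
                    # body directly, with no trailing "-".
                    HTTP::respond 301 "Location" "https://www.mywebsite.com/my/website/mywebsite-com"
                    # return ends this event for this request only; the rule
                    # runs again for the next request on the same connection,
                    # whereas event disable would switch it off until close.
                    return
                }
                "*/hrp/*" {
                    set thispool "Pool2"
                }
                default {
                    set thispool "mywebsite.com_pool"
                }
            }
            if { [active_members $thispool] > 0 } {
                pool $thispool
                HTTP::header insert HttpsIndicatorHeader True
            } else {
                # Maintenance page when the chosen pool has no active members.
                HTTP::respond 503 content [ifile get "/external/mywebsite_MaintenancePage_ifile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate"
                return
            }
        }
    }
}
```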