Forum Discussion
Vince_Beltz_959
Nimbostratus
Oct 22, 2009
Drop Doesn't
I've implemented the following iRule to filter out certain user agents from connecting to our servers. Testing with Firefox and the Modify Headers add-on, it seems to work - I get a disconnected message instead of a page when I add one of the filtered strings to my User-Agent field.
However, the guys running the servers have been testing with packet capture, and claim they're still seeing the connection attempts come through. The whole point of this is that we're trying to prevent these connections from hitting the servers at all. Is the drop/event disable/return not the best way to do this?
when HTTP_REQUEST {
    # Case-insensitive glob match of the User-Agent header against the block list
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
        "*torrent*" -
        "*azureus*" -
        "*windows-media-player*" -
        "*microsoft-webdav-miniredir*" {
            # Blocked client: drop the packet, stop further events, leave the rule
            drop
            event disable
            return
        }
    }
    # Everyone else is sent to the target site
    HTTP::redirect http://targetsite.tld
}
19 Replies
hoolio
Cirrostratus
Can you try testing from the LTM command line using curl? Here is an example:
curl -v http://VIP_IP/uri -H "User-Agent: Azureus"
Thanks,
Aaron
Vince_Beltz_959
Nimbostratus
Here's what I got, still waiting to see if it eventually times out or just keeps hanging at the end of this (edit: it didn't, 10min later I just ctrl-C'ed out):
[root@nap01gb01-1:Active] log curl -v http://67.63.55.3 -H "User-Agent: Azureus"
* About to connect() to 67.63.55.3:80
* Connected to 67.63.55.3 (67.63.55.3) port 80
> GET / HTTP/1.1
Host: 67.63.55.3
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Azureus
hoolio
Cirrostratus
If there isn't a response to requests which should be closed, I'd say it looks like the TCP::close command is working.
Aaron
Vince_Beltz_959
Nimbostratus
But that doesn't agree with the client packet capture, or the guys running the servers in the pool this iRule (eventually) redirects to - both show that server connections are still being established. The reason this rule was written is to prevent those server connections, so even though the client sees nothing, the rule isn't stopping the traffic it was intended to.
hoolio
Cirrostratus
It might end up being easier if you're able to capture tcpdumps on the client and server side VLANs along with LTM log output from the iRule and then open a case with F5 Support. They'll be able to inspect the full traces and tell you how this should/could work. It might save you time in the troubleshooting process.
If I have a chance to test this, I'll reply with any relevant info I come up with.
Aaron
Vince_Beltz_959
Nimbostratus
Opened up a ticket with them yesterday, they're seeing the same behavior, will update - thanks for the suggestions so far. :-)
Vince_Beltz_959
Nimbostratus
Just an update (thanks for all your suggestions so far, Hoolio). I happen to be in an F5 iRule training this week, and rewrote the first part of the rule. In the process, I've pinned down the weirdness. The following rule *partially* works, when tested with the User-Agent value "Azureus" (note upper-case "A") - instead of the full target redirect page, a "connection reset" page is displayed on the client, the redirect URL is shown in the address bar, and client tcpdump shows a server connection being established.
when RULE_INIT {
    set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]
}
when HTTP_REQUEST {
    if { [matchclass [HTTP::header value "User-Agent"] contains $::uablock] } {
        TCP::close
    } else {
        HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]
    }
}
Since without a string tolower operation "Azureus" shouldn't match "azureus", I don't know why the full normal redirect isn't happening. Adding a string tolower function to the matchclass results in the exact same TCP::close doing what I want, dropping the connection immediately and completely.
when RULE_INIT {
    set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]
}
when HTTP_REQUEST {
    if { [matchclass [string tolower [HTTP::header value "User-Agent"]] contains $::uablock] } {
        TCP::close
    } else {
        HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]
    }
}
The other issue is that in order to easily apply the User-Agent filtering function to multiple VIPs using different redirects, I'd like to split these items into two separate iRules attached to the same VIP. Unfortunately, even with string tolower, this also triggers the TCP::close partial redirect behavior.
Rule 1
when RULE_INIT {
    set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]
}
when HTTP_REQUEST priority 500 {
    if { [matchclass [string tolower [HTTP::header value "User-Agent"]] contains $::uablock] } {
        TCP::close
    }
}
And this:
Rule 2
when HTTP_REQUEST priority 1000 {
    HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]
}
Vince_Beltz_959
Nimbostratus
In still-further weirdness, it appears that the mere absence of the string tolower function triggers the partial redirect behavior of TCP::close (without it, both "Azureus" and "azureus", as well as "Torrent" and "torrent", etc., trigger the partial redirect). Some kind of timing issue getting triggered? Curiouser and curiouser.
Vince_Beltz_959
Nimbostratus
Last note for the afternoon - adding "event disable all" after the TCP::close allows this to be broken into two rules the way I wanted it to be, so my problem is effectively solved (though removing string tolower still mysteriously breaks it). Thanks again, Hoolio.
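The two-rule layout with the "event disable all" fix from the last post, written out as an added example (not code from the thread itself). It assumes the same global list name ::uablock and the same block list as the rules above, and that Rule 1 is attached with the lower priority number so it runs before Rule 2 on the same virtual server.

```tcl
# Added example, not from the original thread: Rule 1 blocks listed
# User-Agents and silences every later event on the connection; Rule 2
# only redirects requests that Rule 1 let through.

# Rule 1 - priority 500 runs before Rule 2's priority 1000
when RULE_INIT {
    # Block list as posted in the thread (lower-case, matched after tolower)
    set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]
}

when HTTP_REQUEST priority 500 {
    # Case-insensitive substring match against every entry in ::uablock
    if { [matchclass [string tolower [HTTP::header value "User-Agent"]] contains $::uablock] } {
        # Close the client-side TCP connection ...
        TCP::close
        # ... then disable all remaining events for this connection, so
        # Rule 2's HTTP_REQUEST never fires and no redirect or server-side
        # connection is attempted for the blocked client.
        event disable all
        return
    }
}

# Rule 2 - reached only when Rule 1 did not block the request
when HTTP_REQUEST priority 1000 {
    HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]
}
```

Verify the effect with the curl command hoolio suggested on the client side and a tcpdump on the server-side VLAN: a blocked User-Agent should produce no server-side connection at all.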