
Erik_27939
Oct 14, 2013

Drop single request based on header value

We are trying to set up an iRule that will drop a request that has a matching IP in a datagroup. In this scenario, the connections are persistent, so all of the HTTP requests are coming down the same connection. We want to drop the request, NOT the connection. Is the below correct for this scenario?

when HTTP_REQUEST {
    # Prefer the client address asserted by an upstream proxy in True-Client-IP,
    # unless the header is missing or carries 127.0.0.1; otherwise use the TCP peer.
    if { [HTTP::header exists "True-Client-IP"] and not ([string equal [HTTP::header "True-Client-IP"] "127.0.0.1"]) } {
        set trueIP [HTTP::header "True-Client-IP"]
    } else {
        set trueIP [IP::client_addr]
    }

    # Evaluated per request, so each request on a persistent connection is checked.
    if { [class match $trueIP equals block_list] } {
        HSL::send [HSL::open -proto UDP -pool corp_pool_accelops_syslog] "DSA_BLOCK: Rejecting connection from $trueIP based on matching entry in block_list..."
        discard
    }
}

1 Reply

  • Yours should work, but here's a minor modification:

    when HTTP_REQUEST {
        if { ( [HTTP::header exists True-Client-IP] ) and not ( [HTTP::header True-Client-IP] equals "127.0.0.1" ) } {
            set trueIP [HTTP::header True-Client-IP]
        } else {
            set trueIP [IP::client_addr]
        }
        if { [class match $trueIP equals block_list] } {
            discard
        }
    }

    You're allowing the client, or perhaps an upstream proxy, to set a header (True-Client-IP). If that header exists, use it in the class match, otherwise use the client's IP as seen by the F5. If a match is found, discard the request. Is that your intention?
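The point raised in the reply, that the block list is keyed on a header any peer can set, is easier to see when the rule's decision logic is modelled outside the BIG-IP. The following Python is an added illustration, not an iRule and not F5 code: it mirrors the if/else and class match above with a constructed block list, and adds an optional trusted-proxy set (an assumption for this example) so the header is only believed when the TCP peer is a known proxy. Decisions are made per request, as they are in HTTP_REQUEST, so several requests on one persistent connection are judged independently.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "block_list" address datagroup (hosts and CIDR ranges).
BLOCK_LIST = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def resolve_client_ip(peer_addr, headers, trusted_proxies=None):
    """Pick the address to check, mirroring the iRule's True-Client-IP / IP::client_addr choice.

    trusted_proxies=None reproduces the original rule: the header is believed from any peer.
    With a set of proxy addresses (assumed for this example) the header is believed only
    when the request actually arrived from one of them; otherwise the TCP peer is used.
    """
    peer = ip_address(peer_addr)
    hdr = headers.get("True-Client-IP")
    if hdr is None or hdr.strip() == "127.0.0.1":
        return peer                      # the iRule's else branch
    try:
        claimed = ip_address(hdr.strip())
    except ValueError:
        return peer                      # malformed header value: our choice here is to ignore it
    if trusted_proxies is None:
        return claimed                   # original behaviour: trust the header from anyone
    return claimed if peer in trusted_proxies else peer


def is_blocked(addr):
    """Equivalent of [class match $trueIP equals block_list] against CIDR entries."""
    return any(addr in net for net in BLOCK_LIST)


def handle_connection(peer_addr, requests, trusted_proxies=None):
    """Return one decision per request on a single persistent connection."""
    decisions = []
    for headers in requests:             # each dict is one request's headers (constructed)
        ip = resolve_client_ip(peer_addr, headers, trusted_proxies)
        decisions.append("discard" if is_blocked(ip) else "allow")
    return decisions


if __name__ == "__main__":
    proxies = {ip_address("10.0.0.5")}
    # A blocked peer that simply claims a clean True-Client-IP slips past the original rule.
    print(handle_connection("203.0.113.10", [{"True-Client-IP": "192.0.2.55"}]))
    print(handle_connection("203.0.113.10", [{"True-Client-IP": "192.0.2.55"}], proxies))
```

Run with a trusted-proxy set, the second call shows the spoofed header being ignored and the blocked peer discarded, while requests relayed by 10.0.0.5 are still judged on the address it asserts.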