
Forum Discussion

Richard_Schmit_ (Nimbostratus), May 09, 2014

Have an iRule from an old 9.x platform that is not working on 11.4.1, causing connection reset errors. Any ideas?

when RULE_INIT {
    set sec_http_methods [list "CONNECT" "DELETE" "DEBUG" "TRACE"]

    # Create a list of the response headers to preserve. This needs to be tailored to the application!
    set ::headers_to_hide [list "Server" "X-Powered-By" "X-AspNet-Version" "refresh" "Content-Location" ]

    set sec_http_versions [list "1.0" "1.1" ]
}

when HTTP_REQUEST {

    # block unknown HTTP versions
    if { ! [class match [HTTP::version] equals $::sec_http_versions ] } {
        log local0. [concat "Invalid HTTP version: " [HTTP::version] [HTTP::uri]]
        reject
    }

    # block unwanted HTTP commands
    if { [class match [HTTP::method] equals $::sec_http_methods] } {
        log local0. [concat "Invalid HTTP method : " [HTTP::method] [HTTP::uri]]
        reject
    }

    # block large POST data over 100MB (Increased to 200MB for iRebal Files in WCF 2_7_13)
    # The header is checked for presence first: a POST without Content-Length (chunked)
    # would otherwise make expr fail with a Tcl error and reset the connection.
    if { [HTTP::method] equals "POST" } {
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 209700000 } {
            log local0. [concat "Invalid HTTP POST Length: " [HTTP::header "Content-Length"] [HTTP::uri]]
            reject
        }
    }

    # block large QueryStrings
    # (no check was ever written here; the original had a bare [HTTP::query] on its own line,
    #  which runs the query string as a Tcl command and errors on any request that has one)

    # block path traversal
    # regexp with a match variable sets $file to the captured value; "regexp -inline" returned
    # a list, so the starts_with tests below never matched in the original
    if { [regexp {filename=(.+)} [HTTP::uri] -> file] } {
        if { ($file starts_with "/") or ($file starts_with "../") } {
            log local0. [concat "Invalid Path Traversal: " $file [HTTP::uri]]
            reject
        }
    }

    # block unwanted extensions
    switch -glob [string tolower [HTTP::uri]] {
        *_vti_bin* -
        */msi* -
        *authuser* -
        *.bas* -
        *.bs* -
        *.bat* -
        *.cfm* -
        *.cgi* -
        *cgi*bin* -
        *.cmd* -
        *.dat* -
        *.dbm* -
        *.dll* -
        *__dopostback* -
        *htaccess* -
        *.htc* -
        *.htr* -
        *.ida* -
        *.idc* -
        *.idq* -
        *.idx* -
        *.inc* -
        *.ini* -
        *.java* -
        *.jsp* -
        *.mdb* -
        *.mov* -
        *.nasl* -
        *.nsf* -
        *passwd* -
        *pwds* -
        *.php* -
        *.php3* -
        *.php4* -
        *.pl* -
        *.print* -
        *readme* -
        *.sql* -
        *.stm* -
        *.tpl* {
            log local0. "Invalid Extension : [HTTP::uri]"
            # reject resets the TCP connection, so the 404 page that followed it in the
            # original could never be delivered; only the HTTP::respond is kept
            set error_page "Website Notice:
You have attempted to access a resource that has been blacklisted from our servers.   If you are using the Secure Exchange application or the Document Vault, please change the name of the resource and/or the file extension."
            HTTP::respond 404 content $error_page
        }
    }
}

Seeing the following in the logs of the LTM:

Fri May 9 13:37:58 CDT 2014 err DMZ-MD-LTM01 tmm[9898] 01220001 TCL error: /Common/security_helper - Could not find class 1.0 1.1 (line 2) invoked from within "class match [HTTP::version] equals $::sec_http_versions "

5 Replies

  • That could have been easier to read. Regardless, the first thing I noticed is that you call on classes as global variables and I think that is at least deprecated if not illegal nowadays so remove the $:: in front of the class names.

     

  • Oh, and in fact, avoid global variables altogether, so since headers_to_hide doesn't seem to be in use I would delete that line altogether.

     

  • Henrik, thank you very much for looking this over. I apologize for the layout. I saw when I pasted it that it bunched it all together, but wasn't sure how to make the carriage returns etc. work. Anyway, I will try these suggestions and see if that works. I don't do much with the actual scripting of the rules, but for the two places where $:: is used, with sec_http_versions and methods, can those still be used as is, just leaving the $:: off?

     

    • Henrik_Gyllkra1: Yeah, if you remove those it will be according to the current syntax for the class command.
  • The problem with the iRule is that it is calling bigpipe commands/syntax. That is legacy from the 9.x code that you were running. In 11.4 with TMOS it will reject those commands and kill the iRule. You will have to remove and replace that old syntax with the current syntax for TMOS/tmsh if you want that same rule to work. There are not a lot of changes, as iRules are based on Tcl, but there are a few and they can trip you up. Henrik did a good job of pointing out a few of them in your code. I would recommend looking for a new iRule that does the same thing that this one does. There are plenty here on DevCentral that may even do it a bit better.
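The same checks written for TMOS 11.x, as an added example that is not the poster's rule and not F5-supplied code. The "Could not find class 1.0 1.1" error happens because, since v10, `class match` takes the name of a data group, not a Tcl list: `$::sec_http_versions` expands to the string `1.0 1.1`, and no data group by that name exists. The rewrite keeps plain Tcl lists in the `static::` namespace (shared read-only across TMMs, so no `$::` globals) and tests membership with `lsearch`; it also guards the `Content-Length` comparison, decodes the URI before the traversal test, finishes the query-string check the original left empty, and uses `HTTP::path` for the extension list (shortened here; copy the full list from the posted rule). The thresholds `max_post_bytes` and `max_query_bytes` and the assumption that the application does not use chunked uploads are mine, not the page's:

```tcl
# Added example (editor's rewrite, not the poster's rule, not F5 code).
# Thresholds and the "no chunked uploads" assumption are illustrative.
when RULE_INIT {
    # static:: variables replace the v9-style $:: globals
    set static::sec_http_versions [list "1.0" "1.1"]
    set static::sec_http_methods  [list "CONNECT" "DELETE" "DEBUG" "TRACE"]
    set static::max_post_bytes    209700000
    set static::max_query_bytes   2048
}

when HTTP_REQUEST {
    # block unknown HTTP versions: lsearch against a Tcl list, not class match
    if { [lsearch -exact $static::sec_http_versions [HTTP::version]] == -1 } {
        log local0. "Invalid HTTP version: [HTTP::version] [HTTP::uri]"
        reject
        return
    }

    # block unwanted methods; upper-case first so a lower-case "trace" is caught too
    if { [lsearch -exact $static::sec_http_methods [string toupper [HTTP::method]]] != -1 } {
        log local0. "Invalid HTTP method: [HTTP::method] [HTTP::uri]"
        reject
        return
    }

    # block large POST bodies. The original ran expr on the raw header, so a POST
    # without Content-Length (chunked) raised a Tcl error and reset the connection.
    # Assumption: chunked uploads are not needed, so an absent or non-numeric
    # length is refused instead of silently skipping the size check.
    if { [HTTP::method] equals "POST" } {
        set clen [HTTP::header value "Content-Length"]
        if { ![string is integer -strict $clen] || $clen > $static::max_post_bytes } {
            log local0. "Invalid HTTP POST length: '$clen' [HTTP::uri]"
            HTTP::respond 413 content "Request body too large or length unknown"
            return
        }
    }

    # block oversized query strings (this check was never written in the original)
    if { [string length [HTTP::query]] > $static::max_query_bytes } {
        log local0. "Query string too long ([string length [HTTP::query]] bytes): [HTTP::uri]"
        reject
        return
    }

    # block path traversal in a filename= parameter. Decode first so %2e%2e%2f is
    # seen as ../; the original's "regexp -inline" returned a list, so its
    # starts_with tests never matched. Any ".." segment anywhere is refused.
    if { [regexp -nocase {filename=([^&]+)} [URI::decode [HTTP::uri]] -> file] } {
        if { [string match "/*" $file] || [string first ".." $file] != -1 } {
            log local0. "Invalid path traversal: $file [HTTP::uri]"
            reject
            return
        }
    }

    # block unwanted extensions. Matching on the path rather than the whole URI
    # keeps a query value such as ?from=readme.txt from tripping the rule.
    # reject and HTTP::respond are alternatives: reject resets the TCP
    # connection and no page is ever sent, so only the 404 is used here.
    switch -glob [string tolower [HTTP::path]] {
        "*_vti_bin*" -
        "*.php*" -
        "*.jsp*" -
        "*.dll*" -
        "*passwd*" -
        "*.tpl*" {
            log local0. "Invalid extension: [HTTP::uri]"
            HTTP::respond 404 content "Website Notice: the requested resource is not available on this server."
            return
        }
    }
}
```

If you would rather keep `class match`, the lists must become data groups on the device and be referenced by bare name, for example `class match [HTTP::version] equals sec_http_versions` after creating the group in tmsh (as I recall the syntax: `create ltm data-group internal sec_http_versions type string records add { 1.0 1.1 }`; check `tmsh help ltm data-group` on your version). Removing only the `$::` from the posted rule, without creating the groups, moves the failure from "Could not find class 1.0 1.1" to "Could not find class sec_http_versions".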