Forum Discussion
Ronak_79648
Nimbostratus
NimbostratusHTTP Error 408 / 409 -- iRules from 4.x to 9.x
I have simple iRules in 4.x which allows login page for everyone over https. Login process puts the cookie to client and all other request needs to have cookie to access.
When I try to take same logic to 9.x the login page gives 408/409 error.
I am trying to
when HTTP_REQUEST {
set uri [HTTP::uri]
if {[HTTP::cookie exists "User-Name"] || $uri contains "index_out.html" || $uri contains "loginForm.jsp" || $uri ends_with "gif" } {
pool my_web
}
elseif {$uri contains "xyz"}{
HTTP::redirect "https://[HTTP::host]/index_out.html"
}
else {
HTTP::redirect "https://[HTTP::host]/index_out.html"
}
}
Any help?
Thanks
ronak
Juerg_WiesmannHi ronak
408 means Request Timeout
409 stands for conflict
use HTTP Watch or (HTTP Fox on Firefox) to see if you receive the correct headers.
login to BIG-IP using SSH and do a tail -f /var/log/ltm when using the underneeth iRule
the log local0. statements are very helpful for troubleshooting, but should be removed for live trafficwhen HTTP_REQUEST { if {[HTTP::cookie exists "User-Name"] }{ log local0. "Cookie-Is-there" if {[HTTP::uri] ends_with "index_out.html" }{ log local0. "URI is [HTTP::uri]" pool my_web } } elseif {[HTTP::uri] contains "xyz"}{ HTTP::redirect "https://[HTTP::host]/index_out.html" log local0. "Redirect1 is https://[HTTP::host]/index_out.html" } else { HTTP::redirect "https://[HTTP::host]/index_out.html" log local0. "Redirect2 is https://[HTTP::host]/index_out.html" } }
Ronak_79648thanks for prompt reply. the header looks like
DateMon, 05 Jan 2009 16:53:14 GMT
ServerApache/2.0.59 (Unix) DAV/2
Set-CookieJSESSIONID=KXNZGSRJFOT3WCQIZHRCF3Q; path=/
Keep-Alivetimeout=15, max=97
ConnectionKeep-Alive
Transfer-Encodingchunked
Content-Typetext/html
Request Headers
Host162.1.1.41
User-AgentMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accepttext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Languageen-us,en;q=0.5
Accept-Encodinggzip,deflate
Accept-CharsetISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive300
Connectionkeep-alive
Refererhttps://IP/index_out.html
Cookie__utma=78473748.155974282.1228761532.1228761532.1230664417.2; __utmz=78473748.1228761532.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); User-Name=Rshah@clarian.org
The Params
_DARGS/clarian/layoutTemplates/html/access/loginForm.jsp
The Response
Firebug needs to POST to the server to get this information for url:
https://IP/portal/intranet/home?_DARGS=/clarian/layoutTemplates/html/access/loginForm.jsp
This second POST can interfere with some sites. If you want to send the POST again, open a new tab in Firefox, use URL 'about:config', set boolean value 'extensions.firebug.allowDoublePost' to true
This value is reset every time you restart Firefox This problem will disappear when https://bugzilla.mozilla.org/show_bug.cgi?id=430155 is shipped.
this what i see in log
Jan 5 12:13:52 tmm tmm[1077]: Rule rule_my_access : URI is /index_out.html
Jan 5 12:13:52 tmm tmm[1077]: Rule rule_my_access : URI is /portal/layoutTemplates/css/npcssimg/pageBackground.gif
Jan 5 12:13:52 tmm tmm[1077]: Rule rule_my_access : URI is /portal/layoutTemplates/css/npcssimg/contentBackgroundFull.gif
Jan 5 12:13:52 tmm tmm[1077]: Rule rule_my_access : URI is /portal/layoutTemplates/images/newpulse/pulseLogo.gif
Jan 5 12:13:52 tmm tmm[1077]: Rule rule_my_access : URI is /portal/layoutTemplates/css/npcssimg/featureBackground.gif
Jan 5 12:14:11 tmm tmm[1077]: Rule rule_my_access : URI is /portal/intranet/home?_DARGS=/clarian/layoutTemplates/html/access/loginForm.jsp
Thank you.- Ronak_79648Also, here is how it works in 4.x
when user submits the form index_out.html server checks id password and after authentication success it sends user to success url and also sends cookie "User-Name". - Juerg_Wiesmann
when HTTP_REQUEST { if {[HTTP::cookie exists "User-Name"] }{ if {[HTTP::uri] ends_with "index_out.html" }{ log local0. "URI is [HTTP::uri]" pool my_web} if {[HTTP::uri] ends_with "loginForm.jsp" }{ pool my_web} if {[HTTP::uri] ends_with ".gif"}{ pool my_web} } elseif {[HTTP::uri] contains "xyz"}{ HTTP::redirect "https://[HTTP::host]/index_out.html" log local0. "Redirect1 is https://[HTTP::host]/index_out.html" } else { HTTP::redirect "https://[HTTP::host]/index_out.html" log local0. "Redirect2 is https://[HTTP::host]/index_out.html" } }
or you could usewhen HTTP_REQUEST { if {[HTTP::cookie exists "User-Name"] }{ if {[HTTP::uri] ends_with "index_out.html" or [HTTP::uri] ends_with "loginForm.jsp" or [HTTP::path] ends_with ".gif"} { log local0. "URI is [HTTP::uri]" pool my_web} } elseif {[HTTP::uri] contains "xyz"}{ HTTP::redirect "https://[HTTP::host]/index_out.html" log local0. "Redirect1 is https://[HTTP::host]/index_out.html" } else { HTTP::redirect "https://[HTTP::host]/index_out.html" log local0. "Redirect2 is https://[HTTP::host]/index_out.html" } }
or even simplerwhen HTTP_REQUEST { if {[HTTP::cookie exists "User-Name"] }{ if {[HTTP::uri] ends_with "index_out.html" or [HTTP::uri] ends_with "loginForm.jsp" or [HTTP::path] ends_with ".gif"} { pool my_web} } else { HTTP::redirect "https://[HTTP::host]/index_out.html" } } - Ronak_79648I think I am not explaining it right. The way code is suggested it will go in infinite re-direct loop as when client first request login page cookie is not there.
The way it needs to be is request for login page is always allowed. after successful authentication cookie is sent to client and all other request is allowed till cookie times out. - Juerg_WiesmannIn that case give it another try:
when HTTP_REQUEST { if {[HTTP::cookie exists "User-Name"] or [HTTP::uri] ends_with "index_out.html" or [HTTP::uri] ends_with "loginForm.jsp" or [HTTP::path] ends_with ".gif"} { log local0. "URI is [HTTP::uri]" pool pool_hackit} else { HTTP::redirect "https://[HTTP::host]/index_out.html"} } - Ronak_79648I tried this before i tried elseif. when i use if else stmt i get this error
01070151:3: Rule [rule_web_access] error:
line 6: [undefined procedure: else] [else {
HTTP::redirect "https://[HTTP::host]/index_out.html"
} ] - Juerg_WiesmannThis normally happens when a } missmatch exists.
Use the iruleEditor to write and verify the iRules.
The underneeth iRule is tested and works. (without errors)
"I think there was a space after pool pool_hackit} but shouldn´t"when HTTP_REQUEST { if {[HTTP::cookie exists "User-Name"] or [HTTP::uri] ends_with "index_out.html" or [HTTP::uri] ends_with "loginForm.jsp" or [HTTP::path] ends_with ".gif"} { pool pool_hackit} else {HTTP::redirect "https://[HTTP::host]/index_out.html"} } - Ronak_79648From where i can get iruleEditor? I added this -- the one you suggested earlier as if {[HTTP::cookie exists "User-Name"] }{
if {[HTTP::uri] ... would go in re-direct loop.
when HTTP_REQUEST {
if {[HTTP::uri] ends_with "index_out.html" or [HTTP::uri] ends_with "loginForm.jsp" or [HTTP::path] ends_with ".gif" or [HTTP::cookie exists "User-Name"] } {
log local0. "URI is [HTTP::uri]"
pool pool_pluse_web
} else {
HTTP::redirect "https://[HTTP::host]/index_out.html"
}
}
The log looks like this
Jan 5 17:02:21 tmm tmm[1077]: Rule rule_pulse_access : URI is /index_out.html
Jan 5 17:02:50 tmm tmm[1077]: Rule rule_pulse_access : URI is /portal/intranet/home?_DARGS=/clarian/layoutTemplates/html/access/loginForm.jsp
The result is same as before -- 409.
Thank you for your help. - You can get the iRule editor in the Labs section of DevCentral, here - Click here
The code you're trying looks fine, though, so I'm not sure where the 409 response is coming from. I might try adding some parenthesis to clear up the logic flow a bit, like this:when HTTP_REQUEST { if { ([HTTP::uri] ends_with "index_out.html") or ([HTTP::uri] ends_with "loginForm.jsp") or ([HTTP::path] ends_with ".gif") or ([HTTP::cookie exists "User-Name"]) } { log local0. "URI is [HTTP::uri]" pool pool_pluse_web } else { HTTP::redirect "https://[HTTP::host]/index_out.html" } }
I also noticed that you have "pluse" for a pool name in the iRule instead of "pulse", but that would throw a different error at compile if the pool name didn't match. Other than that though, it looks fine.
Colin
