Forum Discussion
HTTP::Respond not working with reject
Guys, I have exhausted all options and done all the hit and trial but could not make it work, so I am coming to you guys. I have an iRule that triggers when an HTTP request comes in the form of an XML packet. I am using a data group for the accept/reject decision. The issue is:
1. If I use "reject" in HTTP_RESPONSE with an F5 HTTP response HTML splash page, it sends the message to the browser saying "the transaction has been denied" to the end user, but as the "reject" is used in the HTTP_RESPONSE event, the transaction still goes through via "HTTP_REQUEST_DATA", so clearly not what I want to achieve.
2. If I use "reject" in HTTP_REQUEST_DATA, the transaction is denied as expected but the splash page didn't work.

I have tried to use "drop", "discard", "HTTP_CLOSE" but nothing works.
Hoping for some expert advice here... iRule below.
- khurram_CISSP_C
Nimbostratus
The specific iRule parts are below:

```tcl
when RULE_INIT {
    # Log debug to /var/log/ltm? 1=yes, 0=no
    set static::debug 0
}
when HTTP_REQUEST {
    # Collect up to the first 1MB of POST data
    log local0. "Checking post method [HTTP::method] uri: [HTTP::uri] http_version: [HTTP::version] IP: [IP::client_addr]"
    log local0. "Headers: [HTTP::request]"
    if {[HTTP::method] eq "POST"} {
        # Check if there is a content-length header and the value is set to less than 1Mb
        if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 10048576} {
            set clength [HTTP::header "Content-Length"]
        } else {
            set clength 10048576
        }
        log local0. "Checking content length $clength IP: [IP::client_addr]"
        if { $clength > 0} {
            if {$static::debug} {log local0. "[virtual name]: Collecting $clength bytes IP: [IP::client_addr]"}
            # Collect the capped length computed above
            HTTP::collect $clength
        }
    }
}
when HTTP_REQUEST_DATA {
    # incoming data
    log local0. "$[HTTP::payload]"
    set vendoridincoming [findstr [HTTP::payload] "BuyerCookie" 12 100]
    log local0. "Vendorid from live incoming request is $vendoridincoming"
    # Save a class name to search through
    set class_name Vendorlist
    log local0. "$class_name"
    set success 0
    # Save a search ID for the datagroup
    set id [class startsearch $class_name]
    log local0. "$id"
    set vendorlistsize 0
    log local0. "$vendorlistsize"
    # Loop through the class row by row
    while {[class anymore $class_name $id]} {
        set element [class nextelement $class_name $id]
        # Brackets escaped so the label is logged literally and the search is not advanced a second time
        log local0. "\[class nextelement $class_name $id\]: $element"
        set vendorid [class element -name $vendorlistsize $class_name]
        set vendorsharedsecret [class element -value $vendorlistsize $class_name]
        log local0. "vendorid at position $vendorlistsize is $vendorid"
        log local0. "vendorsharedsecret at position $vendorlistsize is $vendorsharedsecret"
        if {$vendoridincoming contains $vendorid} {
            log local0. "Incoming Vendor id matched with $vendorid"
            if {[HTTP::payload] contains $vendorsharedsecret} {
                log local0. "Incoming Vendor Shared Secret matched with $vendorsharedsecret"
                set success 1
                break
            }
        }
        incr vendorlistsize
        unset vendorid
        unset vendorsharedsecret
    }
    # Clean up the search
    class donesearch $class_name $id
    if {$success==1} {
        reject
        HTTP::respond 200 content {
            Access Denied
            You have attempted an authorised access to this site
            Your attempt has been logged and may be prosecuted.
        }
    }
}
when HTTP_RESPONSE {
    log local0. "In http response"
    log local0. "succes at start of http response is $success"
    if {$success == 1} {
        log local0. "Vendor matched"
        log local0. "succes at if success is $success"
    } else {
        log local0. "Vendor Shared Secret not matched"
        log local0. "succes at else failure response is $success"
        HTTP::respond 200 content {
            Access Denied
            You have attempted an authorised access to this site
            Your attempt has been logged and may be prosecuted.
        }
        reject
    }
}
```

- khurram_CISSP_C
Nimbostratus
As you can see above, I have used reject in both "HTTP_REQUEST_DATA" and "HTTP_RESPONSE". What this does right now is:
- Reject the transaction as expected (from the reject in HTTP_REQUEST_DATA)
- will not display the splash page from HTTP_REQUEST_DATA
- will terminate the iRule and not even go into the HTTP_RESPONSE event, so the splash page is never sent back

So the logical outcome works, the cosmetics around sending a splash page for user experience didn't.
- khurram_CISSP_C
Nimbostratus
Just an FYI guys that I have solved the issue using TCP::close.
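
An added example, not part of the thread and not the poster's final rule: one way to send the splash page from HTTP_REQUEST_DATA and then end the connection with the TCP::close fix reported above, rather than reject. It assumes the thread's Vendorlist data group (name = vendor id, value = shared secret), that a request is denied when no entry matches, and a 403 status and 1 MB collection cap chosen for illustration.

```tcl
# Added example (assumptions: data group "Vendorlist" holds vendor id -> shared secret;
# a request is allowed only when both the id and its secret appear in the payload).
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Cap collection at 1 MB so a large or missing Content-Length cannot exhaust memory
        set clength 1048576
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set clength [HTTP::header "Content-Length"]
        }
        if { $clength > 0 } {
            HTTP::collect $clength
        }
    }
}
when HTTP_REQUEST_DATA {
    # Same extraction as in the thread: 100 characters starting 12 past "BuyerCookie"
    set vendoridincoming [findstr [HTTP::payload] "BuyerCookie" 12 100]
    # Shared secret of the first data-group entry whose name occurs in the extracted id
    set secret [class match -value $vendoridincoming contains Vendorlist]
    if { $secret ne "" && [HTTP::payload] contains $secret } {
        # Allowed: leave the event and let the request continue to the pool
        return
    }
    log local0. "Denied request from [IP::client_addr] uri: [HTTP::uri]"
    # Answer from the BIG-IP itself; the collected request is not forwarded to the pool
    HTTP::respond 403 content {<html><body><h1>Access Denied</h1><p>Your attempt has been logged.</p></body></html>} "Content-Type" "text/html" "Connection" "close"
    # Close the client connection after responding, in place of reject
    TCP::close
}
```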