HTTP::respond over SSL
I have an iRule on an HTTPS virtual server that uses HTTP::respond. When I make a request to this virtual server that hits the iRule I get an SSL error. Do I have to do anything extra to get the response generated by HTTP::respond to be encrypted?
    when HTTP_REQUEST {
        set allowed {PUT POST GET DELETE}
        if { [lsearch $allowed [HTTP::method]] < 0 } {
            log local0. "HTTP [HTTP::method] REJECTED!"
            HTTP::respond 405 content "Method not allowed"
        }
    }
What I'm seeing from curl
* SSLRead() return error -9806
* Closing connection 0
curl: (56) SSLRead() return error -9806
- Kevin_Stewart (Employee)
Do you have an HTTP profile applied to the VIP? Do you have a client SSL profile applied to the VIP?
- Adam_Burnett_18 (Nimbostratus)
Yes, sorry I forgot to mention that. Yes to both. If I make a request that doesn't trigger the iRule the response comes back fine.
- Kevin_Stewart (Employee)
The iRule should always be triggered for HTTP requests. Try adding some logging.
    when HTTP_REQUEST {
        log local0. "here: [HTTP::method]"
        set allowed {PUT POST GET DELETE}
        if { [lsearch $allowed [HTTP::method]] < 0 } {
            log local0. "HTTP [HTTP::method] REJECTED!"
            HTTP::respond 405 content "Method not allowed"
        }
    }
- IheartF5_45022 (Nacreous)
Do you have code you aren't showing us AFTER the HTTP::respond? Try adding in return immediately after HTTP::respond and see if that fixes things.
- Adam_Burnett_18 (Nimbostratus)
@Kevin - sorry, by "trigger" I meant a request that enters the if. The rule is in fact being run for all requests.
@IheartF5 - I don't follow why return would help in this case.
- IheartF5_45022 (Nacreous)
Because you can't execute any other iRule commands after HTTP::respond - they will all fail. You need to cease iRule processing for that event, either by using *return* or *event disable*.
- Adam_Burnett_18 (Nimbostratus)
Thanks for the explanation, makes sense.
- Kevin_Stewart (Employee)
Have you checked the LTM log (/var/log/ltm)? If there's an issue with the iRule logic, it'll usually log an error.
- Adam_Burnett_18 (Nimbostratus)
Took another look in there. Turns out adding my rule above was causing an HTTP::header insert in another rule further down the line to fail. All is well now. Thanks!
- Brad_Parker (Cirrus)
Rather than setting a variable with every request why not use a data group containing your allowed verbs with something like this?
    when HTTP_REQUEST {
        if { not ([class match [HTTP::method] equals allowed_verbs]) } {
            HTTP::respond 405 noserver
        }
    }
- Adam_Burnett_18 (Nimbostratus)
No reason other than my being new to the platform. Thanks for the suggestion.
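The thread's suggestions combined (data group lookup, stopping processing after HTTP::respond), as an added example that is not code posted by any participant. It assumes allowed_verbs is a string data group holding GET, POST, PUT and DELETE; the second rule and its X-Forwarded-Proto header are hypothetical stand-ins for the "rule further down the line".

```tcl
# Rule 1: method allow-list. A low priority number makes it run before
# other HTTP_REQUEST handlers on the same virtual server.
when HTTP_REQUEST priority 100 {
    if { not [class match [HTTP::method] equals allowed_verbs] } {
        log local0. "HTTP [HTTP::method] REJECTED from [IP::client_addr]"

        # Allow tells the client which methods are accepted.
        # Connection: close asks for the connection to be torn down after
        # this response, because "event disable" below applies to the rest
        # of the connection and would otherwise also skip this check for
        # later keep-alive requests.
        HTTP::respond 405 content "Method not allowed" noserver \
            "Allow" "GET, POST, PUT, DELETE" \
            "Connection" "close"

        # Stop HTTP_REQUEST handlers in other iRules from running for this
        # request, then leave this handler.
        event disable
        return
    }
}

# Rule 2 (hypothetical): a separate iRule that modifies the request.
# Without the "event disable" in rule 1 this handler would still run after
# the 405 had been sent, which is the failure described in the thread.
when HTTP_REQUEST priority 500 {
    HTTP::header insert "X-Forwarded-Proto" "https"
}
```

After deploying, send a request with a method outside the data group and confirm /var/log/ltm shows only the REJECTED line, with no TCL error from the second rule.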