I have an iRule on an HTTPS virtual server that uses HTTP::respond. When I make a request to this virtual server that hits the iRule I get an SSL error. Do I have to do anything extra to get the response generated by HTTP::respond to be encrypted? when HTTP_REQUEST { set allowed {PUT POST GET DELETE} if { [lsearch $allowed [HTTP::method]] < 0 } { log local0. "HTTP [HTTP::method] REJECTED!" HTTP::respond 405 content "Method not allowed" } } What I'm seeing from curl * SSLRead() return error -9806 * Closing connection 0 curl: (56) SSLRead() return error -9806

Do you have an HTTP profile applied to the VIP? Do you have a client SSL profile applied to the VIP?

Yes, sorry I forgot to mention that. Yes to both. If I make a request that doesn't trigger the iRule the response comes back fine.

Do you have you aren't showing us AFTER the HTTP::respond? Try adding in return immediately after HTTP::respond and see if that fixes things.

@Kevin - sorry, by "trigger" I meant a request that enters the if. The rule is in fact being run for all requests. @IheartF5 - I don't follow why return would help in this case.

HTTP::respond over SSL

when HTTP_REQUEST { set allowed {PUT POST GET DELETE} if { [lsearch $allowed [HTTP::method]] < 0 } { log local0. "HTTP [HTTP::method] REJECTED!" HTTP::respond 405 content "Method not allowed" } }

13 Replies

Kevin_Stewart
Employee
Oct 01, 2015
Do you have an HTTP profile applied to the VIP? Do you have a client SSL profile applied to the VIP?
Adam_Burnett_18
Nimbostratus
Oct 01, 2015
Yes, sorry I forgot to mention that. Yes to both. If I make a request that doesn't trigger the iRule the response comes back fine.

Kevin_Stewart

Employee

Oct 01, 2015

The iRule should always being triggered for HTTP requests. Try adding some logging.

when HTTP_REQUEST {
    log local0. "here: [HTTP::method]"

    set allowed {PUT POST GET DELETE}
    if { [lsearch $allowed [HTTP::method]] < 0 } {
        log local0. "HTTP [HTTP::method] REJECTED!"
        HTTP::respond 405 content "Method not allowed"
    }
}

IheartF5_45022
Nacreous
Oct 02, 2015
Do you have you aren't showing us AFTER the HTTP::respond? Try adding in return immediately after HTTP::respond and see if that fixes things.
Adam_Burnett_18
Nimbostratus
Oct 02, 2015
@Kevin - sorry, by "trigger" I meant a request that enters the
if
. The rule is in fact being run for all requests.

@IheartF5 - I don't follow why return would help in this case.
- IheartF5_45022
  Nacreous
  Oct 02, 2015
  because you can't execute any other iRule commands after HTTP::respond - they will all fail. You need to cease iRule processing for that event, either by using *return* or *event disable*.
- Adam_Burnett_18
  Nimbostratus
  Oct 03, 2015
  Thanks for the explanation, makes sense.
Kevin_Stewart
Employee
Oct 02, 2015
Have you checked the LTM log (/var/log/ltm)? If there's an issue with the iRule logic, it'll usually log an error.
Adam_Burnett_18
Nimbostratus
Oct 02, 2015
Took another look in there. Turns out adding my rule above was causing an
HTTP::header insert
in another rule further down the line to fail. All is well now. Thanks!
Brad_Parker
Cirrus
Oct 02, 2015
Rather than setting a variable with every request why not use a data group containing your allowed verbs with something like this?

when HTTP_REQUEST { if { not ([class match [HTTP::method] equals allowed_verbs]) } { HTTP::respond 405 noserver } }
- Adam_Burnett_18
  Nimbostratus
  Oct 03, 2015
  No reason other than my being new to the platform. Thanks for the suggestion.
Brad_Parker_139
Nacreous
Oct 02, 2015
Rather than setting a variable with every request why not use a data group containing your allowed verbs with something like this?

when HTTP_REQUEST { if { not ([class match [HTTP::method] equals allowed_verbs]) } { HTTP::respond 405 noserver } }
- Adam_Burnett_18
  Nimbostratus
  Oct 03, 2015
  No reason other than my being new to the platform. Thanks for the suggestion.