Forum Discussion

Lucas_Kaczmars1's avatar
Lucas_Kaczmars1
Icon for Altostratus rankAltostratus
May 20, 2019

irule - stop processing on condition match

Hello,

I searched for this answer and I've found that using 'event disable all' should exit processing the irule below, but it still goes to the second 'if' statements and evaluates it. Can someone please let me know what's the correct way to exit processing the irule on first condition match and where should 'event disable' be located below? 

when HTTP_REQUEST {

if { (([string tolower [HTTP::host]] eq "test.website.com") and ([string tolower [HTTP::path]] starts_with "/authentication")) } {
  log local0. "Accepted request test.website.com/authentication [HTTP::uri] for client [IP::client_addr]"
  }

if { (([string tolower [HTTP::host]] eq "test.website.com")) } 
{
  log local0. "Rejected request test.website.com [HTTP::uri] for client [IP::client_addr]"
  reject
  }
}
iRules
LTM
Security
  • Lee_Sutcliffe's avatar
    Lee_Sutcliffe
    May 20, 2019

    You could rewrite the iRule using nested 'if' statements so you don't need a return, that way, you only check the host header once

    when HTTP_REQUEST {
    if {[string tolower [HTTP::host]] eq "test.website.com"} {
        if {[string tolower [HTTP::path]] starts_with "/authentication"} {
            log local0. "Accepted request test.website.com/authentication [HTTP::uri] for client [IP::client_addr]"
        } else {
            log local0. "Rejected request test.website.com [HTTP::uri] for client [IP::client_addr]"
            reject
        }
    }
}
  • Lee_Sutcliffe's avatar
    Lee_Sutcliffe
    Icon for Nacreous rankNacreous
    May 20, 2019

    You could rewrite the iRule using nested 'if' statements so you don't need a return, that way, you only check the host header once

    when HTTP_REQUEST {
    if {[string tolower [HTTP::host]] eq "test.website.com"} {
        if {[string tolower [HTTP::path]] starts_with "/authentication"} {
            log local0. "Accepted request test.website.com/authentication [HTTP::uri] for client [IP::client_addr]"
        } else {
            log local0. "Rejected request test.website.com [HTTP::uri] for client [IP::client_addr]"
            reject
        }
    }
}
  • Lee_Sutcliffe's avatar
    Lee_Sutcliffe
    Icon for Nacreous rankNacreous
    May 20, 2019

    If you only have one iRule applied to the virtual server and you just want to stop processing the iRule. you can use

    'return'

     

    However you do not need the first 'if' condition as you are not doing anything once the 'if' block is evaluated.

    You can just use the second 'if' condition

  • Lucas_Kaczmars1's avatar
    Lucas_Kaczmars1
    Icon for Altostratus rankAltostratus
    May 20, 2019

    Hi Lee,

    Thanks for your reply. My goal is to allow everyone asking for test.website.com/authentication and deny everybody else asking for test.website.com. Is this the way to do it using 'return'? I want to be able to log requests for test.website.com/authentication so can I still keep the first 'if' statement? 

    when HTTP_REQUEST {
 
if { (([string tolower [HTTP::host]] eq "test.website.com") and ([string tolower [HTTP::path]] starts_with "/authentication")) } {
  log local0. "Accepted request test.website.com/authentication [HTTP::uri] for client [IP::client_addr]"
 return
  }
 
if { (([string tolower [HTTP::host]] eq "test.website.com")) } 
{
  log local0. "Rejected request test.website.com [HTTP::uri] for client [IP::client_addr]"
  reject
  }
}