For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Adi82_183873's avatar
Adi82_183873
Icon for Nimbostratus rankNimbostratus
Jan 23, 2015

iRule and data group not matching properly

Hi all, We have the following devices: 2 BIG-IPs version is version 11.4.1. HA enabled. Network topology is : Akamai --- BIG-IP --- WAF --- Servers HTTP The issue is : 1) We have several...
application delivery
devops
iRules
StephanManthey's avatar
StephanManthey
Icon for Nacreous rankNacreous
Jan 24, 2015

Hi Adi82,

here is a sample iRule to return a 503: 
when RULE_INIT {
     Logging/classification (on=1|off=0)
    set static::http_debug              1
    set static::error_code_version      "503"
    set static::error_page_version      "Error 505HTTP - Service Unavailable"
    set static::error_server            "Webserver"
}

when HTTP_REQUEST {
    if {  } {
        if { $static::http_debug > 0 } {
            log local0. "Returned 503 (Service Unavailable) - <[IP::client_addr]:[TCP::client_port]>"
        }
        HTTP::respond $static::error_code_version content $static::error_page_version noserver Server $static::error_server Connection close
        return
    }
}

Just put in the condition you want, please.

Regarding the question about new log messages on the Apache:

It is very likely due to using keep-alive connection and maybe OneConnect.

A changed iRule will affect new connections only. Existing connections (HTTP keep-alive) will still be handled according to the iRule applied while the TCP connection end-to-end was established.

It would be an alternative to put all logic into a single iRule and to modify a global variable to switch between policies.

Thanks, Stephan