Forum Discussion
iRule disable ASM and close TCP connection
I'm referring to example 1 on https://devcentral.f5.com/wiki/irules.asm__disable.ashx
This lets me disable ASM when a certain condition, e.g. an HTTP::path, matches. But the documentation also states that ASM is then disabled for the "duration of the TCP connection or until ASM::enable is called." The problem with the latter is that it doesn't allow me to use this in a generic iRule which is reusable among virtual servers with different policies.
Closing the TCP connection does not work as expected (hence it's currently commented).
The iRule looks the following and sends Letsencrypt ACME challenge requests to a certain pool:
when HTTP_REQUEST {
    if { [HTTP::path] contains "/.well-known/acme-challenge/" } {
        ASM::disable
        pool acme_pool
        # TCP::close   ;# commented out: closing the connection here does not work as expected
        event disable all
    }
}
This iRule lets an attacker bypass ASM if he starts the first request to the known path. How can I make sure ASM is only disabled for the challenge requests but enabled for everything else without knowing the policy name?
- youssef1
Hi,
I strongly advise you to use the LTM policy function to disable ASM for a specific path. It's easier to use, more optimized and more secure. Let me explain.
Every request is evaluated, unlike an iRule, which manages access by connection (each request is like a new connection):
for more info:
https://devcentral.f5.com/questions/advantages-of-local-traffic-policies-vs-irules
So you can achieve your need using ltm POLICIES: Local Traffic ›› Policies : Policy List
let me know if you need more details.
regards,
Hi Lopf,
But the documentation also states, that ASM is then disabled for the "duration of the TCP connection or until ASM::enable is called."
You can pretty much ignore the (slightly outdated) documentation. The mentioned statement was true at the time HTTP-Class was used to assign ASM Policies.
Since v11.4 LTM Policies are used to enable and assign a given ASM Policy. The LTM Policies are operating on a per-request level and therefore revert your ASM::disable command and reselect the default ASM Policy on the very next request of the same underlying TCP connection.
when HTTP_REQUEST {
    if { [HTTP::path] contains "/.well-known/acme-challenge/" } {
        ASM::disable
    } else {
        # You don't have to care about re-enabling ASM. Your LTM Policy already did that...
    }
}
Cheers, Kai
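The following iRule is an added example, not code from the thread or from F5. It applies Kai's point (no ASM::enable, no TCP::close, the LTM policy re-attaches the ASM policy on the next request) and additionally tightens the match that the original poster worried about: the path check is anchored with starts_with instead of contains, so a request whose path merely contains the challenge string somewhere in the middle is still inspected, and only GET requests (the only method an ACME HTTP-01 validator uses) are exempted. The pool name acme_pool comes from the thread; the log facility/level is an assumption.

```tcl
# Added example (not from the original thread): per-request ASM bypass limited
# strictly to ACME HTTP-01 challenge requests.
# Assumes: pool acme_pool exists, and an LTM policy attaches the ASM policy
# to the virtual server so it is re-applied on every subsequent request.
when HTTP_REQUEST {
    # Anchor the match at the start of the path: "contains" would also exempt
    # e.g. /app/.well-known/acme-challenge/x, which should stay protected.
    # Restrict to GET, the only method the ACME validator sends.
    if { [HTTP::method] equals "GET" &&
         [HTTP::path] starts_with "/.well-known/acme-challenge/" } {
        ASM::disable
        pool acme_pool
        # Record every bypass so it is visible in /var/log/ltm (facility/level assumed).
        log local0.info "ASM bypassed for ACME challenge [HTTP::path] from [IP::client_addr]"
        return
    }
    # Nothing else to do: no ASM::enable and no TCP::close. The LTM policy
    # selects the default ASM policy again on the next request of this connection.
}
```

Because the decision is made per request, a client that sends a challenge-path request first and an application request second on the same connection gets the second request inspected; the log line makes the exemptions auditable if you want to alert on an unusual volume of them.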