For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

karthik_sriniva's avatar
karthik_sriniva
Icon for Nimbostratus rankNimbostratus
Nov 30, 2005

iRule return not working

I have the following iRule

 

 

when HTTP_REQUEST_SEND {

 

if ( <> } {

 

return

 

}

 

}

 

 

I want to present the request from getting to the backend server. But the return is not working. The request goes to the backend server.

 

 

Is thereway to prevent it

 

 

Thanks,

 

Karthik
application delivery
dev
devops
iRules

3 Replies

  • rapmaster_c_127's avatar
    rapmaster_c_127
    Historic F5 Account
    Nov 30, 2005
    Well, rules are generally non-terminating with respect to the context of the connection, unless you explicitly stop the state-engine or divert it to another state - neither of which you have done here in your rule. Returning above just terminates the rule in this event handler and continues to the next state.

     

     

    What would you have the rule do? Do you want to respond to the client? If so, use HTTP::respond. Would you like to close the connection? If so, use HTTP::close. Basically, tell the BIG-IP what you would like to do. Simply returning from the rule will make it continue on, as if you had any other non-terminating statement in there (e.g. log).
  • karthik_sriniva's avatar
    karthik_sriniva
    Icon for Nimbostratus rankNimbostratus
    Nov 30, 2005
    Thanks for your quick response.

     

     

    I have custom authentication implementation with LDAP. When Authentication fails, I am setting one of the rule variable to a particular value in AUTH_FAILURE, so in the HTTP_RESPONSE event I can redirect the user to particular page.

     

    This works, but the request goes to the backend server and the backend server is expecting the authentication credentials which is not set so an exception thrown. My understanding is, HTTP_REQUEST_SEND is the event which contacts the backend server for data. So I was wondering if I check the variable value in HTTP_REQUEST_SEND and if it's equal to the value set in AUTH_FAILURE event, I am trying to return out of this event, so BigIp will exit out of the HTTP_REQUEST_SEND with out contacting the backend server. But for some reason it does not exit with out connecting to the backend server.

     

     

    Is there a way to make it return out of HTTP_REQUEST_SEND with out making the backend connection?

     

  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    Dec 06, 2005
    You need to actually generate a response to the client though. This is what HTTP::respond would do. The "return" command simply finishes the rule processing, it doesn't actually do anything else. That is why rapmaster_c was recommending you to use something like: reject or HTTP::respond or HTTP::redirect. Those are actions that will cause the connection to the client to be completed and closed or reset.