Forum Discussion

pwallace_110041
Jan 30, 2015

iRule that drops only vpn connections

The following iRule sends only RST to clients that connect via VPN, but all other users get a 301 redirect and then the connection closes.

 

Running BIG-IP 10.2.3 Build 123.110 Engineering Hotfix HF1

 

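    when HTTP_REQUEST {
        # GET requests, and any request under /cx/facebook/, are redirected to the same host and URI over HTTPS
        if { [HTTP::method] eq "GET" or [HTTP::uri] starts_with "/cx/facebook/" } {
            # Strip any :port from the Host header before building the redirect target
            set url https://[getfield [HTTP::host] ":" 1][HTTP::uri]
            HTTP::respond 301 noserver "Location" "$url" "Connection" "close"
        } else {
            # Everything else is refused with a 405
            HTTP::respond 405 content { SSL Required
    you must use ssl to access this resource } noserver "Connection" "close"
        }
    }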

 

  • Can you provide a little clarification for your questions? Are you saying this iRule does this, or are you looking for help making the iRule reject clients that come in via VPN?
  • The iRule currently rejects only VPN clients, but I don't want it to reject anyone, only redirect to HTTPS.

     

  • If you change your iRule and remove the noserver from the responds, does it make a difference?

    when HTTP_REQUEST { 
        if { [HTTP::method] eq "GET" or [HTTP::uri] starts_with "/cx/facebook/" } { 
            set url "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
            HTTP::respond 301 "Location" "$url" "Connection" "close" 
        } else { 
            HTTP::respond 405 content { you must use ssl to access this resource } "Connection" "close" 
        }
    }
    
  • We took out all iRules that followed this rule from the vip and that kept the VPN connections from being closed.

     

    Still not sure why this would only affect vpn connections but we did get around this.

     

    • Michael_Jenkins
      Were your other iRules doing any dropping or redirecting in addition to this one? Also, you could add "event all disable" after the HTTP::respond in this iRule and see if that helps resolve the issue after adding the other iRules back on?