Forum Discussion
iRule that triggers a capture of the HTTP request before rejecting
I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however, we can still see the original in the XFF header. So far this iRule is working, but I would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?
Note: Credit to hoolio, https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients
when HTTP_REQUEST {
    if {[HTTP::header "X-Forwarded-For"] ne ""}{
        log local0. "XFF: [HTTP::header "X-Forwarded-For"]"
        # Strip spaces and split the comma-separated XFF chain into a Tcl list
        foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
            log local0. "Current XFF element: $xff"
            # Compare each hop against the blocked address
            if {[IP::addr $xff equals 1.2.3.4]}{
                log local0. "Sending 410 for $xff"
                HTTP::respond 410
                break
            }
        }
    }
}
- rob_carr
Why not let the request go through to ASM, block it there where you can log all illegal requests, then intercept the blocking response and re-write it to a 410?
- Stanislas_Piro2
Hi,
You can log the output of the command:
[HTTP::request]
This command returns the whole request!
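As an added example (not code from the thread), here is an iRule that combines the original XFF loop with Stanislas_Piro2's suggestion: it logs the request line and headers one entry at a time under a correlation tag before answering 410. The address 1.2.3.4 is the placeholder from the original post; the tag format is my own choice.

```tcl
# Added example, not from the original thread.
# Logs the matched request before sending the 410 so ASM policy can be tuned.
when HTTP_REQUEST {
    set xff_hdr [HTTP::header "X-Forwarded-For"]
    if { $xff_hdr eq "" } { return }

    # Normalise "a, b, c" into a Tcl list of addresses
    foreach xff [split [string map [list " " ""] $xff_hdr] ","] {
        # 1.2.3.4 is the placeholder address used in the original iRule
        if { [IP::addr $xff equals 1.2.3.4] } {
            # Correlation tag (own convention) so the per-line entries can be
            # stitched back together when reading the log
            set tag "[IP::client_addr]:[TCP::client_port]-[clock clicks]"
            log local0. "$tag blocked XFF=$xff client=[IP::client_addr] uri=[HTTP::uri]"

            # [HTTP::request] returns the raw request line and headers only;
            # capturing a POST body would additionally need HTTP::collect.
            # Syslog entries are length-limited, so log one header line per entry.
            foreach line [split [HTTP::request] "\n"] {
                set line [string trimright $line "\r"]
                if { $line ne "" } {
                    log local0. "$tag REQ: $line"
                }
            }

            HTTP::respond 410
            return
        }
    }
}
```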