Forum Discussion

jba3126's avatar
jba3126
Icon for Cirrus rankCirrus
Sep 19, 2017

iRule that triggers a capture of the HTTP request before rejecting

I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however we can still see the original in the XFF header. So far this iRule is working but would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?

Note:Credit to hoolio https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients

when HTTP_REQUEST {

   if {[HTTP::header "X-Forwarded-For"] ne ""}{

      log local0. "XFF: [HTTP::header "X-Forwarded-For"]"

      foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {

     log local0. "Current XFF element: $xff"

     if {[IP::addr $xff equals 1.2.3.4]}{
            log local0. "Sending 410 for $xff"
            HTTP::respond 410
            break
         }
      }
   }
}
  • Why not let the request go through to ASM, block it there where you can log all illegal requests, then intercept the blocking response and re-write it to a 410?

     

  • Hi,

    You can log output from command :

    [HTTP::request]
    

    This command returns the whole request!