For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sabir_Alvi's avatar
Sabir_Alvi
Icon for Altocumulus rankAltocumulus
Apr 27, 2021

iRule to deny not working as expected (http 403 response not working)

So, we have been using iRules for many years to manage whitelisting of application access based on incoming source IP and strings in URL. When the request doesn't match, an HTTP 403 response is sent ...
application delivery
BIG-IP
iRules
spalande's avatar
spalande
Icon for Nacreous rankNacreous
Apr 27, 2021

This should work and give standard browser error for 403. But if it's not working in your case, you can try sending a content to the client in the iRule. Also, please replace matchclass with class match syntax as matchlass has been deprecated

when HTTP_REQUEST {
    if { ([class match [string tolower [HTTP::uri]] contains "XYZ_Strings"]) and !([class match [IP::remote_addr] equals "ABC_IPs"]) } {
  HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
	}
}

You can also send custom html page from ifile stored on BIGIP

Sabir_Alvi's avatar
Sabir_Alvi
Icon for Altocumulus rankAltocumulus
Apr 27, 2021

Hi Sanjay, thanks for the reply. I tried it, did not work, same response as before even with using content in the syntax.

  • spalande's avatar
    spalande
    Icon for Nacreous rankNacreous
    Apr 27, 2021

    Did you change syntax to class match? Please change it to class match.

    ​Also, would suggest to enable logging in iRule and check for ​the http trace in developer tools in browser or using fiddler/http watch. Which response code and content do you see there?

  • Sabir_Alvi's avatar
    Sabir_Alvi
    Icon for Altocumulus rankAltocumulus
    Apr 27, 2021

    Yes, I have changed syntax to use class match. Please see the trace captured in the browser developer tool below.

     

  • spalande's avatar
    spalande
    Icon for Nacreous rankNacreous
    Apr 27, 2021

    Can you modify iRule to below and test again? 

    when HTTP_REQUEST {
    if { ([class match [string tolower [HTTP::uri]] contains "XYZ_Strings"]) and !([class match [IP::remote_addr] equals "ABC_IPs"]) } {
  HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
return
	}
}

    also, do you have any other iRule on the VIP that's conflicting here?

    If ​this still doesn't work for you, you might want to log a case with F5 support. Meanwhile, you can enable some logging in iRule, capture the tcpdump and ssldump to analyse it.

  • Sabir_Alvi's avatar
    Sabir_Alvi
    Icon for Altocumulus rankAltocumulus
    Apr 28, 2021

    I modified the iRule (I think I just had to add "return" at the end, still same issue.

    Yes, there are other iRules but this whitelisting iRule is first in order so I don't think it is even getting to the next one to cause issues.

    I will see if I can open a case with F5 support.

    Appreciate your efforts to check this, thank you!

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Apr 28, 2021

    does the the /var/log/ltm show something with any of the irules on the virtual server?