iRule to disable APM not working as expected
when HTTP_REQUEST {
    set header [HTTP::header "User-Agent"]
    log local0. "Before Match --- Header is: $header"
    if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x" && [string tolower [HTTP::uri]] equals "/ews/exchange.asmx"} {
        ACCESS::disable
        log local0. "one time"
        log local0. "URI: [HTTP::uri]"
        pool /Common/exchange.app/exchange_oa_pool6
    }
}
- Rabbit23_116296 (Nimbostratus): Cannot save or edit the post so: APM is still causing grief for Mac clients. I am trying to disable the policy for Mac User-Agent headers. This is killing the session but resulting in an APM loop (it just creates an immediate subsequent session ID). Any ideas?
- Michael_Jenkins (Cirrostratus)
If your request has any of the apm cookies, you may need to remove them from that request. I've had weird issues like that.
so, perhaps your iRule could do something like this:
when HTTP_REQUEST {
    if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x" && [string tolower [HTTP::uri]] equals "/ews/exchange.asmx"} {
        log local0. " Disable access for [HTTP::uri]"
        ACCESS::disable
        HTTP::cookie remove "MRHSession"
        HTTP::cookie remove "LastMRH_Session"
    } else {
        log local0. " [HTTP::uri]"
    }
}
- kunjan (Nimbostratus)
May want to try with
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable }
- Rabbit23_116296 (Nimbostratus): Don't I need to have an iRule event in the access policy event for this then?
- kunjan (Nimbostratus): Not required.
Which version of TMOS? I experienced having to build in a timer in a similar situation before 11.4.
Are you sure there are any requests to other URI also?
- Rabbit23_116296 (Nimbostratus)
when HTTP_REQUEST {
    set u [HTTP::header "User-Agent"]
    set uru [HTTP::uri]
    log local0.notice "user agent: $u and uri: $uru"
    if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x" } {
        ACCESS::disable
    }
}
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
Doesn't work and ltm logging shows only:
Apr 7 10:29:29 loadbalancerhostname.something notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : user agent: Mac OS X/10.10.2 (14C1514); ExchangeWebServices/5.0 (213); Mail/8.2 (2070.6) and uri: /EWS/exchange.asmx
Apr 7 10:29:29 loadbalancerhostname.something notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : user agent: Mac OS X/10.10.2 (14C1514); ExchangeWebServices/5.0 (213); Mail/8.2 (2070.6) and uri: /EWS/exchange.asmx
Apr 7 10:29:30 loadbalancerhostname.something notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : user agent: Mac OS X/10.10.2 (14C1514); ExchangeWebServices/5.0 (213); Mail/8.2 (2070.6) and uri: /EWS/exchange.asmx
Apr 7 10:29:30 loadbalancerhostname.something notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : user agent: Mac OS X/10.10.2 (14C1514); ExchangeWebServices/5.0 (213); Mail/8.2 (2070.6) and uri: /EWS/exchange.asmx
Apr 7 10:29:30 loadbalancerhostname.something notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : user agent: Mac OS X/10.10.2 (14C1514); ExchangeWebServices/5.0 (213); Mail/8.2 (2070.6) and uri: /EWS/exchange.asmx
- MallariYap_1963 (Nimbostratus): still hard to get
- kunjan (Nimbostratus)
It should hit pool configured for the virtual server without creating access session. What do you expect in the logs?
- Rabbit23_116296 (Nimbostratus): What I expect in the logs is what I see and posted for everyone's clarity. It hits the pool just fine but my problem is the access session gets created!
- kunjan (Nimbostratus)
Tested the following iRule with curl
curl -k -L https://10.2.60.70
when HTTP_REQUEST {
    set u [HTTP::header "User-Agent"]
    set uru [HTTP::uri]
    log local0.notice "user agent: $u and uri: $uru"
    if {[string tolower [HTTP::header "User-Agent"]] contains "curl" } {
        ACCESS::disable
    }
}
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when ACCESS_SESSION_STARTED {
    log local0.notice "Access session started"
}
Apr 8 22:03:50 bigip6 notice tmm1[15943]: Rule /Common/accessDisable : user agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1j zlib/1.2.3 libidn/0.6.5 and uri: /
The logs don't have the "Access session started" message. Is there anything else done in your iRule?
- Rabbit23_116296 (Nimbostratus)
Hey, thanks for taking the time to reproduce, though my behaviour is different. I've added when ACCESS_SESSION_STARTED and I do see the session, even when simply trying the [HTTP::host][HTTP::uri] directly from a web browser.
Apr 8 16:08:17 lhr4-exlb-01 notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : hey I found a Mac so Disabling Acces policy...CLIENT IP 10.164.4.23 user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0 and uri: /ews/exchange.asmx
Apr 8 16:08:17 lhr4-exlb-01 notice tmm2[18680]: Rule /Common/OS-X_Kill_Preauth : Access session started for 10.164.4.23 and user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
iRule:
when HTTP_REQUEST {
    set u [HTTP::header "User-Agent"]
    set uru [HTTP::uri]
    log local0.notice "user agent: $u and uri: $uru"
    if {[string tolower [HTTP::header "User-Agent"]] contains "mac os x" } {
        ACCESS::disable
        log local0.notice "hey I found a Mac so Disabling Acces policy...CLIENT IP [IP::client_addr] user agent: $u and uri: $uru"
    }
}
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when ACCESS_SESSION_STARTED {
    log local0.notice "Access session started for [IP::client_addr] and user agent: [HTTP::header "User-Agent"]"
}