Forum Discussion
Hello,
I have the same need and am facing the same issue: I need to change the response from the ICAP server.
Below is part of the code I use in an iRule, which works, but only when the communication uses HTTP/2.
    when ADAPT_REQUEST_RESULT {
        #Save adapt result in var
        set adaptresult [ADAPT::result]
    }
    #The HTTP_RESPONSE_RELEASE event is used as no communication
    #will go to the server when a virus is detected
    when HTTP_RESPONSE_RELEASE {
        switch -glob $adaptresult {
            "respond" {
                log local0. "ICAP - Malicious file uploaded - From: [IP::remote_addr] To: $hostname"
                #Set the response
                #It will overwrite the default response content sent by the ICAP server
                set response "
                <html>
                ...
                </html>
                "
                #Send the response to the client
                HTTP::respond 200 content $response
                return
            }
            "abort" {
                log local0. "ICAP - File too large uploaded - From: [IP::remote_addr] To: $hostname"
                #Set the response
                #It will overwrite the default response content sent by the ICAP server
                set response "
                <html>
                ...
                </html>
                "
                #Send the response to the client
                HTTP::respond 200 content $response
                return
            }
            default {
                return
            }
        }
    }
It DOES NOT WORK when HTTP/1.x comes into play.
The problem is that "HTTP::respond" is not supported in the "HTTP_RESPONSE_RELEASE" event, even if it works with HTTP/2. See: https://clouddocs.f5.com/api/irules/HTTP-RESPONSE-RELEASE.html
I opened a case with F5 for investigation, and below is the answer:
"From the previous escalation it has also been mentioned that there is no way at the moment ( meaning supported way ) to modify the response from the ICAP server before sending it to the client"
I did try some rewriting at the layer 4 level, and didn't manage to get a working solution.
It feels like it's an impossible battle.
For me, even with HTTP 1.1, this worked if the ICAP server returns HTTP data to trigger the "ADAPT_REQUEST_RESULT" event. The trick is to do a redirect in HTTP_RESPONSE_RELEASE, for example HTTP::respond 302 Location "http://www.domain.org", and this works (you can't have an HTTP body in the event, but HTTP headers are no problem). You just need to host the web pages, and that could be on the same F5 VS if you add an HTTP::uri condition in the HTTP_REQUEST event.
My issue was how to trigger a custom response page if the ICAP server returns only ICAP data and no HTTP data, and that is not possible, but for your issue there is a workaround.
- Xavier_Baugniet, Jan 11, 2023, Altocumulus
Hello Nikoolayy1
Indeed, your problem and mine are different.
As I wrote, HTTP::respond is not supported in HTTP_RESPONSE_RELEASE. Even if it looks like it works, it shouldn't. I edited my previous post to add a link to the documentation where you can find the info.
The sad thing is that the F5 doesn't trigger an error when writing the iRule with this command, while it does if I use, e.g., HTTP::redirect.
The best place would be in the ICAP_RESPONSE event, see https://clouddocs.f5.com/api/irules/ICAP_RESPONSE.html, but I haven't yet found a way to modify the payload there.
- Nikoolayy1, Jan 11, 2023, MVP
From my talks with support, what they mean when they say HTTP::respond is not supported in HTTP_RESPONSE_RELEASE is actually that you can't add or modify the HTTP body, so adding an HTTP header to redirect works, as it is not part of the body.
About "The best place would be in the ICAP_RESPONSE event": yup, as I tested with TCP::respond, it just does not work, and you can't use HTTP::respond in an ICAP event, so I gave up.
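The redirect workaround discussed in this thread (a header-only 302 from HTTP_RESPONSE_RELEASE, with the block page hosted on the same virtual server), written out as an added example that is not code from either poster or from F5. The /icap-blocked path, the reason values and the variable names are assumptions; the mapping of "respond" and "abort" follows the iRule posted above, and the thread notes that F5 documents HTTP::respond as unsupported in this event.

```tcl
# Added example, not from the thread. The /icap-blocked path, the reason
# values and the variable names are hypothetical.
when HTTP_REQUEST {
    # Reset per-request state so a keep-alive connection never reuses a verdict
    set adapt_result ""
    set client_ip [IP::client_addr]
    set req_host [HTTP::host]
    if { [HTTP::path] eq "/icap-blocked" } {
        # Map the reason to fixed text; never echo the query string into HTML
        switch -- [URI::query [HTTP::uri] reason] {
            "virus" { set msg "The uploaded file was rejected as malicious." }
            "size"  { set msg "The uploaded file is too large." }
            default { set msg "The upload was rejected." }
        }
        HTTP::respond 200 content "<html><body><p>$msg</p></body></html>" \
            "Content-Type" "text/html" "Cache-Control" "no-store"
        return
    }
}

when ADAPT_REQUEST_RESULT {
    # Save the ICAP verdict for the release event
    set adapt_result [ADAPT::result]
}

when HTTP_RESPONSE_RELEASE {
    # Verdict mapping taken from the iRule posted in the thread
    switch -- $adapt_result {
        "respond" { set reason "virus" }
        "abort"   { set reason "size" }
        default   { return }
    }
    log local0. "ICAP - upload blocked ($reason) - From: $client_ip To: $req_host"
    # Headers only, no body; relative Location so the Host header is not trusted
    HTTP::respond 302 Location "/icap-blocked?reason=$reason" "Cache-Control" "no-store"
}
```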