More efficient stream iRule

Question

I am very new to iRules, so be patient but have an interesting problem to overcome.&nbsp;
&nbsp;Note all access is via HTTPS:&nbsp;
&nbsp;requirement: remove external access to robots.txt file and an admin page that can not be restricted on the server it self.&nbsp;
&nbsp;our original solution:
&nbsp;use an iRule with a HTTP Profile to redirect the request to an error page when "robots.txt" or "admin" is found in the URI.&nbsp;
&nbsp;This worked fine, apart from it broke some of the extended capability of the website:- The website also offers tunneled TS an Citrix through a client side applet.&nbsp;
&nbsp;With HTTP profile applied the tunneled TS/Citrix are not understood and no longer work.&nbsp;
&nbsp;Revised solution:
&nbsp;Use a Stream to replace "robots.txt" and "admin" in the content with "error". The replacement term error would cause an unknown URL, and the server would redirect to the front page.&nbsp;
&nbsp;This works fine.&nbsp;
&nbsp;But i am sure there will be some clever ways of doing this with an iRule? such as only checking requests&nbsp;
&nbsp;any suggestions for how to do this?&nbsp;
&nbsp;Thanks

the_bhattman · Answer

It sounds similiar to what is being discussed in another posting (Click here)&nbsp;

mark_beynon_593 · Answer

close, but fundamentally different. that post dynamically creates a robot.txt file. I am trying to disable robots.txt file, and block a url. Also the use of the HTTP profile would break my apps, hence the posts can not be considered together.&nbsp;
&nbsp;Thanks for your suggestion though!

eduardo_saito_1 · Answer

Hi.
You are right. HTTP Profile would break Citrix.
Who is terminating the SSL connection? Are you using SSL Offload?
I guess you could create an iRule to search for robots.txt inside the payload. If robots.txt is inside the payload you can drop the request.
This solution will not require HTTP Profile but be careful about CPU overhead.
I didn't test this iRule.
when CLIENT_ACCEPTED {
  TCP::collect
}
when CLIENT_DATA {
  if { [TCP::payload] contains "robots.txt" } {
     Close TCP Conn
    TCP::close
  }
  TCP::release
  TCP::collect
}
Good luck!

mark_beynon_593 · Answer

Thanks for your suggestion Esaito, i will have a play with this.&nbsp;
&nbsp;it is an SSL VPN appliance/reverse proxy cluster behind the F5's. The F5's terminate the SSL connection from the clients and present the clients a certificate. They then act as an SSL client to the appliances for load balancing, hence the Virtual server has both SSL server and client profiles.&nbsp;
&nbsp;Thanks again!

bl0ndie_127134 · Answer

If you can detect the tunneled connections (via uri or port etc.), you can disable the HTTP profile dynamically using the HTTP::disable command.

Forum Discussion

More efficient stream iRule

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

Scalable AI Deployment: Harnessing OpenVINO and NGINX Plus for Efficient Inference

Setting up F5 Telemetry Streaming with Splunk Cloud

Automation Toolchain - Telemetry Streaming - Grafana StatsD Graphite

Secure your gRPC Bidirectional Streaming APIs with F5 NGINX

Investigating Efficiencies in iRules: Handling Wildcards in Hostnames

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS