Forum Discussion
NimbostratusMultiple redirect/respond invocations not allowed
Rule LockdownExternalAccessToDIsney HTTP_REQUEST: blocked request for /en/tools/players/edit_player.php?player_id=78745123 by 112.205.165.29
Thu Feb 11 04:15:28 PST 2010 tmm tmm[1904] 01220001 TCL error: irule-DOSC_HTTP_REDIRECT_HTTPS HTTP_REQUEST - Operation not supported. Multiple redirect/respond invocations not allowed line 562 invoked from within HTTP::respond 301 Location https://[HTTP::host][HTTP::uri]
These 2 rules are applied to the same Virtual Server:
rule LockdownExternalAccessToDIsney {
when HTTP_REQUEST {
if { (not [ matchclass [ IP::client_addr] equals ::Disney_Public_Source_Addresses] ) } {
log "blocked request for [HTTP::uri] by [IP::client_addr]"
HTTP::respond 403
return
}
}
}
rule irule-DOSC_HTTP_REDIRECT_HTTPS {
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
}
My question is what is the preferred method for exiting out of an iRule and stop evaluating the rest of the iRules applied to the virtual server? I've seen reference to "return 0" in a different post but haven't been able to find anything definitive.
Thanks,
Jay
- The_BhattmanHi Jay,
I have never tried this but take a look at the wiki command to disable events
http://devcentral.f5.com/wiki/default.aspx/iRules/event.html
Here is a more detailed article surrounding this
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=236
I hope this helps
Bhattman 
hoolioCirrostratus
The downside to disabling the HTTP_REQUEST event is that the iRule event would no longer trigger for the duration of the TCP connection. As both rules are related, it would be better to combine them.
Do you want to block all requests from clients not in the datagroup and redirect all others to https? If so, here is an example:when HTTP_REQUEST { if { not [ matchclass [ IP::client_addr] equals Disney_Public_Source_Addresses ) } { log local0. "blocked request for [HTTP::uri] by [IP::client_addr]" HTTP::respond 403 } else { HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" } }
If you want to keep the two rules separate, you could use a local variable to track whether a prior iRule has already issued a redirect:rule 1 when HTTP_REQUEST { Check if a redirect has not already been issued if {not ([info exists redirected] and $redirected==1)}{ Check if we want to send a redirect if { $some_logic==1}{ Send a redirect HTTP::redirect "https://[HTTP::host][HTTP::uri]" Track that a redirect has been sent set redirected 1 } } }rule 2 when HTTP_REQUEST { Check if a redirect has not already been issued if {not ([info exists redirected] and $redirected==1)}{ if { $some_other_logic==1}{ Send a redirect HTTP::respond 403 Track that a redirect has been sent set redirected 1 } } }
Aaron
Jay_Henriques_1Thanks, I'll probably try the local variable approach to detect for prior redirects.
Albert_AguinagaHi - I keep getting the following error message on my iRule:
Sep 9 07:09:42 local/tmm err tmm[5253]: 01220001:3: TCL error: ir_final_maintpage - Operation not supported. Multiple redirect/respond invocations not allowed (line 12) invoked from within "HTTP::respond 503 content "Hanley Wood, LLC - Maintenance Page
I've been told to add the TCP::close option. I believe this may fix my issue with the iRule but here is my question (2 really):
1. If I add the TCP::close option, will it essentially terminate ALL iRule calls after it executes this? Meaning, does this TCP::close option only deal with this particular iRule? I have several virtual servers that have multiple iRules and I'm concerned that adding this TCP::close option will make all other iRules not work.
2. Where should I add TCP::close? At the very end?
Thanks so much in advance.
-Albert.
