Multiple redirect/respond invocations not allowed

Question

I've been seeing these errors in our ltm log: 
&nbsp; Rule LockdownExternalAccessToDIsney HTTP_REQUEST: blocked request for /en/tools/players/edit_player.php?player_id=78745123 by 112.205.165.29   
&nbsp; Thu Feb 11 04:15:28 PST 2010  tmm  tmm[1904]  01220001  TCL error: irule-DOSC_HTTP_REDIRECT_HTTPS HTTP_REQUEST - Operation not supported. Multiple redirect/respond invocations not allowed line 562 invoked from within HTTP::respond 301 Location https://[HTTP::host][HTTP::uri]   
&nbsp;  
&nbsp;  
&nbsp; These 2 rules are applied to the same Virtual Server: 
&nbsp; rule LockdownExternalAccessToDIsney { 
&nbsp;    when HTTP_REQUEST { 
&nbsp;  if { (not [ matchclass [ IP::client_addr] equals ::Disney_Public_Source_Addresses] ) } { 
&nbsp;   log "blocked request for [HTTP::uri] by [IP::client_addr]" 
&nbsp;   HTTP::respond 403 
&nbsp;   return 
&nbsp;  } 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp; rule irule-DOSC_HTTP_REDIRECT_HTTPS { 
&nbsp;    when HTTP_REQUEST { 
&nbsp;  
&nbsp;      HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" 
&nbsp;  
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp; My question is what is the preferred method for exiting out of an iRule and stop evaluating the rest of the iRules applied to the virtual server? I've seen reference to "return 0" in a different post but haven't been able to find anything definitive. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Jay

the_bhattman · Answer

Hi Jay, 
&nbsp;    I have never tried this but take a look at the wiki command to disable events 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/event.html 
&nbsp;  
&nbsp; Here is a more detailed article surrounding this 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=63&amp;articleType=ArticleView&amp;articleId=236 
&nbsp;  
&nbsp; I hope this helps 
&nbsp; Bhattman 
&nbsp;  &nbsp;

hoolio · Answer

The downside to disabling the HTTP_REQUEST event is that the iRule event would no longer trigger for the duration of the TCP connection.  As both rules are related, it would be better to combine them.   
      
   Do you want to block all requests from clients not in the datagroup and redirect all others to https?  If so, here is an example:

when HTTP_REQUEST {   
      
      if { not [ matchclass [ IP::client_addr] equals Disney_Public_Source_Addresses ) } {   
         log local0. "blocked request for [HTTP::uri] by [IP::client_addr]"   
         HTTP::respond 403   
      } else {   
         HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"   
      }   
   }

If you want to keep the two rules separate, you could use a local variable to track whether a prior iRule has already issued a redirect:

rule 1 
 when HTTP_REQUEST { 
     Check if a redirect has not already been issued 
    if {not ([info exists redirected] and $redirected==1)}{ 
  
        Check if we want to send a redirect 
       if { $some_logic==1}{ 
  
           Send a redirect 
          HTTP::redirect "https://[HTTP::host][HTTP::uri]" 
  
           Track that a redirect has been sent 
          set redirected 1 
       } 
    } 
 }

rule 2 
 when HTTP_REQUEST { 
  
     Check if a redirect has not already been issued 
    if {not ([info exists redirected] and $redirected==1)}{ 
  
       if { $some_other_logic==1}{ 
  
           Send a redirect 
          HTTP::respond 403 
  
           Track that a redirect has been sent 
          set redirected 1 
       } 
    } 
 }

Aaron

jay_henriques_1 · Answer

Thanks, I'll probably try the local variable approach to detect for prior redirects.

albert_aguinaga · Answer

Hi - I keep getting the following error message on my iRule:&nbsp;
Sep 9 07:09:42 local/tmm err tmm[5253]: 01220001:3: TCL error: ir_final_maintpage  - Operation not supported. Multiple redirect/respond invocations not allowed (line 12) invoked from within "HTTP::respond 503 content "Hanley Wood, LLC - Maintenance Page
&nbsp;I've been told to add the TCP::close option.  I believe this may fix my issue with the iRule but here is my question (2 really):&nbsp;
1.  If I add the TCP::close option, will it essentially terminate ALL iRule calls after it executes this?  Meaning, does this TCP::close option only deal with this particular iRule?  I have several virtual servers that have multiple iRules and I'm concerned that adding this TCP::close option will make all other iRules not work.&nbsp;
2.  Where should I add TCP::close?  At the very end?&nbsp;
Thanks so much in advance.&nbsp;
-Albert.&nbsp;

Forum Discussion

Multiple redirect/respond invocations not allowed

4 Replies

Recent Discussions

VIP control across data centers - how to ensure only 1 VIP is up at a time?

FQDN Node Configuration

Logical Disk Full to Migrate rSeries

Priority Group Activation is not working

Changes to DO and AS3 GitHub - no longer monitored

Related Content

iRule error - Multiple redirect/respond invocations not allowed

Using n8n To Orchestrate Multiple Agents

detect prior http redirect or respond

Double Trouble: Multiple Controllers Handling the Same Kubernetes LoadBalancer Service

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS