Redirection iRule on ASM Blocking

this is another way round.

 

 

sol7825: Redirecting a blocking response support ID to an external error page

 

http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7825.html

What version of ASM are you running ? I currently do this all the time with the URL redirect option in the blocking response tab under the policy option.

I'm running 10.2

HTTP Redirect is a "server-side" command. At the REQUEST_BLOCKING stage, the request has not reached the server and therefore there is no server response and no "server-side" events.

 

 

Check this page out for examples:

 

 

http://devcentral.f5.com/wiki/iRules.ASM_REQUEST_BLOCKING.ashx

 

 

 

Thanks for the clarification John. I think the HTTP_CLASS_SELECTED would solve this issue

this is mine.

[root@tulip:Active] config  b version|grep -iA 1 version
BIG-IP Version 10.2.0 1707.0
Final Edition

[root@tulip:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.66:http
   ip protocol tcp
   rules myrule
   httpclass asmclass
   profiles {
      http {}
      tcp {}
   }
}
[root@tulip:Active] config  b profile asmclass list
profile httpclass asmclass {
   defaults from httpclass
   asm enable
}
[root@tulip:Active] config  b rule myrule list
rule myrule {
   when ASM_REQUEST_BLOCKING {
        HTTP::redirect "http://www.google.com"
}
}

[root@tulip:Active] config  curl -i http://172.28.17.66
HTTP/1.0 302 Found
Location: http://www.google.com
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

[root@tulip:Active] config  cat /var/log/asm
Oct 24 20:48:15 local/tulip err dcc[11586]: 01310033:3: [SECEV] Request blocked, violations: Attack signature detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Support id: 9922188796739190794, source ip: 172.28.17.60, xff ip: N/A, source port: 49258, destination ip: 172.28.17.66, destination port: 80, HTTP classifier: asmclass, scheme HTTP, geographic location: , request: 

Hi,

if i use something like this:

when ASM_REQUEST_BLOCKING {
        HTTP::redirect "http://www.google.com"
}

its working, but in log i find:

http_process_state_prepend - Invalid action EV_SINK_HEADER during ST_HTTP_PREPEND_HEADERS

any idea?

is this either relevant?

 

 

sol8240: The BIG-IP ASM sends corrupted responses when both RAM Cache and Application Security are enabled for the virtual server and the request is blocked by the security policy

 

http://support.f5.com/kb/en-us/solutions/public/8000/200/sol8240.html

 

 

sol5922: Error Message: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS

 

http://support.f5.com/kb/en-us/solutions/public/5000/900/sol5922.html

sol8240

 

--> we dont use RAM Cache and we dont use such an old firmware

 

 

sol5922

 

--> a content length problem?

 

 

this is the response:

 

HTTP/1.0 302 Found

 

Location: http://www.google.com

 

Server: BigIP

 

Connection: Keep-Alive

 

Content-Length: 0

 

 

so it looks ok, although i dont want the Server Header.

Torti, what is your TMOS version?

 

 

There was a bug in 9.3.0 when a HTTP::redirect was called within LB_FAILED (http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7899.html - "Any response that is not compliant with RFC2616 will cause this error message").

 

 

Maybe you are running into another "bug", when you call HTTP::redirect within ASM_REQUEST_BLOCKING. Aparently it works with 10.2, as the example of nitass shows us. Maybe it's just your TMOS release.

 

 

Regards

 

Kurt Knochner