For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tom_Bortels_112's avatar
Tom_Bortels_112
Icon for Nimbostratus rankNimbostratus
Dec 29, 2013

reject not rejecting?

I have to be missing something simple here... setting up a new irule to do a simple whitelist. Here's the whole thing (stolen shamelessly from somewhere else on DevCentral): when HTTP_REQUEST { ...
application delivery
devops
iRules
Thomas_Gobet's avatar
Thomas_Gobet
Icon for Nimbostratus rankNimbostratus
Dec 29, 2013

Hi,

Did you check your cache on your browser ?

Are you using any proxy between your client and your BIG-IP ?

And last thing, maybe you can try to this iRule to send a 404 response :

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals trusted_ips] } { 
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is in data group so do not redirect. DG: [class get trusted_ips]"
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in data group bail"
        HTTP::respond 404
    }
}
Tom_Bortels_112's avatar
Tom_Bortels_112
Icon for Nimbostratus rankNimbostratus
Dec 30, 2013
No, no cache, no proxies - I can reproduce this with curl on the command line. Changing "reject" to "HTTP::respond 404" causes this error on trying to save the iRule: 01070394:3: HTTP::respond in rule (/Common/trusted_ips_only) requires an associated HTTP or ICAP profile on the virtual server (/Common/test). Interestingly - this is the error I've seen before, I thought at runtime. The profile associated with thisw VIP is the default you get when you select http and port 80 - "Performance (HTTP)" with "fasthttp" listed as the profile (the only choice there).