Forum Discussion
Simple iRule not working - HTTP::respond KO
Hello everybody,
I'm new to iRule, so please forgive my question if it looks stupid.
I'm trying to block people from going to the Internet when they use an IE specific browser. To do it, I want an iRule which displays a web page saying that the Internet is not allowed for this browser.
I wrote an iRule in which I put my iFile but it didn't work. So I simplified my iRule by just doing a simple HTTP response... but it doesn't work any better.
Here's my code:
    when HTTP_REQUEST {
        # Match the browser to block on its User-Agent header
        if { [HTTP::header "User-Agent"] contains "MY_BLOCKED_USERAGENT"} {
            # Answer directly from the BIG-IP instead of forwarding to the pool
            HTTP::respond 200 content "Access Denied"
            log local0. "Blocked request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host] [HTTP::uri]"
        }
    }

When I look at the log file, I see "Blocked request...." so it enters the "if" condition, but it doesn't display my "Access Denied" message (only showing the IE error page: IE can't show this web page). More than that, in my log file I see an error: "http_process_state_prepend - Invalid action:0x109010 (Server side: vip=/Common/vs_web profile=http pool=/Common/pool_web server_ip=x.x.x.x)"
I don't know what's wrong with my iRule, could you help me? For information, my LTM is running BIG-IP 11.6.0, my virtual server has performance layer 4 with fastL4 and http profile.
Thanks for your help.
4 Replies
- BinaryCanary_19 (Historic F5 Account)
The log message indicates that the request was passed to the server, and there was a response sent, but the system believes that there should not have been a response (or the response was longer than expected).
This seems to me like interference from your iRule.
See https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16446.html
If you change the VIP type to Standard, it should work fine.
FastL4 + HTTP profile is not meant for this use-case.
- Steuk_242232 (Nimbostratus)
Indeed, with a Standard VIP type it works (and it also works using my iFile).
The main use of this VIP is web access for users (the servers behind are our proxies). So the http profile has been configured to enable XFF (users' IPs are needed on the proxies behind) and fastL4 has been put to accelerate flows (fastL4 is just tunneling so it's faster than standard, which intercepts and then sends flows. Am I right?)
Thanks
- BinaryCanary_19 (Historic F5 Account)
FastL4 by definition means Layer-4 only. It is faster because the system only processes the data up to Layer4, which is accelerated using the ePVA hardware where available.
The GUI will not allow you to attach a Layer 7 profile to such a VIP, because it will be trying to access Layer 7 data on a pipeline that is only aware of Layer 4.
However, to enable the use-case of PEM (Policy Enforcement Manager), which needs to inspect higher layer traffic and still allow such flows to be handled at maximum velocity, you are allowed to attach an HTTP profile on FastL4 VIPs as documented in the solution article I linked. PEM is typically used in Service Provider environments where the volumes are quite high and where they benefit from such acceleration.
Since the inspection in PEM is read-only, this is a good tradeoff between capacity and capability. As soon as you want to do read-write, you have to evict the pipeline from hardware and into the CPU, and this requires the VIP to be of Standard Type.
What you are trying to do is simply not possible, and the GUI wouldn't even allow you to do it if it weren't for the fact that PEM needs it.
If you want to insert XFF, then use a standard VIP and configure your http profile appropriately. If you want maximum performance, then avoid the use of iRules entirely, and use Local Traffic Policies instead wherever possible.
- Steuk_242232 (Nimbostratus)
I understand that with my initial configuration it's simply not possible. I just explained the reason we configured it that way, and from what I read in your reply it seems it was not a bad idea.
Adding this iRule forces us to modify the way we used the VIP before, that's a fact.
Thank you for all your explanations and for the link reference you sent, it helped me to understand the issue.
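An offline check for the combination discussed in this thread, as an added example that is not part of the original posts or F5's own tooling: it scans bigip.conf-style text for virtual servers that carry a FastL4 profile and also attach an iRule issuing a response-writing HTTP command. The sample config, the helper names `stanzas` and `audit`, and the inclusion of HTTP::redirect alongside HTTP::respond are assumptions made for the illustration.

```python
import re
# Constructed sample, condensed from bigip.conf layout; object names echo the thread.
SAMPLE = """\
ltm rule /Common/block_ua {
when HTTP_REQUEST {
    HTTP::respond 200 content "Access Denied"
}
}
ltm virtual /Common/vs_web {
    profiles { /Common/fastL4 { } /Common/http { } }
    rules { /Common/block_ua }
}
ltm virtual /Common/vs_std {
    profiles { /Common/http { } /Common/tcp { } }
    rules { /Common/block_ua }
}
"""
# HTTP::respond is the command that failed in the thread; HTTP::redirect is an assumed peer.
WRITES = re.compile(r"HTTP::(?:respond|redirect)\b")

def stanzas(text):
    """Yield (header, body) for each top-level {...} block; braces in strings not handled."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:  # header runs from the previous newline or closing brace
                cut = max(text.rfind("\n", 0, i), text.rfind("}", 0, i)) + 1
                header, start = text[cut:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]

def audit(conf):
    """Return (virtual, rule, command) for response-writing iRules on FastL4 virtuals."""
    ptype = {"/Common/fastL4": "fastl4"}  # built-in profile; custom ones are learned below
    rules, virtuals = {}, {}
    for header, body in stanzas(conf):
        kind = header.split()
        if kind[:2] == ["ltm", "profile"]:
            ptype[kind[3]] = kind[2]      # e.g. "ltm profile fastl4 /Common/name"
        elif kind[:2] == ["ltm", "rule"]:
            rules[kind[2]] = body
        elif kind[:2] == ["ltm", "virtual"]:
            virtuals[kind[2]] = dict(stanzas(body))
    return [(v, r, m.group(0)) for v, sub in virtuals.items()
            if "fastl4" in {ptype.get(p) for p, _ in stanzas(sub.get("profiles", ""))}
            for r in sub.get("rules", "").split()
            if (m := WRITES.search(rules.get(r, "")))]
```

On the sample, `audit(SAMPLE)` reports only vs_web; vs_std attaches the same iRule but uses a tcp profile, so it is not flagged.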