The Blocking Response Page is blocked and looping :-)
Hi there,
On our ASM, for the Blocking Response Page, we use a redirect to a page on the application server:
So the browser is requesting
https://the.server/path-to/blocking-page?param=123456789
or so (which also goes through the ASM).
That works OK, most of the time.
What we have noticed is that occasionally, the request for that blocking page is blocked itself, causing a loop.
On one occasion, it appears that the cause was a mobile device that caused an HTTP Protocol Compliance violation.
That resulted in blocking and a request for the Blocking Response Page, which again caused that same HTTP Protocol Compliance violation, which resulted in blocking, which ...
Today I reproduced the issue by making Firefox use a "User-Agent: wget test" header. This triggers the Attack Signature "Automated client access wget", which again triggers the blocking page request loop.
Has anyone found an easy / straightforward / effective way to address this?
We will eventually run version 10.2.1, so I was thinking of an iRule like

    when ASM_REQUEST_VIOLATION {
        if the requested URI is the Blocking Response Page
        then HTTP::respond with a simple error message instead of the JavaScript redirect
    }

This should work I think, but I'm wondering if anyone else has faced this issue, and found an elegant solution.
Thanks and kind regards,
Arthur
- Chris_Miller
Altostratus
You could also use ASM::disable.

    # Disable ASM for URIs containing "blocking-page"
    when HTTP_CLASS_SELECTED {
        ASM::enable
        if { [HTTP::uri] contains "blocking-page" } {
            ASM::disable
        }
    }
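A narrower variant of the rule above, added here as an example and not posted by anyone in the thread: it turns inspection off only for a GET to the exact blocking-page path, because a substring test on [HTTP::uri] also matches unrelated requests whose query string happens to contain "blocking-page". The path and the numeric "param" format are assumptions taken from the sample URL in the question.

```tcl
# Added example (not from the thread). The path and the numeric "param"
# format are assumptions based on the sample URL in the question.
when RULE_INIT {
    set static::blocking_path "/path-to/blocking-page"
}

when HTTP_CLASS_SELECTED {
    # Inspect by default; ASM is only switched off in the one case below.
    ASM::enable

    # [HTTP::path] excludes the query string, so the exact comparison cannot
    # be satisfied by "blocking-page" appearing elsewhere in the URI.
    if { [HTTP::method] eq "GET"
         && [HTTP::path] eq $static::blocking_path
         && [regexp {^param=[0-9]{1,20}$} [HTTP::query]] } {
        ASM::disable
    }
}
```

Any request that does not match this exact shape stays under ASM, so the bypass covers only the redirect target itself.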
- hoolio
Cirrostratus
Another option is to use an iRule to sanitize requests to the blocking page when the blocking page is hosted behind an ASM policy. Here's a version I did for 9.x. You could update it for 10.x relatively easily by changing the global variables to the static namespace, changing the headers_to_preserve list to a datagroup and changing the setting of $asm_bypass to ASM::enable/ASM::disable.
- samstep
Cirrocumulus
Having an iRule for this is a CPU and maintenance overhead. You can do this WITHOUT iRules:
- hoolio
Cirrostratus
Hey Sam,