Forum Discussion
V11.4 replacement for HTTP::class select ?
Hi,
We have a 10.2 LTM + ASM, and need to block some requests based on the URI, with an iRule like
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/xxx" } {
        if { !([HTTP::uri] starts_with "/xxx123") } {
            log local0. "Suspect URI [HTTP::uri]"
            HTTP::class select "cl_GENERIC_block_all"
        }
    }
}
So "/xxx123" is allowed, while all other "/xxx*" are blocked.
The ASM security policy for cl_GENERIC_block_all blocks all requests.
We do it this way in order to use an existing ASM remote logging profile that logs all requests, now including the above blocked ones.
This works OK, but with HTTP::class being replaced by POLICY::??? in version 11.4, the rule will no longer work.
Is there an equivalent of "HTTP::class select" in v11.4?
There is no POLICY::select (yet?).
3 Replies
- nitass
Employee
There is no POLICY::select (yet?).
have you tried ASM::enable policy_name?
ASM::enable
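The original poster's rule rewritten around the ASM::enable suggestion above, as an added example that is not code from the thread. It assumes the ASM security policy is reachable as /Common/cl_GENERIC_block_all and that ASM is already attached to the virtual server. It also goes one step beyond the original rule by matching on the decoded path, a hardening choice that is not in the thread.

```tcl
# Added example, not from the thread.
# Assumed: ASM policy /Common/cl_GENERIC_block_all exists and blocks everything,
# and ASM is already enabled on this virtual server.
when HTTP_REQUEST {
    # Decide on the decoded path, so a percent-encoded form of the prefix
    # gets the same verdict as the literal one. Query string is not needed.
    set path [URI::decode [HTTP::path]]

    if { ($path starts_with "/xxx") && !($path starts_with "/xxx123") } {
        # Log the raw URI as received, so the log shows what the client sent.
        log local0. "Suspect URI [HTTP::uri] from [IP::client_addr]"

        # 11.4+ replacement for: HTTP::class select "cl_GENERIC_block_all"
        # Hands this request to the block-all policy, which also keeps it
        # in that policy's remote logging profile.
        ASM::enable /Common/cl_GENERIC_block_all
    }
}
```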
- nitass
Employee
it seems cpm also has asm policy in its action.
e.g.
root@(ve11-8)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm policy cpm1 rules add { asmrule1 { actions add { 0 { asm enable policy ?
This action will use this policy.
- Mike_Maher
Nimbostratus
Have you looked at Local Traffic policy to determine if you can just use that and get rid of this iRule completely? You have the ability in LT policy to pull traffic one way or the other with it and it is a lot more flexible than HTTP Classes were.
Here is an iRule that I had that contains some HTTP Class Events and actions that I moved over to 11.4.1
# Before: HTTP class version
when CLIENT_ACCEPTED {
    set retries 0
}
when HTTP_CLASS_SELECTED {
    if { [HTTP::class] eq "/Common/hqdesktop-securera-8000_class" } {
        set backup_pool PHX-hqdesktop-8000.edwardjones.com_pool
    }
    if { [HTTP::class] eq "/Common/desktop-securera-8000_class" } {
        set backup_pool PHX-desktop-8000.edwardjones.com_pool
    }
}
when LB_FAILED {
    if { $retries < [active_members $backup_pool] } {
        LB::mode rr
        LB::reselect pool $backup_pool
        incr retries
    }
}

# After: 11.4.1 version using POLICY:: commands
when CLIENT_ACCEPTED {
    set retries 0
}
when HTTP_REQUEST {
    set policy [POLICY::names matched]
    if { [POLICY::rules matched $policy] eq "hqdesktop-securera-8000_class_policy_rule" } {
        set backup_pool PHX-hqdesktop-8000.edwardjones.com_pool
    }
    if { [POLICY::rules matched $policy] eq "desktop-securera-8000_class_policy_rule" } {
        set backup_pool PHX-desktop-8000.edwardjones.com_pool
    }
}
when LB_FAILED {
    if { $retries < [active_members $backup_pool] } {
        LB::reselect pool $backup_pool
        incr retries
    }
}
If you find you need to keep the iRule, then hopefully this helps spur some thoughts on how to rework your iRule.