24-May-2023 23:56
Hey all!
I've set up an ASM WAF policy for a web service that handles API calls. But the standard response on a block is a 200 OK with the block web page, which works great if a person can see it on the screen... when it's an API call the service just gets a <!DO (the first characters of the web page) and a 200 OK.
What I want to do is just return a 403 / 503 (or something like that) and just respond with the support ID in a header back to the source.
I've got most of it figured out, except the header part...
So... doesn't anyone know a good way for me to insert a support ID to a header response back to the client?
25-May-2023 03:18 - edited 25-May-2023 03:19
Why not save the ASM::support_id to a variable from the "ASM_REQUEST_DONE" event and then in the "HTTP_RESPONSE" event just insert the value in a header?
See:
https://clouddocs.f5.com/api/irules/ASM__support_id.html
https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html
https://clouddocs.f5.com/api/irules/ASM_REQUEST_BLOCKING.html
https://clouddocs.f5.com/api/irules/HTTP__header.html
Don't forget to enable the iRule event triggering under the ASM policy, as by default it is disabled for some stupid reason.
25-May-2023 03:47
I did this first:
when ASM_REQUEST_VIOLATION {
    set support_id [ASM::support_id]
    #log local0. $support_id
    HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
    #log local0. $support_id
    HTTP::header insert ASM $support_id
    #HTTP::header insert ASM2 testtest
}
But... there's no header received on the client end...
25-May-2023 04:06
Did you check what I mentioned?
Not when ASM_REQUEST_VIOLATION but ASM_REQUEST_DONE, and the iRule trigger should be enabled under the ASM policy and set to Normal mode, not Compatible.
25-May-2023 04:12
I'll change the event and try again.
I had already changed the iRule setting before, so events are triggering OK.
25-May-2023 04:17
Also keep in mind that ASM_REQUEST_DONE irule event will show you support id even for good requests, so if you want to insert the header only when there is violation then you can use ASM_REQUEST_BLOCKING as a replacement for ASM_REQUEST_DONE as it will trigger only for bad requests.
25-May-2023 04:19
When using ASM_REQUEST_DONE, the HTTP event did not fire at all... I'll try REQ_Block... and see what happens.
25-May-2023 04:21
This here's the winner:
when ASM_REQUEST_BLOCKING {
    set support_id [ASM::support_id]
    #log local0. $support_id
    HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
    log local0. $support_id
    HTTP::header insert ASM $support_id
    #HTTP::header insert ASM2 testtest
}
Thank you!
25-May-2023 04:33
I'll just have to add an IF statement to check if the variable is empty or not... seems to cause the VIP not to work if applied as I wrote it.
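An added example, not part of the original posts: the iRule from this thread with the missing-variable guard described above. It reuses the thread's events and header name; the reset in HTTP_REQUEST is an extra precaution that relies on iRule variables living for the whole connection.

```tcl
# Added example (not the poster's final rule). Header name "ASM" is the one
# used in the thread; rename it to suit your API clients.

when HTTP_REQUEST {
    # iRule variables are scoped to the connection, not the request.
    # Clear any value left from an earlier blocked request so a later,
    # clean request on the same keep-alive connection does not reuse it.
    unset -nocomplain support_id
}

when ASM_REQUEST_BLOCKING {
    # Raised only for requests ASM is about to block (iRule events must
    # be enabled in the ASM policy, as noted earlier in the thread).
    set support_id [ASM::support_id]
    HTTP::header insert ASM $support_id
}

when HTTP_RESPONSE {
    # For clean requests support_id was never set. Referencing it without
    # this check raises a Tcl runtime error, which matches the breakage
    # reported above when the rule was applied unguarded.
    if { [info exists support_id] } {
        HTTP::header insert ASM $support_id
    }
}
```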
25-May-2023 22:19
Just an update from me. I found a much, much simpler way to accomplish this.
In the settings for the policy and under response and blocking pages, I edited and created a new header and just used the support ID variable from the page on the header, and that worked like a charm. No iRules to apply or anything. 😄
13-Nov-2023 09:16
I'm new to ASM and currently having the same issue. I'd like to edit the blocking response page to give the client a negative response instead of the 200 OK status without using an iRule. Please can you share the HTML you used? Thank you in advance.
13-Nov-2023 10:03
You can accomplish that in the ASM policy settings. Let me check and get back to you. We set up something like a 599 Blocked (not HTTP standard, I know, but it works), and also added the support ID as a response header.
13-Nov-2023 10:11
Choose the policies list under Security; there you have the list with all your ASM policies. Choose the one to edit.
Scroll down to response and blocking pages. On the right you have the block page settings. I haven't edited the page itself, only the code, and added the SupID: supportid-header.
SupID: <%TS.request.ID()%>
13-Nov-2023 12:48
Thank you @kimhenriksen, that was so helpful. You're a lifesaver. I have edited the response page and am waiting for the BUs to commence testing. Thank you so much.
13-Nov-2023 13:09
Happy to help out! I see you have a Batman profile pic, and as a comic book nerd I just have to help 😉
13-Nov-2023 13:55
Haha, appreciate it. 🤣
Do we remove the HTML in the Response Body?
13-Nov-2023 22:30
I didn't. The systems that can't read the HTML just don't, but when people test manually they still get the page, so it's easily readable by both.
14-Nov-2023 10:25
Thank you.