felix001_29321
Jan 15, 2013

HTTP 403 with iRule

I have a VIP set up with both client and server side SSL.

I have added an iRule to issue a 403 if the client comes from a certain IP for a certain domain. But when I curl it reports an SSL socket error, and when going to the site I just get a blank screen. It appears that the iRule is breaking the session as it is in between the client and server side SSL sessions.

Here's my iRule...

------------------------

when HTTP_REQUEST {
   if { ([HTTP::host] equals "domain.com") and (not [class match [IP::client_addr] equals group ]) } {
      HTTP::respond 403
   }
}

------------------------

Any thoughts?

Thanks in advance.

3 Replies

  • This is mine.

    [root@ve10:Active] config  b virtual bar443 list
    virtual bar443 {
       snat automap
       pool foo
       destination 172.28.19.252:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          serverssl {
             serverside
          }
          tcp {}
       }
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       if { ([HTTP::host] equals "domain.com") and (not [class match [IP::client_addr] equals group ]) } {
          HTTP::respond 403
       }
    }
    }
    [root@ve10:Active] config  b class group list
    class group {
       host 172.28.19.251
    }
    
     client is 172.28.19.253
    
    [root@ve10:Active] config  curl -Ik https://172.28.19.252 -H "Host: domain.com"
    HTTP/1.0 403 Forbidden
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
     client is 172.28.19.251
    
    [root@centos251 ~] curl -Ik https://172.28.19.252 -H "Host: domain.com"
    HTTP/1.1 200 OK
    Date: Tue, 15 Jan 2013 08:32:55 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
    
  • Odd, just looking at this your settings appear the same, i.e. the VS having SNAT etc. etc.

    I'm seeing this:

    [root@monty ~] curl -ILk https://test.com
    curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

    Any ideas?

  • Would you mind posting your virtual server configuration? Have you got the error when not having the iRule?

    tmsh list ltm virtual (name)
    tmsh list ltm pool (name)
    tmsh list ltm profile client-ssl (name)
    tmsh list ltm profile server-ssl (name)