Joe_Pipitone
May 05, 2015 Nimbostratus
iRule - HTTP::is_redirect failing
We have used this iRule for many years to block PDFs from being accessed directly, unless a user logs in and comes from an allowed domain.
After upgrading from 10.2.4 to 11.2.1 and then to 11.6, the iRule fails to work and complains in the ltm log:
TCL error: /Common/block-pdf-searches - Operation not supported (line 1) invoked from within "HTTP::is_redirect"
I've done some testing and I've confirmed that I'm able to do a simple log local0. if the http response is HTTP::is_redirect, so it seems like the syntax is supported.
Can anyone find what may be wrong here?
when RULE_INIT {
    # 0=disable checking paths
    # 1=check referer if requested URL is in "referer_check_paths" (default allow)
    # 2=check referer if requested URL is NOT in "referer_check_paths" (default deny)
    set ::setting_check_paths 0
    # 0=exact match for path check
    # 1=starts_with match of path check
    set ::setting_path_check_starts_with 0
    # 0=disable filetype checking
    # 1=enable filetype checking
    set ::setting_check_filetypes 1
    # Set appropriate URL to send the user to
    set static::error_url {https://[HTTP::host]}
    # END OF CONFIGURABLE PARAMETERS
    if { $::setting_path_check_starts_with == 1 } {
        set ::match_with "starts_with"
        return
    }
    set ::match_with "equals"
}
when HTTP_REQUEST {
    set error 0
    if { $error == 0 && $::setting_check_filetypes == 1 &&
         [matchclass [HTTP::path] ends_with referer_check_filetypes] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 1 &&
         [matchclass [HTTP::path] $::match_with referer_check_paths] } {
        set error 1
    }
    if { $error == 0 && $::setting_check_paths == 2 &&
         ( not [matchclass [HTTP::path] $::match_with referer_check_paths] ) } {
        set error 1
    }
    if { $error == 0 } {
        return
    }
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    if { $refer_host == "" || [matchclass $refer_host contains referer_allowed_hosts] } {
        return
    }
    set info " NOTICE: Entry point bypass detected from host: $refer_host"
    append info " client { [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] }"
    append info " ethernet { [string range [LINK::lasthop] 0 16] -> [string range [LINK::nexthop] 0 16] tag [LINK::vlan_id] qos [LINK::qos] }"
    append info " - [HTTP::version] - REDIR [HTTP::is_redirect], Content-Length [HTTP::header Content-Length], Transfer-Encoding [HTTP::header Transfer-Encoding]"
    append info " *TCP MSS([TCP::mss]) BW([TCP::bandwidth]) RTT([TCP::rtt]) OFFSET([TCP::offset])"
    append info " *IP TOS [IP::tos], HOPS [IP::hops], TTL [IP::ttl]"
    append info " *HTTP HOST [HTTP::host], KEEPALIVE [HTTP::is_keepalive], REQ_NUM [HTTP::request_num]"
    log local0. $info
    # Set cache control headers on the redirect to prevent proxies from caching the response.
    HTTP::respond 302 Location [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
}
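
An added example, not part of the original post and not F5's code: a cut-down variant of the rule above that builds its log line from request-side values only and reads the redirect flag in `HTTP_RESPONSE`. It assumes the "Operation not supported" error comes from calling `HTTP::is_redirect` inside `HTTP_REQUEST`, where no response exists yet; it reuses the post's data group names and swaps `matchclass` for `class match`.

```tcl
when RULE_INIT {
    # static:: variables are read-only after init and do not use the :: global namespace.
    set static::check_filetypes 1
    set static::error_url {https://[HTTP::host]}
}
when HTTP_REQUEST {
    # Only requests whose path ends with a protected file type are checked.
    if { $static::check_filetypes != 1 ||
         ![class match [HTTP::path] ends_with referer_check_filetypes] } {
        return
    }
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]
    # Same allow decision as the post: an empty Referer or an allowed host passes.
    if { $refer_host eq "" || [class match $refer_host contains referer_allowed_hosts] } {
        return
    }
    # Request-side fields only: HTTP::is_redirect is not called in this event.
    set info "NOTICE: Entry point bypass detected from host: $refer_host"
    append info " client [IP::client_addr]:[TCP::client_port]"
    append info " HTTP HOST [HTTP::host], PATH [HTTP::path], REQ_NUM [HTTP::request_num]"
    log local0. $info
    # Cache control headers keep proxies from caching the redirect.
    HTTP::respond 302 Location [subst $static::error_url] Cache-Control No-Cache Pragma No-Cache
}
when HTTP_RESPONSE {
    # The redirect flag describes the server's response, so it is read here.
    if { [HTTP::is_redirect] } {
        log local0. "REDIR [HTTP::status], Location [HTTP::header Location]"
    }
}
```

Responses generated by `HTTP::respond` do not pass through `HTTP_RESPONSE`, so the second event only logs redirects issued by the pool member.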