Forum Discussion

Adam_Burnett_18's avatar
Adam_Burnett_18
Icon for Nimbostratus rankNimbostratus
Oct 01, 2015

HTTP::respond over SSL

I have an iRule on an HTTPS virtual server that uses HTTP::respond. When I make a request to this virtual server that hits the iRule I get an SSL error. Do I have to do anything extra to get the response generated by HTTP::respond to be encrypted?

when HTTP_REQUEST {
    set allowed {PUT POST GET DELETE}
    if { [lsearch $allowed [HTTP::method]] < 0 } {
        log local0. "HTTP [HTTP::method] REJECTED!"
        HTTP::respond 405 content "Method not allowed"
    }
}

What I'm seeing from curl

* SSLRead() return error -9806
* Closing connection 0
curl: (56) SSLRead() return error -9806
  • Do you have an HTTP profile applied to the VIP? Do you have a client SSL profile applied to the VIP?

     

  • Yes, sorry I forgot to mention that. Yes to both. If I make a request that doesn't trigger the iRule the response comes back fine.

     

  • The iRule should always being triggered for HTTP requests. Try adding some logging.

    when HTTP_REQUEST {
        log local0. "here: [HTTP::method]"
    
        set allowed {PUT POST GET DELETE}
        if { [lsearch $allowed [HTTP::method]] < 0 } {
            log local0. "HTTP [HTTP::method] REJECTED!"
            HTTP::respond 405 content "Method not allowed"
        }
    }
    
  • Do you have you aren't showing us AFTER the HTTP::respond? Try adding in return immediately after HTTP::respond and see if that fixes things.

     

  • @Kevin - sorry, by "trigger" I meant a request that enters the

    if
    . The rule is in fact being run for all requests.

    @IheartF5 - I don't follow why return would help in this case.

    • IheartF5_45022's avatar
      IheartF5_45022
      Icon for Nacreous rankNacreous
      because you can't execute any other iRule commands after HTTP::respond - they will all fail. You need to cease iRule processing for that event, either by using *return* or *event disable*.
  • Have you checked the LTM log (/var/log/ltm)? If there's an issue with the iRule logic, it'll usually log an error.

     

  • Took another look in there. Turns out adding my rule above was causing an

    HTTP::header insert
    in another rule further down the line to fail. All is well now. Thanks!

  • Rather than setting a variable with every request why not use a data group containing your allowed verbs with something like this?

    when HTTP_REQUEST {
        if { not ([class match [HTTP::method] equals allowed_verbs]) } {
            HTTP::respond 405 noserver
        }
    }
    
    • Adam_Burnett_18's avatar
      Adam_Burnett_18
      Icon for Nimbostratus rankNimbostratus
      No reason other than my being new to the platform. Thanks for the suggestion.
  • Rather than setting a variable with every request why not use a data group containing your allowed verbs with something like this?

    when HTTP_REQUEST {
        if { not ([class match [HTTP::method] equals allowed_verbs]) } {
            HTTP::respond 405 noserver
        }
    }
    
    • Adam_Burnett_18's avatar
      Adam_Burnett_18
      Icon for Nimbostratus rankNimbostratus
      No reason other than my being new to the platform. Thanks for the suggestion.