ACCESS::restrict_irule_events

Description

During access policy execution, ACCESS creates requests to various URIs related to various access policy processing. These includes /my.policy and other pages (logon, message box etc.) shown to the end user. By default from 11.0.0 onward, HTTP and higher layer iRule events are not raised for the internal access control URIs. All events except ACCESS_SESSION_STARTED, ACCESS_SESSION_CLOSED, ACCESS_POLICY_AGENT_EVENT, ACCESS_POLICY_COMPLETED are blocked (not raised) for internal access control URI.
This command allows admin to overwrite the default behavior.
ACCESS::restrict_irule_events disable
Disables the default behavior and enables admin to enable HTTP and higher layer iRule events for the internal access control URI. Admin can use this to
handle these URIs in their iRules if needed. Please note that changing processing for these internal URIs can interfere with access policy.
Scope of this command is per flow. Once enabled for a flow, all subsequent internal access control URI requests will have events raised during processing

Syntax

ACCESS::restrict_irule_events [enable|disable]

ACCESS::restrict_irule_events [enable|disable]

  • todo

Examples

This iRule allows a customer to hide some error pages from the end-user. For e.g. Invalid SID error page is shown to user by redirecting user to /my.logout.php3?errorcode=19. In one case, user hits this error url if they were to bookmark /my.policy instead of the root, APM responds saying “you have an invalid session, click here to log in”. Admin can change that just 302 user back to /. Redirect to “/” with invalid SID starts a new session.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  if { [HTTP::uri] ends_with "/my.logout.php3?errorcode=19" }{
     HTTP::redirect "/"
   }
}