custom response code or route when match on LB's common policy custom rule

why - Today when a custom rule is set to Deny traffic, the default 403 resp code and message is sent. I have a scenario where for some traffic the default error code is appropriate but for other traffic matching specific conditions which include a request body regex match, I'd like to return a unique http response code and msg. Today the Route object doesn't allow for matching on the request body so my only option is to return the default 403. The goal is to include some custom data in the response so that the client device can detect it and display a mapped user friendly message. Routes can do this but not for request body matches. LB's can add response headers but only for ALL traffic. And the error response can be customized but only for ALL 403s, not just specifically matched scenarios.

who - security engineers would use this in cases they are enforcing manually built API Schema validation where they want to notify legit users to upgrade their device.

how - there are 3 options I can think of

  1. enhance the custom rule on a common LB policy to allow it to define a custom response for the matched scenario. this could be directly in the rule or link to a predefined direct response object.

  2. enhance the custom rule on a common LB policy to allow it to define a custom response header/value pair for the matched scenario.

  3. enhance the Route object to define a request body regex match, similar to how that is available in a custom policy rule.

  • Guest
  • Oct 31 2024
  • Attach files