Forum Discussion
mbyerly_59620
Nimbostratus
Aug 29, 2012
<HTTP_REQUEST> - Out of bounds (line 1) - randomly in ltm log file
Hey All,
I am wondering if someone has any idea of what I am seeing in our logs after adding a new iRule to remove the X-Forwarded-For header and re-insert it.
The error, which is generated at random:
Aug 30 00:00:39 tmm5 err tmm5[11045]: 01220001:3: TCL error: /Common/shared/x_forwarded_for - Out of bounds (line 1) invoked from within "HTTP::header remove "X-Forwarded-For""
Aug 30 00:00:40 tmm err tmm[11040]: 01220001:3: TCL error: /Common/shared/x_forwarded_for - Out of bounds (line 1) invoked from within "HTTP::header remove "X-Forwarded-For""
Aug 30 00:00:48 tmm3 err tmm3[11043]: 01220001:3: TCL error: /Common/shared/x_forwarded_for - Out of bounds (line 1) invoked from within "HTTP::header remove "X-Forwarded-For""
The 'x_forwarded_for' iRule is the only iRule associated with the HTTP (80) virtual-server, and on the HTTPS (443) virtual-server there are two iRules in this order: 1. 'https_proto_header', and 2. 'x_forwarded_for'. I have a feeling the error is getting generated by the HTTPS (443) virtual-servers but I am unsure.
Below are the iRules:
ltm rule https_proto_header {
    when HTTP_REQUEST {
        HTTP::header remove "X-Forwarded-Proto"
        HTTP::header insert "X-Forwarded-Proto" "https"
    }
}
ltm rule x_forwarded_for {
    when HTTP_REQUEST {
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    }
}
Thanks,
Matt
4 Replies
- hoolio
Cirrostratus
Hi Matt,
Do you have RAM cache or WAM enabled on either virtual server? I think the error is due to a conflict with one of those two features.
Aaron
- mbyerly_59620
Nimbostratus
No RAM cache or WAM.
Could it be some sort of issue between having 'XFF' enabled in the HTTP Profile as well as the iRule to scrub the HTTP header and re-insert it?
Here is a snippet of the virtual-servers (80 & 443) as well as the HTTP Profile.
80/443 virtual-servers:
ltm virtual xxxx-production-xxxx-1.2.3.4-tcp-80-vs {
    destination 1.2.3.4:http
    ip-protocol tcp
    mask 255.255.255.255
    partition xxxx
    pool xxxx-production-xxxx-pool
    profiles {
        /Common/shared/http-xxxx-optimized { }
        /Common/shared/tcp-xxxx-optimized { }
    }
    rules {
        /Common/shared/x_forwarded_for
    }
    snatpool /Common/shared/internal-snat
    vlans-disabled
}
ltm virtual xxxx-production-xxxx-1.2.3.4-tcp-443-vs {
    destination 1.2.3.4:https
    ip-protocol tcp
    mask 255.255.255.255
    partition xxxx
    pool xxxx-production-xxxx-pool
    profiles {
        /Common/shared/http-xxxx-optimized { }
        /Common/shared/tcp-xxxx-optimized { }
        wildcard.xxxx.bogus.com-clientssl {
            context clientside
        }
    }
    rules {
        /Common/shared/https_proto_header
        /Common/shared/x_forwarded_for
    }
    snatpool /Common/shared/internal-snat
    vlans-disabled
}
ltm profile http http-xxxx-optimized {
    adaptive-parsing enabled
    app-service none
    basic-auth-realm none
    defaults-from /Common/http
    description none
    encrypt-cookie-secret none
    encrypt-cookies none
    fallback-host none
    fallback-status-codes none
    header-erase none
    header-insert none
    insert-xforwarded-for enabled
    lws-separator none
    lws-width 80
    max-header-count 64
    max-header-size 65536
    max-requests 0
    oneconnect-transformations disabled
    partition Common
    pipelining enabled
    redirect-rewrite none
    request-chunking preserve
    response-chunking selective
    response-headers-permitted none
    security disabled
    via-host-name none
    via-request preserve
    via-response preserve
}
- hoolio
Cirrostratus
I don't think there should be any conflict between the HTTP profile and iRule doing header insert/removals. I did some quick searching but didn't see any related info internally.
Could you open a case with F5 Support on this? If you do, can you reply back with what you find out?
Thanks, Aaron
- mbyerly_59620
Nimbostratus
Will do.
Thanks Hoolio.
Matt
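A diagnostic variant of the x_forwarded_for iRule that would show which virtual server raises the error, given here as an added example that is not part of the original thread or F5's own code. It assumes logging to local0 is acceptable on the unit and that rejecting the connection on failure, rather than forwarding a request whose client-supplied X-Forwarded-For was not removed, is the desired behaviour.

```tcl
when HTTP_REQUEST {
    # Catch the TCL error from the failing command instead of letting it
    # abort the rule, so the context missing from the stock log line
    # can be recorded.
    if { [catch { HTTP::header remove "X-Forwarded-For" } err] } {
        # [virtual name] distinguishes the port 80 virtual server from
        # the port 443 one; the client address and port help match the
        # event against a packet capture taken at the same time.
        log local0. "x_forwarded_for: remove failed on [virtual name]\
            from [IP::client_addr]:[TCP::client_port]: $err"

        # Assumption: fail closed. The header supplied by the client was
        # not scrubbed, so the request is not passed to the pool.
        reject
        return
    }

    # Normal path, unchanged from the rule posted in the thread.
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}
```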