For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Martin_Robbins's avatar
Martin_Robbins
Icon for Nimbostratus rankNimbostratus
Jul 02, 2014

ACCESS::disable in iRule with persisted HTTP/1.1 connection fails

Hello,

I know I should open a case but has anyone seen with 11.4.1 issues with APM using the ACCESS::disable in an iRule causing the dreaded :

http_process_state_prepend - Invalid action EV_BODY_COMPLETE during ST_HTTP_PREPEND_HEADERS (Server side: vip= .. etc

iRule:

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "/public" }{
    ACCESS::disable
  }
}

It seems if you have a persisted HTTP/1.1 connection, i.e the browser makes a request for a URL (e.g. /private with Connection: keep-alive) that is processed normally by APM (i.e. is authenticated)

.. and then a second request over the same connection is made (e.g. /public) which matches the ACCESS::disable (i.e. should not be authenticated) then causing the above error.

Making the second request without the first works

It took me a while to realise what was wrong, I followed the SOL5922 assuming the backend was not RFC-2616 compliant but no, it is APM that is causing it to choke.

Otherwise is there another way to disable APM on a connection that is not ACCESS::disable or is just forcing all conenctions to HTTP/1.0 is the answer ...

cheers.

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
security

2 Replies

  • ib_37889's avatar
    ib_37889
    Icon for Nimbostratus rankNimbostratus
    Jul 14, 2014
    Have you tried closing the connection after ACCESS::disable ?
  • Martin_Robbins's avatar
    Martin_Robbins
    Icon for Nimbostratus rankNimbostratus
    Jul 23, 2014

    Hi,

     

    Thanks but that was "too late", the connection has been reset before it gets to a close statement.

     

    I will share the basic version of the solution I am now using, basically allow if there is a valid session and force client connection close on all other types of requests ...

     

    when HTTP_REQUEST {
    set f_apmdisable_close 0

    if { [HTTP::cookie exists MRHSession] and [ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]] }{ return
    } elseif { [HTTP::cookie exists MRHSession] }{ set f_apmdisable_close 1 }

    if { [HTTP::path] starts_with "/public/" }{
        WEBSSO::disable
        ACCESS::disable
        set f_apmdisable_close 1 }
}

when HTTP_REQUEST_SEND {
    clientside {
      if { $f_apmdisable_close }{
         if { [HTTP::header exists Connection] }{ HTTP::header remove Connection }
         HTTP::header insert Connection Close }   
    }
}

when HTTP_RESPONSE {
    if { $f_apmdisable_close }{
        if { [HTTP::header exists Connection] }{ HTTP::header remove Connection }
        HTTP::header insert Connection Close }
}

    The case I opened has not provided any additional help but the code here at least stops the errors and client resets .. I am sure there are improvements to be had.