Forum Discussion
GavinW_29074
Nimbostratus
NimbostratusCheck HTTP Response Data for string
Hi there,
We've got an intermittent issue with one of our applications which I'm trying to get to understand a bit better using our F5's and iRules...
Basically, sometimes the ap...
GavinW_29074Nimbostratus
NimbostratusAaron
As it happens, i've got it working a slightly different way.
Comments welcome on possible improvements though 🙂
Gav
Copy of my rule is:
when RULE_INIT {
set static::LogInvalidRespDebug 1
}
when HTTP_REQUEST priority 100 {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Processin HTTP Request at Priority 100..." }
Bypass by default
set bypass 1
if { [HTTP::header exists "X-Requested-With"] } {
if {$static::LogInvalidRespDebug > 0} { log local0.info "X-Requested-With HTTP Header Present. Must be AJAX Request." }
return
} else {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Non AJAX Request. Processing further." }
Only looking for HTML Requests
if { [HTTP::header "Accept"] contains "text/html" } {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Accept Header contains 'text/html'. Recording." }
Prevent the server from sending a compressed response
remove the compression offerings from the client
HTTP::header remove "Accept-Encoding"
Don't allow response data to be chunked
if { [HTTP::version] eq "1.1" } {
Force downgrade to HTTP 1.0, but still allow keep-alive connections.
Since HTTP 1.1 is keep-alive by default, and 1.0 isn't,
we need make sure the headers reflect the keep-alive status.
Check if this is a keep alive connection
if { [HTTP::header is_keepalive] } {
Replace the connection header value with "Keep-Alive"
HTTP::header replace "Connection" "Keep-Alive"
}
Set server side request version to 1.0
This forces the server to respond without chunking
HTTP::version "1.0"
}
if {$static::LogInvalidRespDebug > 0} { log local0.info "Storing HTTP::request value" }
set req_data [HTTP::request]
if {$static::LogInvalidRespDebug > 0} { log local0.info "\$req_data = $req_data" }
Need to check the repsonse on this one.
set bypass 0
} else {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Non HTML request. Returning. " }
return
}
}
}
when HTTP_RESPONSE {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing HTTP Response." }
if { $bypass } {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Bypassing this response" }
return
} else {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing this response" }
Trigger collection for up to 1MB of data
if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
Log output.
set ir_hsl [HSL::open -proto UDP -pool splunk_ir]
HSL::send $ir_hsl "<190>|Checking HTTP Response Data\n"
}
}
when HTTP_RESPONSE_DATA {
if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing HTTP Response data." }
if { $bypass } {
return
} else {
do stuff with the payload
set payload [HTTP::payload]
if { $payload contains "" } {
if {$static::LogInvalidRespDebug > 0} { log local0. "Payload contains tag." }
} else {
log local0.crit "Payload doesnt contain tag."
HSL::send $ir_hsl "<190>|$clientip requested $uri. Invalid response returned. Request data was: $req_data\n"
}
}
}