For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

M_Links_with_N_'s avatar
M_Links_with_N_
Icon for Nimbostratus rankNimbostratus
Sep 01, 2015

I neglected to mention the 443 virtual server has two iRules applied:

http_redirect_www.xyz.com_test (redirects 443 requests to 80)

insert_https_offloaded_header (adds x-forwarded-proto info to packet headers)

The order in which irules are listed on virtual server profiles dictates the order in which they’re executed. In this case, the above order results in error because the LTM is attempting to add the "'X-Forwarded-Proto'" information to packet headers after redirecting the client. Rather than allow traffic to proceed without modifying header information, the LTM resets the connection.

Reversing the order fixes the issue.

Support discovered the following entries in /var/log/ltm , which hinted the "insert_https_offloaded_header" iRule was somehow involved:

Sep  1 11:29:40 xyz-f5-ltm err tmm[12022]: 01220001:3: TCL error: /Common/insert_https_offloaded_header <HTTP_REQUEST> - Operation not supported (line 1) invoked from within "HTTP::header insert "X-Forwarded-Proto" "https""
Sep  1 11:29:40 xyz-f5-ltm err tmm[12022]: 01220001:3: TCL error: /Common/insert_https_offloaded_header <HTTP_REQUEST> - Operation not supported (line 1) invoked from within "HTTP::header insert "X-Forwarded-Proto" "https""
Sep  1 11:29:45 xyz-f5-ltm err tmm[12022]: 01220001:3: TCL error: /Common/insert_https_offloaded_header <HTTP_REQUEST> - Operation not supported (line 1) invoked from within "HTTP::header insert "X-Forwarded-Proto" "https""

Thanks for your help.