NimbostratusHi all,
I have an irules to decrypt all http payload request and other to encrypt all http payload response, it works perfectly, but the CPU consumption of TMM is very high. Anyone have experience with these irules ?? Can it be optimized so that it does not use so much CPU? Thank you
My have a i5800 series
thanks all
JP
Nimbostratuswhen RULE_INIT {
set static::hexkey "xxxxxxxxxxxxxxxxx"
log local0.info"====Rule_Init===="
log local0.info "Key is $static::hexkey"
log local0.info"================="
}
when HTTP_REQUEST {
HTTP::header remove "Accept-Encoding"
if { [HTTP::version] eq "1.1" } {
if { [HTTP::header is_keepalive] } {
HTTP::header replace "Connection" "Keep-Alive"
}
HTTP::version "1.0"
}
if {[HTTP::method] != "OPTIONS"}{
if {! ([HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx") }{
if { !([HTTP::uri] starts_with "/xxx/v1/xxxxxxx") }{
Trigger collection for up to 1MB of data
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
}
}
}
}
when HTTP_REQUEST_DATA {
if {[HTTP::method] != "OPTIONS"}{
if {! ([HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx") }{
if { !([HTTP::uri] starts_with "/xxx/v1/xxxxxxx") }{
log local0.info [HTTP::uri]
set iv "xxxxxxxxxx"
set paiload [HTTP::payload]
log local0.info "payload: $paiload"
set payload_without_json [string map {\{ {} \} {} \[ {} \] {} \" {} set {} value {} \: {}} $paiload]
log local0.info "sin json: $payload_without_json"
set text_to_decrypt [b64decode $payload_without_json]
log local0.info "dato encriptado: $text_to_decrypt"
set dec_out_no_binary [CRYPTO::decrypt -alg aes-128-cbc -keyhex $static::hexkey -ivhex $iv $text_to_decrypt]
binary scan $dec_out_no_binary H* enc_hex
log local0.info "dato desencriptado: $dec_out_no_binary"
HTTP::payload replace 0 [HTTP::payload length] $dec_out_no_binary
HTTP::release
}
}
}
}
EmployeeJPcaceresMorales,
Crypto operations in TCL are CPU-intensive, so encrypting/decrypting requests will utilize significant CPU.
Is there a reason that the Request/Response Body is encrypted in this way, as opposed to just relying on SSL/TLS encryption (which is hardware offloaded)?