Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

brad9iner_11512's avatar
brad9iner_11512
Icon for Altostratus rankAltostratus
Mar 20, 2019

Error processing HTTP request header

I'm running into an issue on my apache tomcat 8 servers when receiving traffic routed through the F5. We have enabled TLS on the application servers and have setup an SSL Server profile to send the t...
application delivery
big-ip
cloud
LTM
DennisJann's avatar
DennisJann
Icon for Nimbostratus rankNimbostratus
Mar 20, 2019

It looks like this error occurs when you send an HTTPS request to a Tomcat server running an HTTP listener.

I got a similar error message from a sample Tomcat Docker image (

docker run -it --rm -p 8888:8080 tomcat:alpine
) when I sent it an HTTPS request (
curl -Ivk https://localhost:8888/
).

21-Mar-2019 00:36:25.559 INFO [http-nio-8080-exec-8] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:428)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:684)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

You could confirm this by removing the serverssl profile from the VIP in question.

You could also try connecting to ports 8443 and 8444 on your Tomcat hosts to verify that they are in fact configured to accept HTTPS connections.

If neither of these resolves the issue, you could try sharing a sanitized version of your VIP configuration, along with confirmation that the Tomcat servers are accepting HTTPS connections.

DennisJann's avatar
DennisJann
Icon for Nimbostratus rankNimbostratus
Mar 21, 2019

Given your existing iRule, you would enclose the "or" conditions in ()'s like this:

when SERVER_CONNECTED {
   if { ([LB::server port] != 8443 or [LB::server port] != 8444 or [LB::server port] != 8445) && [LB::server port] != 443 } {
      SSL::disable
   }
}

I don't know your specific requirement, but I've generally used SSL::disable in the HTTP_REQUEST event like this:

when HTTP_REQUEST {
   if { [HTTP::path] starts_with "/plaintext-path" } {
      SSL::disable
      pool http_pool
   } else {
      pool https_pool
   }
}

Hope this helps.