For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Olson's avatar
Chris_Olson
Icon for Nimbostratus rankNimbostratus
Jul 01, 2019

How do I validate compression profile is working?

I am using the below compression profile for JSON. Dev is claiming it is not working on some sites even though I have it applied to the VIP. How do I validate that it is actually working using TMSH? ...
application delivery
LTM
TMSH
Andrew-F5's avatar
Andrew-F5
Icon for Employee rankEmployee
Jul 02, 2019

You could view the counters live or periodically:

# tmsh show ltm profile http-compression Http_compression-json
# watch 'tmsh show ltm profile http-compression Http_compression-json'

You could also take a concurrent client and server side capture, decrypt and look at the first request to see that the Accept-Encoding exists on the request ingress to the F5 and is gone egress from the F5 to the server then the response egress from the F5 back to the client should contain a Content-Encoding header and no Accept-Encoding header.

== From K15434 ==

When you configure an HTTP Compression profile and assign it to a virtual server, the BIG-IP system reads the Accept-Encoding header of a client request and determines what content encoding method the client prefers. The BIG-IP system then removes the Accept-Encoding header from the request and passes the request to the server. Upon receiving the server response, the BIG-IP system inserts the Content-Encoding header, specifying either the gzip or deflate, based on the compression method that the client specifies in the Accept-Encoding header.

== Decrypt Traffic ==

Create this iRule and apply to the virtual server, change '<client_IP_addr>',

when CLIENTSSL_HANDSHAKE {
  if {[IP::addr [IP::client_addr] equals <client_IP_addr>] } {
    log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
  }
}
when SERVERSSL_HANDSHAKE {
  if {[IP::addr [IP::client_addr] equals <client_IP_addr>] } {
    log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
  }
}

Run this capture command:

# tcpdump -s0 -ni 0.0:nnnp -w /var/tmp/<filename>.pcap host <test_client_ip> and host <virtual_server_IP> -vv

Follow steps 11 and 12 in K12783074.

K12783074: Decrypting SSL traffic using the SSL::sessionsecret iRules command (12.x and later) https://support.f5.com/csp/article/K12783074

K15434: Overview of the HTTP Compression profile https://support.f5.com/csp/article/K15434