For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ed_Hammond_2611's avatar
Ed_Hammond_2611
Icon for Nimbostratus rankNimbostratus
May 06, 2008

HTTP 304 Status - How to drop content

We have a server that is appending 20 bytes of content to a 304 status response in violation of RFC. Fixing the server is a real challenge as it is functionally stable, so we are forced to mask the e...
application delivery
dev
devops
iRules
Ed_Hammond_2611's avatar
Ed_Hammond_2611
Icon for Nimbostratus rankNimbostratus
May 20, 2008
We have released this code into production with positive feeback from our customers that were affected.

 

 

The problem the customers were having was with Symantec and Kasperski firewalls where the TCP connection would stall when the extra bytes were seen in the response. The client side TCP connection would not respond to the browser, causing the page to "hang" until the TCP timeout occured and the browser opened a new connection. This used connection capacity on the firewall and terrible response time on the client side, but the F5 side looked fine and dandy.

 

 

There are two change requests out to fix the extra header material in HTTP::respond (CR99706 & CR64228). Hopefully what development will do in the respond call is to scan the headers provided and only fill in the gaps that are absolutely needed per RFC2616. In the case of the above, nothing extra would be needed.

 

 

We'll see how well development and fix the HTTP::respond command.

 

 

P.S. Support dropped the request to fix the HTTP::payload command so that it works consistently across all status codes. That's a real shame as it has been a problem for years