Forum Discussion
HTTP Profile "Maximum Header Size"
Hi All,
Our platform is intended to act as a proxy or transparent proxy to serve ONLY HTTP traffic from handsets or laptops. (Non-HTTP traffic is bypassed at the F5 level.)
After we put live production traffic on the platform, lots of HTTP header size errors were logged, causing the F5 to stop sending traffic to one of the pool members.
We tried to increase the size to 64KB and the error still keeps being logged in /var/log/ltm.
To avoid downtime, we had the "Maximum Header Size" disabled in the HTTP profile.
Please see below for the error log.
History log:
Jan 4 23:58:53 local/tmm err tmm[5238]: 011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
Jan 4 23:58:54 local/tmm1 err tmm1[5239]: 011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
Jan 4 23:58:55 local/tmm3 err tmm3[5241]: 011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
Jan 4 23:58:55 local/tmm err tmm[5238]: 011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
I need advice on the questions below:
1. Is this a critical message?
2. If a particular VS is hitting too many of these errors, what is the expected F5 behavior? Stop sending traffic to one of the pool members?
3. Need input from your security point of view: what value is the best approach?
4. If we disable "Maximum Header Size" checking, will it cause a security issue? Like a DoS attack?
Thanks,
chiewming
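Added example, not part of the original post: a small Python summary of the 011f0005 lines in /var/log/ltm, grouped by virtual server, side and configured limit, to show how far over the limit the offending headers actually are before choosing a value. The field layout is assumed from the log lines quoted above; the 65536-limit line and the non-matching line in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ltm log lines quoted in the post.
SAMPLE = """\
Jan 4 23:58:53 local/tmm err tmm[5238]: 011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
Jan 4 23:58:54 local/tmm1 err tmm1[5239]: 011f0005:3: HTTP header (33304) exceeded maximum allowed size of 32768 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
Jan 4 23:59:10 local/tmm err tmm[5238]: 011f0005:3: HTTP header (70012) exceeded maximum allowed size of 65536 (Client side: vip=ext_HTTP_VS_80 profile=http pool=Pool_3128)
Jan 4 23:59:11 local/tmm notice tmm[5238]: constructed unrelated line
"""

# Layout assumed from the quoted log lines: observed size, limit, side, vip, profile, pool.
LINE_RE = re.compile(
    r"011f0005:\d+: HTTP header \((?P<size>\d+)\) exceeded maximum allowed size of "
    r"(?P<limit>\d+) \((?P<side>\w+) side: vip=(?P<vip>\S+) profile=(?P<profile>\S+) "
    r"pool=(?P<pool>[^\s)]+)\)"
)

def summarize(text):
    """Group 011f0005 events by (vip, side, limit) and report size statistics."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that are not header-size errors are skipped
            groups[(m["vip"], m["side"], int(m["limit"]))].append(int(m["size"]))
    report = {}
    for key, sizes in groups.items():
        limit = key[2]
        report[key] = {
            "events": len(sizes),
            "max_size": max(sizes),
            "max_overshoot": max(sizes) - limit,   # bytes above the configured limit
            "distinct_sizes": sorted(set(sizes)),  # one repeated size suggests one client retrying
        }
    return report

if __name__ == "__main__":
    for (vip, side, limit), stats in sorted(summarize(SAMPLE).items()):
        print(vip, side, limit, stats)
```
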
- hooleylist (Cirrostratus): Hi Chiewming,

  ```tcl
  when HTTP_REQUEST {

      # Check the total HTTP headers size
      if {[string length [HTTP::request]] > 10000} {

          # Check if the URI is very long
          if {[string length [HTTP::uri]] > 1000} {

              log local0. "Uri is long. Length [string length [HTTP::uri]], URI: [HTTP::uri]"

              # Exit this event from this iRule
              return
          }

          # Loop through the headers by name
          foreach header [HTTP::header names] {

              # Check for a long header value
              if {[string length [HTTP::header value $header]] > 1000} {

                  log local0. "Header is long. Header Name: $header,\
                      Length: [string length [HTTP::header value $header]], Value: [HTTP::header value $header]"

                  # Exit this event from this iRule
                  return
              }
          }

          # If we are still here the request was large, but not the URI or any single header.
          # Log the first 1k bytes of the full request
          log local0. "Request is long: [HTTP::request]"
      }
  }
  ```
- chiewming_15294 (Nimbostratus): Hi Aaron,
- chiewming_15294 (Nimbostratus): Any update?
- hooleylist (Cirrostratus): 1) When you say TMM reset the connection, does it mean the client needs to resend the HTTP request again?
- chiewming_15294 (Nimbostratus): Great. Thanks Aaron...
- chiewming_15294 (Nimbostratus): Hi Aaron,
- hooleylist (Cirrostratus): Currently, we have a few iRules associated with the virtual server and the average is about 25% CPU load.

  ```tcl
  when HTTP_REQUEST {

      # Check the total HTTP headers size
      if {[string length [HTTP::request]] > 32768} {

          # Check if the URI is very long
          if {[string length [HTTP::uri]] > 1000} {

              log local0. "Uri is long. Length [string length [HTTP::uri]], URI: [HTTP::uri]"

              # Exit this event from this iRule
              return
          }

          # Loop through the headers by name
          foreach header [HTTP::header names] {

              # Check for a long header value
              if {[string length [HTTP::header value $header]] > 1000} {

                  log local0. "Header is long. Header Name: $header,\
                      Length: [string length [HTTP::header value $header]], Value: [HTTP::header value $header]"

                  # Exit this event from this iRule
                  return
              }
          }

          # If we are still here the request was large, but not the URI or any single header.
          # Log the first 1k bytes of the full request
          log local0. "Request is long: [HTTP::request]"
      }
  }
  ```
- chiewming_15294 (Nimbostratus): Rephrase my second question:
- hooleylist (Cirrostratus): 1) Thinking about this logically, you shouldn't be able to analyze an HTTP request exceeding the maximum header size allowed using an iRule; when the maximum HTTP header size is exceeded, F5 simply drops that request and sends a RST to the client.