Forum Discussion
HTTP3/QUIC virtual server with Irules and HTTP Policy
Hi
I have a HTTP2 TCP VS with http policy and Irules working ok.
I have create a UDP VS and have the QUIC, QUIC SSL profile, and HTTP3 profiles assigned . most other setting match the TCP VS. when testing with curl the TCP one works ok. but the UDP VS is broken.
From the LTM logs i see that the Irule (client accept ) is having errors as if the HTTP policy (client accept rule) has not been process. Same policy as the TCP VS. The Irules have been adjusted for udp.
Do HTTP Policies work with UDP/QUIC/HTTP3 VS?
Kerry Sadly I haven't had an opportunity to deal with QUIC but maybe the following two articles will assist you.
https://my.f5.com/manage/s/article/K60235402
https://my.f5.com/manage/s/article/K16240003If you can provide the iRule maybe we can look over it to see if any errors can be found. In addition to this you can add logging lines for each event in your iRule to see if the log is generated as a way to troubleshoot if certain pieces are just being skipped.
- KerryCirrus
thanks. found my initl issue. used "use client" on protocols feild instead of setting TCP.
looks like "SNI::" commands do not work. had a issues with ":" not being in the http::header host. (fixed) and local variables not working in the irules. a local var set in http_request is missing when process SERVER_CONNECTED. set as a global var and it works, this may create sessions problems . HTTP policy must be working correctly coirrectly now.
Kerry Great job on the solution. Would you mind providing your iRule with personal information obfuscated so that people can use your article as a possible solution?
- KerryCirrus
I am still working on the issues.
Thinking about this the "SNI" code is for a TCP header. This will not work for UDP connections. This means that for UDP/HTTP3 it back to one IP= one HTTPS web site = One VS. Thus anything with "SNI::" in a irule will fail on UDP. It would be nice if F5 coded a “do not use in udp” type of error or a way to flag an invalid answer when call SNI instead of getting a TCL error for an undefined variable.
Also nice if the allow SSL: calls in Irules when there no SSL profiles attached and have a SSL::active test (note SSL should also be renamed to TLS or HTTPS). But that another story
Also the way F5 get the "host" names in its SNI Irule fails as the header has no ":" in it. I suspect another difference between TCP and UDP HTTP. added a "if x contains : " but in the end the Irules is only for TCP. so a pointless change. Note this means there no easy way of telling is the connections is HTTP or HTTPS as HTTP::port also uses this value and defaults to 80 . Would need to check the TCP::local_port
I am also using VMware to run the F5. So i got the multi CPU issues so variables setting do get lost between different event call 😞 , I forgot this and thus could not work out why a "set" did not should up in the "server connect". Also reading the F5 Doc's, UDP "server connect" may! happen on the first UDP packet which is before any HTTP stuff fully arrives, Thus i think the event flow is different. I think i need to go back to basics and rebuild any irules from scratch. I still need to check if assigning pools stuff work in http events.
I don't think i can release the Irules and they also probably would not help. As they tuned to this environment
going to read k1624003 . may help with the one IP to one certificate setup.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com