Forum Discussion

Kerry
Aug 09, 2023

HTTP3/QUIC virtual server with Irules and HTTP Policy

Hi

I have an HTTP2 TCP VS with an HTTP policy and iRules working OK.

I have created a UDP VS and have the QUIC, QUIC SSL profile, and HTTP3 profiles assigned. Most other settings match the TCP VS. When testing with curl the TCP one works OK, but the UDP VS is broken.

From the LTM logs I see that the iRule (client accept) is having errors as if the HTTP policy (client accept rule) has not been processed. Same policy as the TCP VS. The iRules have been adjusted for UDP.

Do HTTP policies work with UDP/QUIC/HTTP3 VS?


    • Kerry

      Thanks. Found my initial issue: used "use client" on the protocols field instead of setting TCP.

      Looks like "SNI::" commands do not work. Had an issue with ":" not being in the HTTP::header host (fixed) and local variables not working in the iRules. A local var set in HTTP_REQUEST is missing when processing SERVER_CONNECTED. Set as a global var and it works; this may create session problems. HTTP policy must be working correctly now.

      • Kerry Great job on the solution. Would you mind providing your iRule with personal information obfuscated so that people can use your article as a possible solution?

  • I am still working on the issues.

    Thinking about this, the "SNI" code is for a TCP header. This will not work for UDP connections. This means that for UDP/HTTP3 it is back to one IP = one HTTPS web site = one VS. Thus anything with "SNI::" in an iRule will fail on UDP. It would be nice if F5 coded a "do not use in UDP" type of error or a way to flag an invalid answer when calling SNI instead of getting a TCL error for an undefined variable.

    Also nice if they allowed SSL:: calls in iRules when there are no SSL profiles attached and had an SSL::active test (note SSL should also be renamed to TLS or HTTPS). But that's another story.

    Also the way F5 gets the "host" names in its SNI iRule fails as the header has no ":" in it. I suspect another difference between TCP and UDP HTTP. Added an "if x contains :" but in the end the iRule is only for TCP, so a pointless change. Note this means there is no easy way of telling if the connection is HTTP or HTTPS as HTTP::port also uses this value and defaults to 80. Would need to check the TCP::local_port.

    I am also using VMware to run the F5. So I got the multi-CPU issues, so variable settings do get lost between different event calls 😞. I forgot this and thus could not work out why a "set" did not show up in the "server connect". Also reading the F5 docs, UDP "server connect" may! happen on the first UDP packet, which is before any HTTP stuff fully arrives, thus I think the event flow is different. I think I need to go back to basics and rebuild any iRules from scratch. I still need to check if assigning pools stuff works in HTTP events.

    I don't think I can release the iRules and they also probably would not help, as they are tuned to this environment.

    Going to read k1624003. May help with the one IP to one certificate setup.
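As an added illustration of the two failure modes Kerry describes (a Host header that arrives without a ":port" suffix, and a TCL "undefined variable" error when a value set in one event is read in another), the following iRule is example code written for this thread; it is not Kerry's iRule and not F5-supplied code. It assumes a TCP virtual server with HTTP and client-ssl profiles attached; the variable `sni_host` (which would be populated by whatever SNI-extraction logic the rule is paired with) and the pool names are placeholders.

```tcl
# Added example, not from the original thread or from F5.
# Assumes a TCP virtual server with HTTP + client-ssl profiles.
# "sni_host" and the pool names are placeholders.
when CLIENT_ACCEPTED {
    # Capture the listener port once; it tells us the scheme regardless of
    # whether the client's Host header carried a port.
    set vs_port [TCP::local_port]
}

when HTTP_REQUEST {
    # HTTP/2 and HTTP/3 clients usually send the authority without a port,
    # so only strip ":port" when one is actually present. Bracketed IPv6
    # literals such as "[2001:db8::1]:443" must not be split on their
    # inner colons.
    set host [string tolower [HTTP::host]]
    if { [string index $host 0] eq "[" } {
        set close [string first "]" $host]
        if { $close >= 0 } { set host [string range $host 0 $close] }
    } else {
        set idx [string first ":" $host]
        if { $idx >= 0 } { set host [string range $host 0 [expr {$idx - 1}]] }
    }

    # Derive the scheme from the listener, not from the Host header value.
    if { $vs_port == 443 } { set scheme "https" } else { set scheme "http" }

    # Check before use instead of assuming a value from an earlier event
    # exists; this avoids the TCL "can't read ... no such variable" error.
    if { [info exists sni_host] && $sni_host ne "" } {
        set selected $sni_host
    } else {
        set selected $host
    }

    # Placeholder pool selection keyed on the normalised host name.
    switch -glob -- $selected {
        "www.example.com" { pool pool_www }
        "api.example.com" { pool pool_api }
        default           { pool pool_default }
    }
    log local0. "request $scheme://$selected[HTTP::uri]"
}

when SERVER_CONNECTED {
    # Same guard on the server side: do not rely on "selected" having
    # survived from HTTP_REQUEST; test for it first.
    if { [info exists selected] } {
        log local0. "server [IP::server_addr] connected for $selected"
    } else {
        log local0. "server [IP::server_addr] connected (no host recorded)"
    }
}
```

The `info exists` guard is the generic Tcl answer to the "undefined variable" error mentioned above: it degrades to a default pool rather than aborting the connection. The Host parsing is also more general than the single `contains :` check in the thread, since it handles the no-port, host:port and bracketed IPv6 forms.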