Netmart
Nov 07, 2024

HTTPS Monitor Health - Receive String 200 OK Not Working

Hello,

Though we receive "HTTP/1.1 200 OK" in the HTTPS response header, the same string used as the receive string in the health monitor does not work. F5 seems to ignore any character after HTTP/1.1.

In sum:

Not Working:

    HTTP/1.1 200 OK
    HTTP/1.1\s200
    HTTP/1\.(0|1)
    HTTP/1\.(0|1) (200)
    HTTP/1\.(0|1)\s200
    HTTP/1.1 200 OK
    HTTP/1.1\s200\sOK
    200

Only Working:

    ==> HTTP/1.1 
    ==> OK||200
    ==> <bank>

Type: https, Alias Service port 443.

VIP is using TCP profile.

Extract from openssl capture:

    ---
    HTTP/1.1 200 OK
    Date: Wed, 06 Nov 2024 23:52:28 GMT
    Content-Type: application/json; charset=UTF-8
    Content-Length: 153
    Connection: close
    X-Krakend: Version 2.2.0
    X-Krakend-Completed: false
    X-Processing-Time: 0.000029
    X-Request-Id: e187dac8-20f7-43fd-b99a-6e4671b7f8e6
    Expires: Wed, 06 Nov 2024 22:52:28 GMT
    Cache-Control: no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-XSS-Protection: 1; mode=block
    Client-Verify: NONE
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: none
    Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
    Referrer-Policy: strict-origin-when-cross-origin
    Expect-CT: enforce, max-age=72000
    Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
    Cache-Control: no-store

closed

  • Netmart It doesn't seem as though you tried the following, which should be the correct syntax.

    HTTP/1\.1 200 OK

  • Netmart 

    The HTTP monitor includes a Receive String field. This field specifies a string for comparison with the server response. The health monitors that support regular expressions are HTTP, HTTPS, TCP, and UDP. In some cases, the string 200 OK works as most servers respond with this status code.

     

    I found an article that could help answer your question on our myf5 portal, please click on the links below

     

    K5917: Using regular expressions in a health monitor receive string

    https://my.f5.com/manage/s/article/K5917

     

    I hope this helps.

     

  • Thank you Akonu.

    I am aware of this document and tried the following without any progress:

    Receive String: HTTP/1.1 200 OK
     
     
    Not Working:
    HTTP/1.1 200 OK
    HTTP/1.1\s200
    HTTP/1\.(0|1)
    HTTP/1\.(0|1) (200)
    HTTP/1\.(0|1)\s200
    HTTP/1.1 200 OK
    HTTP/1.1\s200\sOK
    200
     
    Only Working:
    ==> HTTP/1.1 
    ==> OK||200
    ==> <bank>
     
    And I verified via curl/openssl the HTTPS Response header: HTTP/1.1 200 OK:
    ---
    HTTP/1.1 200 OK
    Date: Wed, 06 Nov 2024 23:52:28 GMT
    Content-Type: application/json; charset=UTF-8
    Content-Length: 153
    Connection: close
    X-Krakend: Version 2.2.0
    X-Krakend-Completed: false
    X-Processing-Time: 0.000029
    X-Request-Id: e187dac8-20f7-43fd-b99a-6e4671b7f8e6
    Expires: Wed, 06 Nov 2024 22:52:28 GMT
    Cache-Control: no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-XSS-Protection: 1; mode=block
    Client-Verify: NONE
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: none
    Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
    Referrer-Policy: strict-origin-when-cross-origin
    Expect-CT: enforce, max-age=72000
    Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
    Cache-Control: no-store
     
    {"status":"starting","services":[{"name":"nae-kmip","status":"started"}],"messages":["all services ok, waiting 1m0s for services to continue to be ok"]}
    closed

     

     
    Thanks
    • akonu

      Netmart 

      From your update, you said the 200 does not work. If that is the case, your server could be responding to the health probes with a different status code other than 200. Can I ask that you verify the output of the monitor using the guide below (please use the same string as the monitor send string).

      K81239024: Testing HTTP/HTTPS Monitor Send String using openssl s_client and netcat (nc)

      https://my.f5.com/manage/s/article/K81239024

      Hope this helps.

  • Thank you again.

    We continued troubleshooting today.

    And by checking logs on server site, we learned that server is sending back a 400. This is why the string of 200 will never be hit in the configured receive string. When drafting the Send string, we followed the recommendation in K2167:

    Example send string

    GET /index.html HTTP/1.1\r\nHost: host.example.com

     

    Customized it:

    GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close

     

    But server still sends 400.

    Interestingly, when using openssl by using the same link we receive HTTP code 200:

    (echo -e "GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nHost: ...\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect ...**.:443

     

     

    ---
    HTTP/1.1 200 OK
    Date: Wed, 06 Nov 2024 17:34:10 GMT
    Content-Type: application/json; charset=UTF-8
    Content-Length: 73
    Connection: close
    X-Krakend: Version 2.2.0
    X-Krakend-Completed: false
    X-Processing-Time: 0.000031
    X-Request-Id: 7f2830f5-9e4a-4d80-9bc4-1fe2cce2f02f
    Expires: Wed, 06 Nov 2024 16:34:10 GMT
    Cache-Control: no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-XSS-Protection: 1; mode=block
    Client-Verify: NONE
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: none
    Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
    Referrer-Policy: strict-origin-when-cross-origin
    Expect-CT: enforce, max-age=72000
    Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
    Cache-Control: no-store

    {"status":"started","services":[{"name":"nae-kmip","status":"started"}]}
    closed
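Added example, not part of the thread: it checks each receive string quoted above against the 200 response from the capture and against a 400 response, to show which strings would also accept the error. Python's `re` stands in for the BIG-IP matcher (an assumption, including how it treats the empty alternative in `OK||200`), the match is assumed to be an unanchored search, and the 400 response is constructed because the thread does not show it.

```python
import re

# Status line, first headers and body of the 200 response captured in the thread.
GOOD = ("HTTP/1.1 200 OK\r\nDate: Wed, 06 Nov 2024 17:34:10 GMT\r\n"
        "Content-Type: application/json; charset=UTF-8\r\n\r\n"
        '{"status":"started","services":[{"name":"nae-kmip","status":"started"}]}')
# Constructed: the thread says the server answered the monitor with a 400,
# but the response itself is not shown.
BAD = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

# Receive strings listed in the thread; "" is the blank receive string.
RECEIVE_STRINGS = [
    r"HTTP/1.1 200 OK", r"HTTP/1.1\s200", r"HTTP/1\.(0|1)",
    r"HTTP/1\.(0|1) (200)", r"HTTP/1\.(0|1)\s200", r"HTTP/1.1\s200\sOK",
    r"200", r"HTTP/1.1 ", r"OK||200", "",
]

def classify(pattern, good=GOOD, bad=BAD):
    """Return 'false-up' if the pattern accepts the error response,
    'strict' if it matches only the good response,
    'never-up' if it does not match the good response either."""
    rx = re.compile(pattern)
    if rx.search(bad):
        return "false-up"
    return "strict" if rx.search(good) else "never-up"

def report(patterns=RECEIVE_STRINGS):
    """Map every receive string to its verdict."""
    return {p: classify(p) for p in patterns}

if __name__ == "__main__":
    for pattern, verdict in report().items():
        print(f"{verdict:9} {pattern!r}")
```

A receive string classified `false-up` marks a pool member up while it is answering the probe with an error, so a monitor that only goes green with such a string is a reason to check what the server actually returned.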


    • Paulius

      Netmart You might want to perform a capture on the server side as well as a tcpdump on the F5 side to see exactly what is being sent to the server and why the server is seeing it as a bad request. I did notice that in your customized GET you have double // at the beginning of the path and a space after 1.1. So the following is what you have.

      GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close

      You should have the following instead to match the openssl query.

      GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nConnection: Close

      Notice that the extra / before api is gone.

      If this is incorrect in your monitor I can see why this isn't working properly. Have you attempted the same query using curl instead from the F5? I also noticed that you aren't specifying a host field even though HTTP 1.1 does specify a necessity to have a host field entry. Typically if you do not define the host header it will be blank or the F5 will automatically convert it to the IP of the pool member before sending the query. If you do a tcpdump you should be able to see this information being sent if you open it up in wireshark and use the SSL key to decrypt the tcpdump. I believe the following will assist you with decrypting the tcpdump in wireshark.

      https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/
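Added example, not part of the thread: a small lint for a monitor send string that flags the three deviations pointed out in the comment above (leading `//`, whitespace after the HTTP version, no Host header). The function name and the finding texts are made up for this example, and the send string is assumed to be written with literal `\r\n` escapes as in the thread.

```python
import re

def lint_send_string(send):
    """Lint a monitor send string written with literal \\r\\n escapes.
    Returns a list of findings; an empty list means no check fired."""
    lines = send.split("\\r\\n")
    request_line = lines[0]
    headers = [h for h in lines[1:] if h]
    # Request line grammar: METHOD SP request-target SP HTTP-version, nothing after.
    m = re.fullmatch(r"([A-Z]+) (\S+) (HTTP/\d\.\d)(\s*)", request_line)
    if m is None:
        return ["request line is not 'METHOD SP target SP HTTP/x.y'"]
    _method, target, version, trailing = m.groups()
    findings = []
    if trailing:
        findings.append("whitespace after HTTP version")
    if target.startswith("//"):
        findings.append("request target starts with '//'")
    names = {h.split(":", 1)[0].strip().lower() for h in headers}
    # RFC 9112 requires a Host header field in every HTTP/1.1 request.
    if version == "HTTP/1.1" and "host" not in names:
        findings.append("HTTP/1.1 request without Host header")
    return findings

# Send strings quoted in the thread.
ORIGINAL = r"GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close"
CORRECTED = r"GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nConnection: Close"
K2167_EXAMPLE = r"GET /index.html HTTP/1.1\r\nHost: host.example.com"

if __name__ == "__main__":
    for name, s in [("original", ORIGINAL), ("corrected", CORRECTED),
                    ("K2167", K2167_EXAMPLE)]:
        print(name, lint_send_string(s) or "no findings")
```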

  • Thank you Paulius.

    When we took a capture, the Self IP of F5 is used as source.

    Testing with OpenSSL we get a 200 in response header:

    (echo -e "GET / HTTP/1.1\r\nHost: <F5 VIP>\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect <Real IP of Pool>:443

    We made sure to use the proper format - one slash "/"

     

    Regards.

    Netmart