Forum Discussion
HTTPS Monitor Health - Receive String 200 OK Not Working
Thank you again.
We continued troubleshooting today.
And by checking the logs on the server side, we learned that the server is sending back a 400. This is why the string of 200 will never be hit in the configured receive string. When drafting the send string, we followed the recommendation in K2167:
Example send string
GET /index.html HTTP/1.1\r\nHost: host.example.com
Customized it:
GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close
But server still sends 400.
Interestingly, when using openssl with the same link, we receive HTTP code 200:
(echo -e "GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nHost: ...\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect ...**.:443
---
HTTP/1.1 200 OK
Date: Wed, 06 Nov 2024 17:34:10 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 73
Connection: close
X-Krakend: Version 2.2.0
X-Krakend-Completed: false
X-Processing-Time: 0.000031
X-Request-Id: 7f2830f5-9e4a-4d80-9bc4-1fe2cce2f02f
Expires: Wed, 06 Nov 2024 16:34:10 GMT
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-XSS-Protection: 1; mode=block
Client-Verify: NONE
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=72000
Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
Cache-Control: no-store
{"status":"started","services":[{"name":"nae-kmip","status":"started"}]}
closed
Netmart, you might want to perform a capture on the server side as well as a tcpdump on the F5 side to see exactly what is being sent to the server and why the server is seeing it as a bad request. I did notice that in your customized GET you have a double // at the beginning of the path and a space after 1.1. So the following is what you have.
GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close
You should have the following instead to match the openssl query.
GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nConnection: Close
Notice that the extra / before api is gone.
If this is incorrect in your monitor, I can see why this isn't working properly. Have you attempted the same query using curl instead from the F5? I also noticed that you aren't specifying a host field even though HTTP 1.1 does specify a necessity to have a host field entry. Typically, if you do not define the host header, it will be blank or the F5 will automatically convert it to the IP of the pool member before sending the query. If you do a tcpdump, you should be able to see this information being sent if you open it up in Wireshark and use the SSL key to decrypt the tcpdump. I believe the following will assist you with decrypting the tcpdump in Wireshark.
https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/
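The three points raised in the reply above (the leading //, the space after HTTP/1.1, and the missing Host header) can be checked mechanically before a send string goes into a monitor. This is an added example, not part of the original thread or of any F5 tooling; lint_send_string and its finding names are hypothetical, and it inspects only the string as typed, not what the BIG-IP finally puts on the wire.

```python
import re

REQUEST_LINE = re.compile(r"(\S+) (\S+) (HTTP/\d\.\d)")

# Send strings exactly as they appear in the thread (typed with literal \r\n).
K2167_EXAMPLE = r"GET /index.html HTTP/1.1\r\nHost: host.example.com"
CUSTOMIZED = r"GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close"
SUGGESTED = r"GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nConnection: Close"


def lint_send_string(send: str) -> list[str]:
    """Return findings for a monitor send string typed with literal \\r\\n escapes."""
    findings = []
    raw = send.replace("\\r\\n", "\r\n")  # turn the typed escapes into real CRLFs
    request_line, _, rest = raw.partition("\r\n")

    # A stray space before the CRLF becomes part of the request line.
    if request_line != request_line.strip():
        findings.append("whitespace-around-request-line")
    match = REQUEST_LINE.fullmatch(request_line.strip())
    if match is None:
        findings.append("malformed-request-line")
        return findings
    _method, target, version = match.groups()

    # "//api/..." is a different request target than "/api/...".
    if target.startswith("//"):
        findings.append("double-slash-path")

    # Collect header names from the remaining lines of the send string.
    header_names = {
        line.split(":", 1)[0].strip().lower()
        for line in rest.split("\r\n")
        if ":" in line
    }
    # HTTP/1.1 requires a Host header in every request.
    if version == "HTTP/1.1" and "host" not in header_names:
        findings.append("missing-host-header")
    return findings


if __name__ == "__main__":
    for name, s in [("K2167", K2167_EXAMPLE), ("customized", CUSTOMIZED), ("suggested", SUGGESTED)]:
        print(f"{name}: {lint_send_string(s) or 'no findings'}")
```

The lint only narrows down candidates; the tcpdump on the F5 side remains the way to confirm what was actually sent.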