Forum Discussion
HTTPS Monitor Health - Receive String 200 OK Not Working
Hello,
Though we receive in https response header "HTTP/1.1 200 OK", the same string used as receive in Health Monitor does not work. F5 seems to ignore any character after HTTP/1.1.
In sum:
Not Working:
HTTP/1.1 200 OK
HTTP/1.1\s200
HTTP/1\.(0|1)
HTTP/1\.(0|1) (200)
HTTP/1\.(0|1)\s200
HTTP/1.1 200 OK
HTTP/1.1\s200\sOK
200
Only Working:
==> HTTP/1.1
==> OK||200
==> <bank>
Type: https, Alias Service port 443.
VIP is using TCP profile.
Extract from openssl capture:
---
HTTP/1.1 200 OK
Date: Wed, 06 Nov 2024 23:52:28 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 153
Connection: close
X-Krakend: Version 2.2.0
X-Krakend-Completed: false
X-Processing-Time: 0.000029
X-Request-Id: e187dac8-20f7-43fd-b99a-6e4671b7f8e6
Expires: Wed, 06 Nov 2024 22:52:28 GMT
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-XSS-Protection: 1; mode=block
Client-Verify: NONE
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=72000
Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
Cache-Control: no-store
closed
- Netmart (Nimbostratus)
Thank you Paulius.
When we took a capture the Self IP of F5 is used as source.
Testing with OpenSSL we get a 200 in response header:
(echo -e "GET / HTTP/1.1\r\nHost: <F5 VIP>\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect <Real IP of Pool>:443
We made sure to use the proper format - one slash "/"
Regards.
Netmart
- Netmart (Nimbostratus)
Thank you again.
We continued troubleshooting today.
And by checking logs on the server side, we learned that the server is sending back a 400. This is why the string of 200 will never be hit in the configured receive string. When drafting the Send string, we followed the recommendation in K2167:
Example send string
GET /index.html HTTP/1.1\r\nHost: host.example.com
Customized it:
GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close
But server still sends 400.
Interestingly, when using openssl with the same link, we receive HTTP code 200:
(echo -e "GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nHost: ...\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect ...**.:443
---
HTTP/1.1 200 OK
Date: Wed, 06 Nov 2024 17:34:10 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 73
Connection: close
X-Krakend: Version 2.2.0
X-Krakend-Completed: false
X-Processing-Time: 0.000031
X-Request-Id: 7f2830f5-9e4a-4d80-9bc4-1fe2cce2f02f
Expires: Wed, 06 Nov 2024 16:34:10 GMT
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-XSS-Protection: 1; mode=block
Client-Verify: NONE
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=72000
Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
Cache-Control: no-store
{"status":"started","services":[{"name":"nae-kmip","status":"started"}]}
closed
Netmart You might want to perform a capture on the server side as well as a tcpdump on the F5 side to see exactly what is being sent to the server and why the server is seeing it as a bad request. I did notice that in your customized GET you have double // at the beginning of the path and a space after 1.1. So the following is what you have.
GET //api/v1/system/services/status?service_names=nae-kmip HTTP/1.1 \r\nConnection: Close
You should have the following instead to match the openssl query.
GET /api/v1/system/services/status?service_names=nae-kmip HTTP/1.1\r\nConnection: Close
Notice that the extra / before api is gone.
If this is incorrect in your monitor I can see why this isn't working properly. Have you attempted the same query using curl instead from the F5? I also noticed that you aren't specifying a host field even though HTTP 1.1 does specify a necessity to have a host field entry. Typically if you do not define the host header it will be blank or the F5 will automatically convert it to the IP of the pool member before sending the query. If you do a tcpdump you should be able to see this information being sent if you open it up in wireshark and use the SSL key to decrypt the tcpdump. I believe the following will assist you with decrypting the tcpdump in wireshark.
https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/
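The three differences called out in the reply above (the doubled slash, the space after `HTTP/1.1`, and the absent Host header) can be checked mechanically before a send string goes into a monitor. This is an added example, not code from the thread participants or from F5; the function names and finding codes are hypothetical, and the sample strings are the ones quoted in this thread plus the `host.example.com` placeholder from the K2167 example.

```python
def render(send_string: str) -> str:
    """Expand the literal \\r and \\n escapes typed into the Send String field."""
    return send_string.replace("\\r", "\r").replace("\\n", "\n")


def lint_send_string(send_string: str) -> list[str]:
    """Return finding codes (hypothetical names) for a monitor send string."""
    lines = render(send_string).split("\r\n")
    request_line = lines[0]
    headers = [line for line in lines[1:] if line]
    findings = []

    # "GET /path HTTP/1.1 " with a trailing or doubled space is not a valid
    # request line, and a strict server can answer it with 400.
    if request_line != request_line.strip() or "  " in request_line:
        findings.append("stray-space")

    parts = request_line.split()
    if len(parts) != 3:
        findings.append("malformed-request-line")
        return findings
    _method, target, version = parts

    # "//api/..." is not the same request target as "/api/..." and may not
    # be routed the way the single-slash path is.
    if target.startswith("//"):
        findings.append("double-slash")

    # HTTP/1.1 requires a Host header; servers must reject requests without one.
    names = {h.split(":", 1)[0].strip().lower() for h in headers if ":" in h}
    if version == "HTTP/1.1" and "host" not in names:
        findings.append("missing-host")
    return findings


if __name__ == "__main__":
    path = "/api/v1/system/services/status?service_names=nae-kmip"
    samples = {
        "monitor as posted": "GET /" + path + r" HTTP/1.1 \r\nConnection: Close",
        "suggested fix": "GET " + path + r" HTTP/1.1\r\nConnection: Close",
        "with Host": "GET " + path
        + r" HTTP/1.1\r\nHost: host.example.com\r\nConnection: Close",
    }
    for label, send in samples.items():
        print(f"{label}: {lint_send_string(send) or 'clean'}")
```
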
- Netmart (Nimbostratus)
Thank you Akonu.
I am aware of this document and tried the following without any progress:
Receive String: HTTP/1.1 200 OK
Not Working:
HTTP/1.1 200 OK
HTTP/1.1\s200
HTTP/1\.(0|1)
HTTP/1\.(0|1) (200)
HTTP/1\.(0|1)\s200
HTTP/1.1 200 OK
HTTP/1.1\s200\sOK
200
Only Working:
==> HTTP/1.1
==> OK||200
==> <bank>
And I verified via curl/openssl the HTTPS Response header: HTTP/1.1 200 OK:
---
HTTP/1.1 200 OK
Date: Wed, 06 Nov 2024 23:52:28 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 153
Connection: close
X-Krakend: Version 2.2.0
X-Krakend-Completed: false
X-Processing-Time: 0.000029
X-Request-Id: e187dac8-20f7-43fd-b99a-6e4671b7f8e6
Expires: Wed, 06 Nov 2024 22:52:28 GMT
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-XSS-Protection: 1; mode=block
Client-Verify: NONE
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Feature-Policy: geolocation 'none'; camera 'none'; speaker 'none'; microphone 'none';
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=72000
Content-Security-Policy: default-src 'self' blob:;base-uri 'self'; form-action 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; img-src 'self' data:;
Cache-Control: no-store
{"status":"starting","services":[{"name":"nae-kmip","status":"started"}],"messages":["all services ok, waiting 1m0s for services to continue to be ok"]}
closed
Thanks
- akonu (Moderator)
From your update, you said the 200 does not work. If that is the case, your server could be responding to the health probes with a different status code other than 200. Can I ask that you verify the output of the monitor using the guide below? (Please use the same string as the monitor send string.)
K81239024: Testing HTTP/HTTPS Monitor Send String using openssl s_client and netcat (nc)
https://my.f5.com/manage/s/article/K81239024
Hope this helps.
- akonu (Moderator)
The HTTP monitor includes a Receive String field. This field specifies a string for comparison with the server response. The health monitors that support regular expressions are HTTP, HTTPS, TCP, and UDP. In some cases, the string 200 OK works as most servers respond with this status code.
I found an article on our myf5 portal that could help answer your question. Please click on the links below.
K5917: Using regular expressions in a health monitor receive string
https://my.f5.com/manage/s/article/K5917
I hope this helps.
Netmart It doesn't seem as though you tried the following, which should be the correct syntax.
HTTP/1\.1 200 OK