For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Moritz_Krinke_6's avatar
Moritz_Krinke_6
Icon for Nimbostratus rankNimbostratus
Jul 10, 2009

Payload Manipulation https / http

Hello,

 

 

i've got a ssl cert installed on a virtual server, traffic goes to the pool members unencrypted.

 

 

im trying to modify the payload of the answer, doing a simple replacement.

 

 

when HTTP_RESPONSE_DATA {

 

regsub "somestring" [HTTP::payload] "foobar" newdata

 

set clen [string length newdata]

 

log local0. "$newdata"

 

HTTP::payload replace 0 $clen $newdata

 

HTTP::release

 

}

 

 

when im trying to access the page, my firefox tells me the server is using some kind of unknown compression and it can therefore not display the page.

 

 

in the f5 logfile i've got just some binary data.

 

 

is the http_response_data maybe called after the payload got processed through ssl encryption and so gets destroyed by the replacement?

 

 

Any Help would be appreciated :-)

 

 

Thanks, Moritz
application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 10, 2009
    Hi Moritz,

    I'd suggest using a stream profile and STREAM::expression based iRule to do this instead of trying to buffer the payload with HTTP::collect / HTTP::payload.

    Here is an example: 

     
 http://devcentral.f5.com/wiki/default.aspx/iRules/stream__expression 
 when HTTP_RESPONSE { 
  
     Disable the stream filter by default 
    STREAM::disable 
  
     Check if response type is text 
    if {[HTTP::header value Content-Type] contains "text"}{ 
  
        Replace somestring with foobar 
       STREAM::expression "@somestring@foobar@" 
  
        Enable the stream filter for this response only 
       STREAM::enable 
    } 
 }

    Aaron
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 10, 2009
    What are the symptoms of the issue?

     

     

    Do you get a response back from the VIP, but it doesn't have the response rewritten? If so, you could check the configuration of the stream expression. It is case sensitive. Another possibility is that response compression is enabled on the server. You can either disable it on the server or add code to the iRule to remove the Accept request header. This prevents the server from sending compressed responses.

     

     

    Do you get a page cannot be displayed message in the browser? If so, this is probably indicative of LTM sending a TCP reset to the client. This could be due to a TCL error. You can check the /var/log/ltm log file for details.

     

     

    Else, is there another symptom?

     

     

    Aaron
  • Moritz_Krinke_6's avatar
    Moritz_Krinke_6
    Icon for Nimbostratus rankNimbostratus
    Jul 13, 2009
    Aaron,

     

     

    got it - after i edited the irule to remove the accept request header like you suggested, it worked - since i had compression enabled on all the servers servern the www-content.

     

     

    thanks a lot!