Evan_25555
Oct 19, 2011 Historic F5 Account
Problem with iRule that logs excessive HTTP header lengths
Background:
We had been seeing occasional errors in /var/log/ltm that look like this:
HTTP head (33182) exceeded maximum allowed size of 32768
Before increasing MAX HTTP header size across the board, we thought we'd increase the MAX Header size to 64k (doubling it), on one of our VIPs and create an iRule to log HTTP Headers when the total length of them exceeds 32768.
When the threshold is set much higher than 15000, we see TMM errors associated with the iRule (http-header-size) that look like this:
Oct 19 09:16:31 local/tmm3 err tmm3[6715]: 01220001:3: TCL error: http-header-size - Not found (line 1) invoked from within "HTTP::header names"
When the threshold is set low, the iRule works correctly and we see log entries that look like this:
Oct 19 12:29:17 local/tmm5 info tmm5[6717]: Rule http-header-size : Header length = 1311
Oct 19 12:29:17 local/tmm5 info tmm5[6717]: Rule http-header-size : Accept (164): image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Oct 19 12:29:17 local/tmm5 info tmm5[6717]: Rule http-header-size : Referer (33):
and so forth
Can anyone offer any insights as to why the iRule fails when the logging threshold is set above 10000 or so?
Here's the iRule - please forgive the formatting
when HTTP_REQUEST {
    # Loop through each header by name and sum the lengths of the header values
    # (header names, separators and the request line are not counted)
    set count 0
    foreach aHeader [HTTP::header names] {
        incr count [string length [HTTP::header value $aHeader]]
    }
    if {$count > 32768} {
        # Log details for the request
        log local0. "Header length = $count"
        foreach aHeader [HTTP::header names] {
            log local0. "$aHeader ([string length [HTTP::header value $aHeader]]): [HTTP::header value $aHeader]"
        }
    }
}
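Added example (not part of the original post, and not F5 code): a Python comparison of the number the iRule computes, the sum of header value lengths, with the size of the whole request head. It assumes the limit reported in /var/log/ltm applies to the request line plus every header line, including names, separators and CRLFs; the request, host name and helper names are constructed for illustration.

```python
LIMIT = 32768  # threshold used in the iRule and shown in the ltm message

def header_sizes(raw: bytes):
    """Return (value_only_count, full_block_size) for a raw HTTP request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block: no terminating blank line")
    # Assumption: the enforced size covers the whole head, terminator included.
    full_block = len(head) + len(sep)
    value_only = 0
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        _name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line[:40])
        # Same quantity the iRule sums: length of the header value only.
        value_only += len(value.strip(b" \t"))
    return value_only, full_block

def classify(raw: bytes, limit: int = LIMIT):
    """Show whether the value-only check and the full-head check agree."""
    value_only, full_block = header_sizes(raw)
    return {
        "value_only": value_only,
        "full_block": full_block,
        "irule_would_log": value_only > limit,
        "block_over_limit": full_block > limit,
    }

def build_request(cookie_len: int) -> bytes:
    """Constructed sample request with one oversized Cookie header."""
    headers = [("Host", "app.example.test"), ("Accept", "*/*"),
               ("Cookie", "a" * cookie_len)]
    lines = ["GET /index.html HTTP/1.1"] + ["%s: %s" % h for h in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

if __name__ == "__main__":
    for n in (1000, 32740, 33000):
        print(n, classify(build_request(n)))
```

With a 32740-byte cookie the value-only count stays under 32768 while the full head is over it, so a request of that shape would pass the iRule's `if` test without being logged.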