For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
May 05, 2006

Redirect sends "Connection: Keep-Alive" header

Using a basic HTTP redirect statement:

if { blah }{
HTTP::redirect https://$host:$newport[HTTP::uri]
return
}

we're seing an HTTP 1.0 response with a Keep-Alive header, even though the client didn't request keepalives:

curl -v http://host.domain.com

* About to connect() to host.domain.com port 80

* Trying 10.10.10.100... connected

* Connected to host.domain.com (10.10.10.100) port 80

> GET / HTTP/1.1

> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

> Host: host.domain.com:80

> Accept: */*

>

< HTTP/1.0 302 Found

< Location: https://host.domain.com/

< Server: BIG-IP

* HTTP/1.0 connection set to keep alive!

< Connection: Keep-Alive

< Content-Length: 0

* Connection 0 to host host.domain.com left intact

* Closing connection 0

Seems odd, and totally unnecessary for a redirect, so we'd like to eliminate the Keepalive option completely and close the connection immediately.

Can we somehow suppress the Connection: header?

Send Connection: Close instead?

Or do we have to do something like "reject" the connection immediately following the redirect?

if { blah }{
HTTP::redirect https://$host:$newport[HTTP::uri]
reject
return
}

???

thanks!

/deb
application delivery
dev
devops
iRules

8 Replies

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    May 05, 2006
    While you could do a HTTP::header Replace and replace the Connection header to set the value to "close", this wouldn't get you very far. The "close" value wasn't supported in HTTP 1.0. It wasn't until 1.1. that the Connection header makes use of the close value.

    You could, however, try removing the connection header if you are seeing unwanted results due to the keep-alive value being set.

    Like:

    
HTTP::header Remove Connection

    I'd be interested to hear what problems you're seeing, though, by having the keep-alive value set between the BIG-IP and the client.

    Colin
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    May 05, 2006
    Customer says they are seeing the connection kept alive on the BIG-IP end, closing after the timeout when the client never sends another request.

    HTTP::header insert Connection Close
    and 
    HTTP::header replace Connection Close
    and 
    HTTP::header remove Connection
    all affect the inbound header with no effect on the BIG-IP response

    It seems logical that insert / replace / remove can't affect the HTTP::redirect command after it's been issued. Placing the header remove command in HTTP_RESPONSE also didn't work, I'm assuming because that is triggered by a server response, and with a redirect, there is none.

    HTTP::respond 302 Location http://www.google.com/ Connection Close
    results in both a Connection: Keep-Alive header and a Connection: Close header.

    We'd also like to modify the Server: header in the redirect, if possible, to something other than "BIG-IP"...

    thanks!

    /deb
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    May 05, 2006
    I've set up a simple redirect rule for testing, and I have to say /I/ can't see that the connection is actually kept alive on BIG-IP...

     

     

    If I don't see any connection to BIG-IP from my client in netstat -an other than my ssh connection, doesn't that mean the BIG-IP is really closing the connection?
  • bl0ndie_127134's avatar
    bl0ndie_127134
    Historic F5 Account
    May 05, 2006
    NOTE: Big IP will send a close only if the client sends a non keep alive request. Why don't you set the idle timeout to a small value after you send the redirect. That way the client can re-use the connection if it chooses to do so and the connection won't linger too long if it doesn't.
  • Jason_Reed_4703's avatar
    Jason_Reed_4703
    Historic F5 Account
    Jan 07, 2015

    I had a customer run into this, where we found the newer browsers performed TCP Keep-Alives that would reset the TCP idle timeout every 10~45 seconds. I poked around and couldn't get the Connection: Keep-Alive header removed or replaced, so I ended up not using the built in HTTP::redirect, and instead simply used:

    when HTTP_REQUEST {
 if { [HTTP::uri] contains "secure"}
 {
       HTTP::respond 302 conent {
Location: https://secure.company.com
Server: BigIP
Connection: Close
Content-Length: 0

       }
       return
  }
}
    • Georgi__Joe__St's avatar
      Georgi__Joe__St
      Icon for Altostratus rankAltostratus
      Dec 22, 2015
      I think you should use: HTTP::respond 302 noserver -reset Connection close Location https://google.com
  • Jason_Reed's avatar
    Jason_Reed
    Ret. Employee
    Jan 07, 2015

    I had a customer run into this, where we found the newer browsers performed TCP Keep-Alives that would reset the TCP idle timeout every 10~45 seconds. I poked around and couldn't get the Connection: Keep-Alive header removed or replaced, so I ended up not using the built in HTTP::redirect, and instead simply used:

    when HTTP_REQUEST {
 if { [HTTP::uri] contains "secure"}
 {
       HTTP::respond 302 conent {
Location: https://secure.company.com
Server: BigIP
Connection: Close
Content-Length: 0

       }
       return
  }
}
    • Georgi__Joe__St's avatar
      Georgi__Joe__St
      Icon for Altostratus rankAltostratus
      Dec 22, 2015
      I think you should use: HTTP::respond 302 noserver -reset Connection close Location https://google.com