Forum Discussion
Regex in STREAM::expression
STREAM::expression {@sectionbegin.+sectionend@}
when STREAM_MATCHED {
log local0. "matched: [STREAM::match]"
STREAM::replace "[string map {[^A-Za-z][fF][iI][nN][dD][^A-Za-z] *******} [STREAM::match]]"
}
The difficulty I'm having is getting the regex in STREAM::expression to match over line feeds / carriage returns. I've tried [.\r\n]+, [\s\s]+ and various others without success. I can get the match to work in part if I miss out sectionend from my example but do not match on a line feed.
Any suggestions or the correct regex for this would be most appreciated.
Thanks
Darren C
- Colin_Walker_12Historic F5 AccountCould you post the match that you're trying to use? It sounds like you're trying to include the carriage return in the search, which might be mucking things up a bit. I've never had any problems with the STREAM profile not crossing lines, so I'd like to see what it is you're searching for exactly, if possible.
- Darren_21048NimbostratusHi Colin,
.*>@} - This doesn't break the page
- hoolioCirrostratusI just tested with a simple STREAM::expression rule which matches across new lines:
when HTTP_REQUEST { STREAM::disable } when HTTP_RESPONSE { if {[HTTP::header content-type] starts_with "text"}{ STREAM::expression {@This.*yet@@} STREAM::enable } } when STREAM_MATCHED { log local0. "[STREAM::match]" }
curl 10.1.0.100 < html >< body >< h1 >It works!< /h1 > < p >This is the default web page for this server.< /p > < p >The web server software is running but no content has been added, yet.< /p > < /body >< /html >
curl 10.1.0.15 < html >< body >< h1 >It works!< /h1 > < p >.< /p > < /body >< /html >
< STREAM_MATCHED >: This is the default web page for this server. The web server software is running but no content has been added, yet
- Darren_21048NimbostratusAnother thought, is there a limit to the amount of data that STREAM::match will accept, I've not amended the iRule but the last bit of html I tested against finished on
- hoolioCirrostratusIs it possible that your matching terms are over 4096 bytes apart? This is the default match length that will be buffered:
- Darren_21048NimbostratusI think this is possible as sometimes the pages just break. Looking at your example, I'm basically doing exactly the same thing as your example code so it appears that maybe this isn't due to line feeds.
- hoolioCirrostratusBased on Spark's reply, I think STREAM::max_matchsize should work in LB_SELECTED. I think it's too late to use in STREAM_MATCHED.
- Darren_21048NimbostratusThanks again Aaron, I agree that STREAM_MATCHED would be too late. The volume of data I'm working on is 9964 bytes so definitely larger than the default allowed so I'm pretty sure now that is where the problem lies.
I've added the following to my iRule
when LB_SELECTED {
STREAM::max_matchsize 999999}
This causes no syntax errors but is not resolving the issue, I've tried various smaller sizes also. I also notice that I always get to the same part of the code no matter what I set in this so I'd assume this is 4096 bytes in (though I've not checked that yet). Could the STREAM::disable statements be resetting this setting or something in my logic, if I'm correct iRule events process in the following order - HTTP_REQUEST, LB_SELECTED, HTTP_RESPONSE, STREAM_MATCHED but I've tried disabling the STREAM::disable in HTTP_RESPONSE but still no success.
I'll keep trying and update if I get to the bottom of it but if you've any further ideas, I'd be most grateful.
FYI, here is my current iRule.
when HTTP_REQUEST {
Explicitly disable the stream profile for each request so it doesn't stay
enabled for subsequent HTTP requests on the same TCP connection.
STREAM::disable}
when LB_SELECTED {
STREAM::max_matchsize 999999}
when HTTP_RESPONSE {
HTTP::header remove server
foreach header {Server Date X-Powered-By} {
while { [HTTP::header exists $header] } {
log local0. "Removing- $header: [HTTP::header value $header]"
HTTP::header remove $header
}
}
Disable the stream filter by default
STREAM::disable
Check if response type is text
if {[HTTP::header value Content-Type] contains "text"}{
Match and replace it with nothing
STREAM::expression {@comments.start.here.*>@@}STREAM::expression {@comments.start.here.*comments.end.here>@@}Enable the stream filter for this response only
STREAM::enable
}
}
when STREAM_MATCHED {
log local0. "1st MATCH [STREAM::match]"
Check if the matched string meets some condition that can't easily be checked for using a single regex in STREAM::expression
if {[STREAM::match] contains "Darren"}{
Replace Darren with
XYXYXYand do the replacementSTREAM::replace "[string map {Darren XYXYXY} [STREAM::match]]"
log local0. "[IP::client_addr]:[TCP::local_port]: matched: [STREAM::match], replaced with: [string map {Darren XYXYXY} [STREAM::match]]"
log local0. "2nd MATCH"
}
}
Thanks
Darren
- hoolioCirrostratusHi Darren,
- Darren_21048NimbostratusI've got a ticket on the go with F5 support (raised on Friday last week), I'll update on how it goes. Thanks Darren
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com