AlexS_yb
Jul 22, 2022

What irule event captures http::respond or 503 generated by the F5

Hi

I use iRules to log requests and responses.

The problem is that http::response and actions done by the F5 are not captured.

I have iRules at HTTP_RESPONSE_RELEASE and HTTP_RESPONSE.

Neither fires. How can I do this?

  • Hi AlexS_yb, I just validated your observation with the following iRule under TMOS v15.1.6.1:

    when HTTP_REQUEST {
      log local0. "irule=\"rule_respond_monitor\",virtual=\"[virtual name]\",http_host=\"[HTTP::host]\",http_path=\"[HTTP::path]\""
      HTTP::respond 200 content "hello world\r\n" noserver Connection Close
      return
    }
    when HTTP_RESPONSE {
      log local0. "irule=\"rule_respond_monitor\",virtual=\"[virtual name]\",http_status=\"[HTTP::status]\",server_header=\"[HTTP::header value Server]\""
    }
    when HTTP_RESPONSE_RELEASE {
      log local0. "irule=\"rule_respond_monitor\",virtual=\"[virtual name]\",http_status=\"[HTTP::status]\",server_header=\"[HTTP::header value Server]\""
    }

    You probably have to go down on TCP::payload or SSL::payload after firing TCP::collect or SSL::collect.

    Another solution would be to cascade virtual servers. So the "frontend" virtual will just use the virtual statement to forward all traffic to the "backend" virtual. Now the iRule bound to the "frontend" virtual will capture the requested information.

    • AlexS_yb

      Not sure tcp::collect will work, as there is no data from the pool / server if it is generated by the F5 or is from http::respond.

      It's a bit annoying, as

      HTTP_RESPONSE

      states

      Note: HTTP_RESPONSE is specific to a server response passing through the load balancer, and is not triggered for locally-generated responses (e.g. sent using the HTTP::respond command)

      and

      HTTP_RESPONSE_RELEASE

      An iRule event triggered when the system is about to release HTTP data on the clientside of the connection. This event is triggered after modules process the HTTP response.

      I sort of read that as saying it gets all, and it didn't say it doesn't get the http::respond ones.


  • If, for instance, there is an iRule which sends a response in the HTTP_REQUEST event then this will not fire the HTTP_RESPONSE event as you say ( because that fires for serverside responses ).

    I don't know how to get around this other than to use the HTTP::has_responded command https://clouddocs.f5.com/api/irules/HTTP__has_responded.html and create a log if a response has been sent. 

    • AlexS_yb

      Actually that's a pretty good way of doing it: set priority really low and pick it up that way.

      Hadn't thought of that.

      I think it's a bug that it doesn't fire the other events.
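
The HTTP::has_responded approach suggested in this thread, written out as an added example that is not part of any poster's reply. The rule name `rule_response_source_log`, the `response_source` field and the priority value 900 are assumptions chosen for illustration; the rule is meant to sit on the same virtual server as the iRule that calls HTTP::respond.

```tcl
# Added example, not code from the thread.
# Assumed names: rule_response_source_log, response_source, req_path.
when HTTP_REQUEST priority 900 {
    # The default iRule priority is 500, so this handler runs after the
    # handlers that may already have called HTTP::respond on this request.
    # A "return" in the responding iRule only ends that handler, not this one.
    set req_path [HTTP::path]
    if { [HTTP::has_responded] } {
        # HTTP_RESPONSE will not fire for this request, so log it here.
        log local0. "irule=\"rule_response_source_log\",virtual=\"[virtual name]\",http_host=\"[HTTP::host]\",http_path=\"$req_path\",response_source=\"irule\""
    }
}
when HTTP_RESPONSE priority 900 {
    # Responses that come back from a pool member still arrive here.
    log local0. "irule=\"rule_response_source_log\",virtual=\"[virtual name]\",http_path=\"$req_path\",http_status=\"[HTTP::status]\",response_source=\"server\""
}
```

The request-side log line records that an iRule answered the request but not the status code it sent, since HTTP::status is only populated for server responses.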