Forum Discussion
Leslie_Hubertus
Ret. Employee
Tagging AubreyKingF5 again for his technical expertise...
P_Kueppers
Sep 27, 2022 MVP
Thanks, hopefully he can help me out... maybe I need to deploy something like this on all vservers to find that black sheep
    when HTTP_REQUEST {
        # Stop if a response has already been sent for this request
        if {[HTTP::has_responded]} {
            return
        } elseif {[HTTP::method] eq "POST"} {
            # Log POSTs with an XML or JSON content type and a Content-Length of at least 10,000,000 bytes
            if {[HTTP::header value "Content-Type"] contains "xml" or [HTTP::header value "Content-Type"] contains "json"} {
                if {[HTTP::header value "Content-Length"] >= 10000000} {
                    log local0. "This is the HTTP Path: [HTTP::path]"
                    log local0. "Client [IP::client_addr] This is the HTTP Host [HTTP::host]"
                    log local0. "Client [IP::client_addr] accessed [virtual]"
                    log local0. "Query string of URI: [HTTP::uri] is [URI::query [HTTP::uri]]"
                    log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]"
                    log local0. "HTTP Content Type Header = [HTTP::header value "content-type"]"
                }
            }
        }
    }
- AubreyKingF5 Sep 27, 2022 Admin
Not a bad plan. Can you show me the tmsh out for the http profile? I take it you're not doing anything fancy like HTTP2?
- P_Kueppers Sep 28, 2022 MVP
Pretty default I would say
We have some http/2 servers active:
    ltm profile http2 Standard_http2_profile {
        app-service none
        concurrent-streams-per-connection 100
        connection-idle-timeout 60
        defaults-from http2
    }
    ltm profile http2 http2 {
        activation-modes { alpn }
        app-service none
        concurrent-streams-per-connection 10
        connection-idle-timeout 300
        enforce-tls-requirements enabled
        frame-size 2048
        header-table-size 4096
        include-content-length disabled
        insert-header disabled
        insert-header-name X-HTTP2
        receive-window 32
        write-size 16384
    }
But most is http/1.2
    ltm profile http SecureWEB_http {
        app-service none
        defaults-from http
        enforcement {
            known-methods { CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT UNLOCK }
        }
        header-insert X-Forwarded-Proto:https
        hsts {
            maximum-age 31536000
            mode enabled
        }
        insert-xforwarded-for enabled
        proxy-type reverse
        redirect-rewrite all
        server-agent-name LB
    }
    ltm profile http http {
        accept-xff disabled
        app-service none
        basic-auth-realm none
        encrypt-cookies none
        enforcement {
            known-methods { CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK }
            max-header-count 64
            max-header-size 32768
            max-requests 0
            pipeline allow
            truncated-redirects disabled
            unknown-method allow
        }
        fallback-host none
        fallback-status-codes none
        header-erase none
        header-insert none
        hsts {
            include-subdomains enabled
            maximum-age 16070400
            mode disabled
            preload disabled
        }
        insert-xforwarded-for disabled
        lws-separator none
        lws-width 80
        oneconnect-status-reuse "200 206"
        oneconnect-transformations enabled
        proxy-type reverse
        redirect-rewrite none
        request-chunking preserve
        response-chunking selective
        response-headers-permitted none
        server-agent-name LB
        sflow {
            poll-interval 0
            poll-interval-global no
            sampling-rate 0
            sampling-rate-global no
        }
        via-request preserve
        via-response preserve
        xff-alternative-names none
    }
- P_Kueppers Sep 30, 2022 MVP
Okay, maybe I give up. Should I raise a support ticket? I put the iRule logging on every vserver I can think of with such uploads, but there was only one match near an event log entry, but that can't be a problem:
    Sep 30 14:59:22 .dmz.local info tmm1[21243]: Rule /Common/URL_Logging <HTTP_REQUEST>: HTTP Content Length Header = 11019932
    Sep 30 14:59:22 .dmz.local info tmm1[21243]: Rule /Common/URL_Logging <HTTP_REQUEST>: HTTP Content Type Header = application/soap+xml; charset=utf-8
    BD_XML|ERR |Sep 30 15:03:51.849|26888|xml_validation.cpp:0244|Cannot allocate 19503077 more bytes for XML parser. current memory size 1008875463 (in bytes)
And 4 min later;
    Broadcast message from systemd-journald@.dmz.local (Fri 2022-09-30 15:03:52 CEST):
    perl[26640]: 01310003:0: ASM out of memory error: event code X242 Exceeded maximum memory assigned for XML/JSON processing
    2022 Sep 30 15:03:52 .dmz.local perl[26640]: 01310003:0: ASM out of memory error: event code X242 Exceeded maximum memory assigned for XML/JSON processing
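The correlation done by hand in this thread (large-POST iRule hits against ASM X242 out-of-memory events) can be scripted. This is an added example, not part of the original posts or F5 tooling. The host name, client addresses and virtual server names in the sample are constructed, and the 10-minute window and the pairing of iRule lines by second and TMM are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log formats quoted in the thread;
# host, clients and virtual server names are placeholders.
SAMPLE_LOG = """\
Sep 30 14:12:05 bigip.example info tmm0[21243]: Rule /Common/URL_Logging <HTTP_REQUEST>: Client 192.0.2.10 accessed /Common/vs_portal
Sep 30 14:12:05 bigip.example info tmm0[21243]: Rule /Common/URL_Logging <HTTP_REQUEST>: HTTP Content Length Header = 10485760
Sep 30 14:59:22 bigip.example info tmm1[21243]: Rule /Common/URL_Logging <HTTP_REQUEST>: Client 192.0.2.44 accessed /Common/vs_soap_api
Sep 30 14:59:22 bigip.example info tmm1[21243]: Rule /Common/URL_Logging <HTTP_REQUEST>: HTTP Content Length Header = 11019932
Sep 30 15:03:52 bigip.example perl[26640]: 01310003:0: ASM out of memory error: event code X242 Exceeded maximum memory assigned for XML/JSON processing
"""

RULE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ info (tmm\d*)\[\d+\]: "
                  r"Rule \S+ <HTTP_REQUEST>: (.*)$")
OOM = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*ASM out of memory error: event code X242")
ACCESS = re.compile(r"Client (\S+) accessed (\S+)")
LENGTH = re.compile(r"HTTP Content Length Header = (\d+)")

def stamp(text, year):
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse(log, year=2022):
    """Return (uploads, oom_times); uploads are (time, client, virtual, bytes)."""
    uploads, oom_times, seen = [], [], {}
    for line in log.splitlines():
        rule, oom = RULE.match(line), OOM.match(line)
        if oom:
            oom_times.append(stamp(oom.group(1), year))
        elif rule:
            key = rule.group(1, 2)  # assumption: same second + same TMM = same request
            acc, size = ACCESS.search(rule.group(3)), LENGTH.search(rule.group(3))
            if acc:
                seen[key] = acc.groups()
            elif size:
                client, virtual = seen.pop(key, ("unknown", "unknown"))
                uploads.append((stamp(rule.group(1), year), client, virtual,
                                int(size.group(1))))
    return uploads, oom_times

def suspects(log, window=timedelta(minutes=10)):
    """Map each X242 event time to the large uploads logged in the window before it."""
    uploads, oom_times = parse(log)
    return {t: [u for u in uploads if timedelta(0) <= t - u[0] <= window]
            for t in oom_times}

if __name__ == "__main__":
    for when, hits in suspects(SAMPLE_LOG).items():
        print(when, [(virtual, client, size) for _, client, virtual, size in hits])
```

An X242 event with no upload in its window means the triggering request went through a virtual server without the logging iRule, or fell below the iRule's 10,000,000-byte threshold.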