Forum Discussion

René_Posthumus's avatar
René_Posthumus
Icon for Altostratus rankAltostratus
Nov 20, 2019

Need to rewrite a 500 status to 200, but how ?

Hi,

 

We have some applications depending on .NET framework that send normal messages like "username does not exist" with a response code 500, while these are legit responses. It seems to have something to do with .NET framework that is not highly configurable, so we want to rewrite the HTTP::status to 200.

 

I found an article that does something like it but it looks like too much overhead. It just has to alter the status codes. https://devcentral.f5.com/s/articles/convert-404s-to-blank-200s

 

When i use the article above, the page is sent as a download to the client so is not a solution.

 

Can anybody help me out ?

application delivery
iRules
LTM

3 Replies

Sort By
  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Nov 20, 2019

    An HTTP 500 status is an internal error status, and would not usually contain a html payload for display.

     

    What is the content type and payload of the 500 response?

     

    That iRule is the best option, but the actual HTTP::payload probably isn't something that you can send back to the client (unlike a 404, where the response body is expected to be valid HTML).

     

    You can craft a 200 response, but may need to wrap the HTTP::payload in some suitable HTML tags to get then to display properly.

    • René_Posthumus's avatar
      René_Posthumus
      Icon for Altostratus rankAltostratus
      Nov 21, 2019

       

      Hi S,

       

      The payload is just text/html but i'm not that handy with iRules to be able to construct such a response. Can you ?

       

      HTTP/1.1 500 Internal Server Error

      Cache-Control: private

      Content-Type: text/html; charset=utf-8

      X-AspNet-Version: 4.0.30319

      X-Frame-Options: SAMEORIGIN

      Date: Thu, 21 Nov 2019 06:46:55 GMT

      Content-Length: 17554

      X-Content-Type-Options: nosniff

      X-XSS-Protection: 1;mode=block

      Strict-Transport-Security: max-age=31536000

      <!DOCTYPE html>

      <html>

      (content)

      </html>

      • Simon_Blakely's avatar
        Simon_Blakely
        Icon for Employee rankEmployee
        Nov 21, 2019

        I don't see why that wouldn't work, but disabling chunking on the request might interfere with the application ...

        # iRule to convert 500s to 200s
when HTTP_REQUEST {
  # Don't allow data to be chunked
  if { [HTTP::version] eq "1.1" } {
    if { [HTTP::header is_keepalive] } {
      HTTP::header replace "Connection" "Keep-Alive"
    }
     HTTP::version "1.0"
  }
}
when HTTP_RESPONSE {
   # grab response of a 500
   if {[HTTP::status] == 500}{
      HTTP::collect [HTTP::header Content-Length]
   }
}
 
when HTTP_RESPONSE_DATA {
   # change response to 200 and send
   HTTP::respond 200 content [HTTP::payload] "Content-Length" [HTTP::header Content-Length] "Content-Type" "text/html"
}

        Just a comment on the wisdom of replacing a status 500 with a status 200 - I know it's your your web application, but application frameworks use a specific response for a reason - if you get a 500 error response, it should only be because the server context is now broken and nothing further should be attempted. It's not like a 401 Authentication Required where the application can proceed with additional credentials.

        And leaking information like that (username does not exist) is just asking to be abused by an attacker. I'd think very carefully before making that sort of change.