
Unable to download files with http profile assigned to VS

matthew_b_16251
Nimbostratus

Hi,

I am hoping someone can provide help with an odd problem we have.

We have recently cut over to F5 content switches and we are load balancing multiple sites. Before, we were running Cisco CCS without problem.

These sites are asp.net coded and when the http profile is assigned to the virtual server we are unable to download files from these sites.

F5 support believe this to be as the download is not RFC compliant. We need the http profile as we are content switching with an irule.

Support tried creating a custom http profile and we tweaked some settings to no avail.

The problem is the developers are saying it is standard download ASP code for an asp.net application which is RFC compliant. Can anyone help, or does anyone have any advice?

Thanks, Matt

 

11 REPLIES 11

Kevin_Stewart
F5 Employee

The HTTP profile is indeed very picky about RFC compliance, so betting that is the problem. It may be possible, depending on an ability to differentiate the download request from other requests, to simply disable the HTTP profile for that request only.

 

matthew_b_16251
Nimbostratus

I am currently using an irule like this to switch the content to the correct server. Could I simply disable the http profile in the irule for all URLs?

Any pointers on what I would need to enter to disable the http profile? The sites seem to work without the profile on the VS.

    when HTTP_REQUEST {
        # Select the pool from the lowercased request URI
        switch -glob [string tolower [HTTP::uri]] {
            "/xxxxx*" { pool LegacyIIS }
            default { pool Main-WS-Pool }
        }
    }

 

Thanks Matt

 

Kevin_Stewart
F5 Employee

The idea would be to simply disable the HTTP profile (put it in "passthrough" mode) for specific conditions. Take a look at the following article for handling webdav:

 

https://devcentral.f5.com/wiki/iRules.DisablingHTTPProcessingForUnrecognizedHTTPMethods.ashx

 

And the iRule:

 

    when CLIENT_ACCEPTED {
        # Enable HTTP processing for all requests by default
        HTTP::enable
    }
    when HTTP_REQUEST {
        # selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "MOVE" -
            "COPY" -
            "LOCK" -
            "UNLOCK" -
            "PROPFIND" -
            "PROPPATCH" -
            "MKCOL" {
                HTTP::disable
            }
        }
    }

So if you can distinguish the download request from other requests, you should be able to do similar.

 

MVA
Nimbostratus

We had a similar issue but were able to remove the HTTP profile as we didn't have a need for the HTTP profile. The issue, as I understood from F5 support, was the F5 wasn't processing a '401 unauthorized' and was kicking our web session back to the login page. It was recommended to add a OneConnect and NTLM profile, but we never did as it was possible for us to remove the HTTP profile altogether.

 

If you do a trace of your traffic you should be able to see if this is a similar issue.

 

Hope this helps.

 

Kevin_Stewart
F5 Employee

If I may add, Mel you're absolutely correct. For one reason or another the HTTP profile is issuing an error. You might also be able to see this error in the LTM log when it happens:

 

tail -f /var/log/ltm

Whether it's a 401 response, a webdav request, or something else that the HTTP profile doesn't understand, you need to be able to distinguish it from other requests and disable the filter. Worst case, and I mean absolute worst case, you can do the content switching in a TCP or SSL event and remove the HTTP profile completely, but it'll be more work.

 

matthew_b_16251
Nimbostratus

Thanks for the advice, I will try and work out if I can distinguish the URL in the irule and disable the URL using the HTTP profile.

 

I may post back if I get stuck. Many Thanks Matt

 

matthew_b_16251
Nimbostratus

Also, just to add, we are using SSL offloading. I am assuming we can still disable the http profile?

 

Kevin_Stewart
F5 Employee

Also, just to add, we are using SSL offloading. I am assuming we can still disable the http profile?

 

Yes you can. If you go with the "no http profile at all" method, you'd need to use SSL::collect and SSL::payload commands, vs. TCP::collect and TCP::payload.

 

matthew_b_16251
Nimbostratus

Hi, I have found a solution for my problem but require some help. The code I am using is:

    when HTTP_REQUEST {
        # Put the HTTP profile into passthrough mode for the download page
        if { [HTTP::uri] starts_with "/app01/cDownload.aspx" } {
            HTTP::disable
        }
    }

I have multiple urls to exclude with this rule, how do I add to this? My other method is to create a separate irule for each url, which I tested and it works, but ideally I would like to create one rule with multiple exceptions.

 

Thanks Matt

 

Kevin_Stewart
F5 Employee

Try this:

 

    when HTTP_REQUEST {
        # The URI is lowercased before matching, so every pattern must be lowercase too
        switch -glob [string tolower [HTTP::uri]] {
            "/app01/cdownload.aspx*" -
            "/app02*" -
            "/app03*" -
            "/app04*" {
                HTTP::disable
            }
        }
    }

You can also add all of these URLs into a string-based data group:

 

    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::uri]] contains my-uri-dg] } {
            HTTP::disable
        }
    }
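An added example, not part of the reply above or of F5's own code: one iRule that combines the content switching and the passthrough exceptions from this thread, matching on the lowercased path with `starts_with` so that only requests whose path begins with a listed prefix lose HTTP processing. It assumes the string data group `my-uri-dg` holds lowercase path prefixes (for example `/app01/cdownload.aspx`) and reuses the pool names and the `/xxxxx*` placeholder from the earlier post.

```tcl
# Added example. Assumes my-uri-dg is a string data group of
# lowercase path prefixes; pool names are the ones used in the thread.
when CLIENT_ACCEPTED {
    # Every new connection starts with full HTTP parsing
    HTTP::enable
}

when HTTP_REQUEST {
    # Use the path only, so text in the query string cannot
    # influence the passthrough decision
    set path [string tolower [HTTP::path]]

    # Content switching has to be decided while HTTP parsing is still on
    switch -glob $path {
        "/xxxxx*" { pool LegacyIIS }
        default   { pool Main-WS-Pool }
    }

    # Anchor the match at the start of the path instead of using "contains"
    if { [class match $path starts_with my-uri-dg] } {
        # Record each passthrough decision so exceptions can be audited in /var/log/ltm
        log local0.info "HTTP passthrough: client=[IP::client_addr] path=$path"
        HTTP::disable
    }
}
```

Once `HTTP::disable` runs, the rest of that connection is passed through unparsed, so later requests on the same keep-alive connection no longer raise `HTTP_REQUEST` and stay on the pool already selected.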

matthew_b_16251
Nimbostratus

The above code works when I omit the * on my urls. I am assuming the urls need to be lowercase. Thanks for all your help, I need to get some testing done on this but the users are going to be able to work again. Thanks, Matt