Unable to download files with http profile assigned to VS

The HTTP profile is indeed very picky about RFC compliance, so betting that is the problem. It may be possible, depending on an ability to differentiate the download request from other requests, to simply disable the HTTP profile for that request only.

I am currently using a irule like to switch the content to the correct server. Could I simply disable the http profile in the irule for all URLS?

Any pointers on what I would need to enter to disable the http profile. The sites seem to work without the profile on the VS.

when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { "/xxxxx*" { pool LegacyIIS } default { pool Main-WS-Pool } }

Thanks Matt

The idea would be to simply disable the HTTP profile (put it in "passthrough" mode) for specific conditions. Take a look at the following article for handling webdav:

https://devcentral.f5.com/wiki/iRules.DisablingHTTPProcessingForUnrecognizedHTTPMethods.ashx

And the iRule:

when CLIENT_ACCEPTED {
     Enable HTTP processing for all requests by default
    HTTP::enable
}
when HTTP_REQUEST {
     selectively disable HTTP processing for specific request methods
    switch [HTTP::method] {
        "MOVE" -
        "COPY" -
        "LOCK" -
        "UNLOCK" -
        "PROPFIND" -
        "PROPPATCH" -
        "MKCOL" { HTTP::disable }
    }
}

So if you can distinguish the download request from other requests, you should be able to do similar.

We had a similar issue but were able to remove the HTTP profile as we didn't have a need for the HTTP profile. The issue as I understood from F5 support, was the F5 wasn't processing a '401 unauthorized' and was kicking our web session back to login page. It was recommended to add a Oneconnect and NTLM profile, but we never did as it was possible for us to remove the HTTP profile altogether.

If you do a trace of your traffic you should be able to see if this is a similar issue.

Hope this helps.

If I may add, Mel you're absolutely correct. For one reason or another the HTTP profile is issuing an error. You might also be able to see this error in the LTM log when it happens:

tail -f /var/log/ltm

Whether it's a 401 response, a webdav request, or something else that the HTTP profile doesn't understand, you need to be able to distinguish it from other requests and disable the filter. Worst case, and I mean absolute worst case, you can do the content switching in a TCP or SSL event and remove the HTTP profile completely, but it'll be more work.

Thanks for the advice, I will try and work out if I can distinguish the URL in the irule and disable the URL using the HTTP profile.

I may post back if I get stuck. Many Thanks Matt

Also just to add we are using SSL offloading I am assuming we can still disable the http profile?

Also just to add we are using SSL offloading I am assuming we can still disable the http profile?

Yes you can. If you go with the "no http profile at all" method, you'd need to use SSL::collect and SSL::payload commands, vs. TCP::collect and TCP::payload.

Hi, I have found a solution for my problem buy require some help. The code I am using is

when HTTP_REQUEST { if {[HTTP::uri] starts_with "/app01/cDownload.aspx"} { HTTP::disable } }

I have multiple urls to exclude with this rule, how do I add to this. My other method is to create a separate irule for each url which I tested and it works but ideally would like to create one rule with multiple exceptions.

Thanks Matt

Try this:

when HTTP_REQUEST { 
    switch -glob [string tolower [HTTP::uri]] {
        "/app01/cDownload.aspx*" -
        "/app02*" -
        "/app03*" -
        "/app04*" {
            HTTP::disable 
        } 
    }
}

You can also add all of these URLs into a string-based data group:

when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::uri]] contains my-uri-dg] } {
        HTTP::disable
    }
}