Forum Discussion
Unable to download files with http profile assigned to VS
Hi,
I am hoping someone can provide with help with an odd problem we have.
We have recently cut over to F5 content switches and we are load balancing multiple site. Before we where running Cisco CCS without problem.
These site are asp.net coded and when the http profile is assigned to the virtual server we are unable to download files from these sites.
F5 support believe this to be as the download is not RFC compliant. We need the http profile as we are content switching with an irule.
Support tried creating a customer http profile and we tweaked some setting to no avail.
The problem is the developers are saying it is standard download ASP code for an asp.net application which is RFC compliant. Can anyone help or has any advice.
Thanks Matt
- Kevin_StewartEmployee
The HTTP profile is indeed very picky about RFC compliance, so betting that is the problem. It may be possible, depending on an ability to differentiate the download request from other requests, to simply disable the HTTP profile for that request only.
- matthew_b_16251Nimbostratus
I am currently using a irule like to switch the content to the correct server. Could I simply disable the http profile in the irule for all URLS?
Any pointers on what I would need to enter to disable the http profile. The sites seem to work without the profile on the VS.
when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { "/xxxxx*" { pool LegacyIIS } default { pool Main-WS-Pool } }
Thanks Matt
- Kevin_StewartEmployee
The idea would be to simply disable the HTTP profile (put it in "passthrough" mode) for specific conditions. Take a look at the following article for handling webdav:
https://devcentral.f5.com/wiki/iRules.DisablingHTTPProcessingForUnrecognizedHTTPMethods.ashx
And the iRule:
when CLIENT_ACCEPTED { Enable HTTP processing for all requests by default HTTP::enable } when HTTP_REQUEST { selectively disable HTTP processing for specific request methods switch [HTTP::method] { "MOVE" - "COPY" - "LOCK" - "UNLOCK" - "PROPFIND" - "PROPPATCH" - "MKCOL" { HTTP::disable } } }
So if you can distinguish the download request from other requests, you should be able to do similar.
- MVANimbostratus
We had a similar issue but were able to remove the HTTP profile as we didn't have a need for the HTTP profile. The issue as I understood from F5 support, was the F5 wasn't processing a '401 unauthorized' and was kicking our web session back to login page. It was recommended to add a Oneconnect and NTLM profile, but we never did as it was possible for us to remove the HTTP profile altogether.
If you do a trace of your traffic you should be able to see if this is a similar issue.
Hope this helps.
- Kevin_StewartEmployee
If I may add, Mel you're absolutely correct. For one reason or another the HTTP profile is issuing an error. You might also be able to see this error in the LTM log when it happens:
tail -f /var/log/ltm
Whether it's a 401 response, a webdav request, or something else that the HTTP profile doesn't understand, you need to be able to distinguish it from other requests and disable the filter. Worst case, and I mean absolute worst case, you can do the content switching in a TCP or SSL event and remove the HTTP profile completely, but it'll be more work.
- matthew_b_16251Nimbostratus
Thanks for the advice, I will try and work out if I can distinguish the URL in the irule and disable the URL using the HTTP profile.
I may post back if I get stuck. Many Thanks Matt
- matthew_b_16251Nimbostratus
Also just to add we are using SSL offloading I am assuming we can still disable the http profile?
- Kevin_StewartEmployee
Also just to add we are using SSL offloading I am assuming we can still disable the http profile?
Yes you can. If you go with the "no http profile at all" method, you'd need to use SSL::collect and SSL::payload commands, vs. TCP::collect and TCP::payload.
- matthew_b_16251Nimbostratus
Hi, I have found a solution for my problem buy require some help. The code I am using is
when HTTP_REQUEST { if {[HTTP::uri] starts_with "/app01/cDownload.aspx"} { HTTP::disable } }
I have multiple urls to exclude with this rule, how do I add to this. My other method is to create a separate irule for each url which I tested and it works but ideally would like to create one rule with multiple exceptions.
Thanks Matt
- Kevin_StewartEmployee
Try this:
when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { "/app01/cDownload.aspx*" - "/app02*" - "/app03*" - "/app04*" { HTTP::disable } } }
You can also add all of these URLs into a string-based data group:
when HTTP_REQUEST { if { [class match [string tolower [HTTP::uri]] contains my-uri-dg] } { HTTP::disable } }
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com