
What irule event captures http::respond or 503 generated by the F5

AlexS_yb
Cirrostratus

Hi

I use iRules to log requests and responses.

The problem is that http::response and actions done by the F5 are not captured.

I have an iRule at HTTP_RESPONSE_RELEASE and HTTP_RESPONSE.

Neither fires. How can I do this?


1 ACCEPTED SOLUTION

PeteWhite
F5 Employee

If, for instance, there is an iRule which sends a response in the HTTP_REQUEST event then this will not fire the HTTP_RESPONSE event as you say (because that fires for serverside responses).

I don't know how to get around this other than to use the HTTP::has_responded command https://clouddocs.f5.com/api/irules/HTTP__has_responded.html and create a log if a response has been sent. 


4 REPLIES

Hi @AlexS_yb I just validated your observation with the following iRule under TMOS v15.1.6.1:

when HTTP_REQUEST {
  log local0. "irule=\"rule_respond_monitor\",virtual=\"[virtual name]\",http_host=\"[HTTP::host]\",http_path=\"[HTTP::path]\""
  HTTP::respond 200 content "hello world\r\n" noserver Connection Close
  return
}
when HTTP_RESPONSE {
  log local0. "irule=\"rule_respond_monitor\",virtual=\"[virtual name]\",http_status=\"[HTTP::status]\",server_header=\"[HTTP::header value Server]\""
}
when HTTP_RESPONSE_RELEASE {
  log local0. "irule=\"rule_respond_monitor\",virtual=\"[virtual name]\",http_status=\"[HTTP::status]\",server_header=\"[HTTP::header value Server]\""
}

You probably have to go down on TCP::payload or SSL::payload after firing TCP::collect or SSL::collect.

Another solution would be to cascade virtual servers. So the "frontend" virtual will just use the virtual statement to forward all traffic to the "backend" virtual. Now the iRule bound to the "frontend" virtual will capture the requested information.

Not sure tcp::collect will work as there is no data from the pool / server. If it generates from the F5 or is from http::respond

 

It's a bit annoying.

as

HTTP_RESPONSE 

states 

Note: HTTP_RESPONSE is specific to a server response passing through the load balancer, and is not triggered for locally-generated responses (e.g. sent using the HTTP::respond command)

and 

HTTP_RESPONSE_RELEASE 

An iRule event triggered when the system is about to release HTTP data on the clientside of the connection. This event is triggered after modules process the HTTP response.

 

I sort of read that as saying it gets all, and it didn't say it doesn't get the http::respond ones.

 

 


Actually that's a pretty good way of doing it: set priority really low and pick it up that way.

Hadn't thought of that.

 

I think it's a bug that it doesn't fire the other events.
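
The HTTP::has_responded approach from the accepted solution, combined with the "run it last" priority idea from the final reply, written out as an added example (not code from the thread or from F5). The rule name and the audit_* variable names are assumptions; handlers with a higher priority number run later (default 500), and this only sees responses sent by HTTP_REQUEST handlers that ran before it.

```tcl
# Added example: audit iRule for responses generated on the BIG-IP itself.
# Rule name and the audit_* variable names are assumptions for this sketch.

# Runs before default-priority (500) handlers: capture request details
# while nothing has answered the client yet.
when HTTP_REQUEST priority 1 {
    set audit_host [HTTP::host]
    set audit_path [HTTP::path]
    set audit_method [HTTP::method]
}

# Runs after the default-priority HTTP_REQUEST handlers on this virtual.
when HTTP_REQUEST priority 1000 {
    if { [HTTP::has_responded] } {
        # An earlier handler already answered (HTTP::respond, HTTP::redirect),
        # so HTTP_RESPONSE will not fire for this request. Log it here and
        # stop: no further HTTP commands for this request in this handler.
        log local0. "irule=\"rule_local_response_audit\",virtual=\"[virtual name]\",client=\"[IP::client_addr]\",http_method=\"$audit_method\",http_host=\"$audit_host\",http_path=\"$audit_path\",responded_by=\"irule\""
        return
    }
}

# Server-side responses still arrive through the normal event.
when HTTP_RESPONSE {
    log local0. "irule=\"rule_local_response_audit\",virtual=\"[virtual name]\",http_method=\"$audit_method\",http_host=\"$audit_host\",http_path=\"$audit_path\",http_status=\"[HTTP::status]\",responded_by=\"server\""
}
```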