cloud
2016 Topics

Differences between Disabled vs. Force Offline (Pool Member)
I find the distinctions between Disabled vs. Force Offline somewhat unclear in certain detail. Both options sound graceful wherein all existing connections are allowed to timeout and not brute force dropped? Does persistence session refer to a persistence record?

https://support.f5.com/csp/article/K13310

When set to Disabled, a node or pool member continues to process persistent and active connections. It can accept new connections only if the connections belong to an existing persistence session.

When set to Forced Offline, a node or pool member allows existing connections to time out, but no new connections are allowed.

I'm running a Big-IP LTM running 12.1.2 HF2. We have an ongoing issue with a backend webserver that is a Pool Member of a Http Pool. The behaviour I need is to maintain existing connections even after the Pool Member has been "Forced Offlined". Should I go with Force Offline?

Solved, 19K Views, 0 likes, 3 Comments

Error processing HTTP request header
I'm running into an issue on my Apache Tomcat 8 servers when receiving traffic routed through the F5. We have enabled TLS on the application servers and have set up an SSL Server profile to send the traffic through over HTTPS. The pool is configured to send the traffic to the servers on ports 8443 and 8444. However, we are getting the following error from the servers.

2019-03-20 05:26:32,938+0000 INFO org.apache.coyote.http11.Http11Processor service - Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:462)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

I am not certain what to look at on the F5 for how it is formatting/encrypting the traffic before it sends it on to the servers. Any advice on the direction I should take this would be very much appreciated.

11K Views, 0 likes, 9 Comments

URI to lower case LTM irule issue
Hi Team, I have a challenge to redirect all URIs into lower case. I am able to redirect the URL to lower case, but if I type in e.g. myweb.net/fR/PAges/DEfauLT.aspx etc. it does not redirect to lower case, e.g. myweb.net/fr/pages/default.aspx. I am trying my best but am not sure where the issue actually lies. Your help is very much appreciated.

when HTTP_REQUEST {
    STREAM::disable
    HTTP::path [string tolower [HTTP::path]]
    if { [string tolower [HTTP::path]] equals "/" } {
        if { [HTTP::header "Accept-Language"] starts_with "fr" } {
            HTTP::respond 301 -nocase "Location" "https://www.myweb.net/fr/pages/default.aspx" Strict-Transport-Security "max-age=300"
        } elseif { [HTTP::header "Accept-Language"] starts_with "en" } {
            HTTP::respond 301 -nocase "Location" "; Strict-Transport-Security "max-age=300"
        }
    } elseif { [string tolower [HTTP::path]] equals "/autodiscover/autodiscover.xml" } {
        HTTP::respond 301 "Location" "https://autodiscover.myweb.net/autodiscover/autodiscover.xml"
        HTTP::redirect "http://[HTTP::host][string tolower [HTTP::path]][HTTP::query]"
    } elseif { [string tolower [HTTP::host]] contains "blog.myweb.net" } {
        HTTP::respond 301 noserver "Location" "https://www.myweb.net/en/tech/pages/default.aspx"
    } elseif { [string tolower [HTTP::host]] contains "techpage.myweb.net" } {
        HTTP::respond 301 noserver "Location" "https://www.myweb.net/en/tech/Pages/techpage.aspx"
    }
}
when HTTP_RESPONSE {
    HTTP::header remove SPRequestGuid
    set cookies [HTTP::cookie names]
    foreach aCookie $cookies {
        HTTP::cookie secure $aCookie enable
    }
    if { [HTTP::header exists Location] } {
        HTTP::header remove Server
        HTTP::header replace Location [string map {"http://" "https://"} [string tolower [HTTP::header Location]]]
    }
    if { [HTTP::header Content-Type] contains "text" } {
        STREAM::expression { @http://s5.mywebnet.net@https://s5.mywebnet.net@ }
        STREAM::enable
    }
}

4.6K Views, 0 likes, 12 Comments

Revoke and Reuse the F5 license
@here is there any way to revoke and reuse the F5 license? I know it’s doable via BIG-IQ but wondering if it can be achieved via some other approach? We are looking for it from destroy and rebuild type of Azure infra standpoint. Thanks in advance for the help.

Solved, 4.6K Views, 0 likes, 5 Comments

Virtual Server creation
Hello, I am new to F5 and using the evaluation version of F5 (Big IP LTM Virtual Edition). I am facing a problem while creating the virtual server for a Tomcat application. F5 Big-IP LTM VE is running on VMPlayer, and I can access the admin page of F5 via https://>

I want to test F5 with 3 Tomcat applications which are running as a cluster. All three of my Tomcat instances are on the same machine with different ports.

http://:8081//cluter-example/test.jsp
http://:8082//cluter-example/test.jsp
http://:8083//cluter-example/test.jsp

I tested out this cluster successfully with Apache server. I do not have much idea how to create a Virtual server which will use my newly created pool which has all three Tomcat instances. I tried to create a Virtual server with the following parameters:

Type : host
Address : some random IP address.
Service port : 80 with HTTP
VLAN and tunnel traffic : All VLAN and tunnel
SNAT Pool : autoMap

Afterward I try to access the virtual server as http://>:80 and then get nothing (I am expecting it should go to one of the Tomcat instances). I tried with http://>:80/cluster-example/test.jsp but got the same result.

On the Health monitor side I used Send String : GET /cluster-example/test.jsp

Please let me know what things I am missing and why, given the virtual IP with port 80 as HTTP, it's not redirecting to the Tomcat application side.

-Sandeep

4.2K Views, 0 likes, 29 Comments

Solution For O365 SSL forward Proxy ByPass
May I ask you a question? { I want to know how I can get only SSL 443 traffic for O365 to pass through directly to the internet and all other HTTP & HTTPS traffic to pass through to the pool (Bluecoat) for proxy internet. So, how can I write an iRule for this issue? Please can you help me.}

3.3K Views, 0 likes, 6 Comments

APM Access Guided Configuration with VIP in different partition
I am trying to use the Guided Configuration to create a SAML Service Provider. However, this can only be run from the Common partition, whereas the VIP required has to be on a different partition for security reasons. I have tried to configure this manually but am running into problems, and all online guides point to the guided configuration. Is there a way around this partition restriction while using the guided configuration? I am trying to deploy Big IP APM to perform SAML authentication through Azure. We have the Metadata file but would like to use the Guided configuration to complete the deploy.

3.3K Views, 0 likes, 3 Comments

Export Part of F5 Config into a text file
How do I export parts of the configuration into a text file and then merge those exported configurations into another F5? I need to export the following from one F5 to another F5. I cannot export the whole configuration. I just want parts.

Export nodes into a text file and then import into another F5.
Export monitor configuration into a text file and import into another F5.
Export pool configurations into a text file and import into another F5.
Export VIPs configuration into a text file and import into another F5.

3.3K Views, 0 likes, 1 Comment

Cloudflare + F5 w/ Cookie session affinity
We're trying to set up Cloudflare with our F5 using cookie based session affinity. This appears to be a known complication for which both Cloudflare and F5 have some guidance.

https://support.cloudflare.com/hc/en-us/articles/212794707-General-best-practices-for-load-balancing-at-your-origin-with-Cloudflare

"Session cookies: If using HTTP cookies to track and bind user sessions to a specific application server at the load balancer, it is best to configure the load balancer to parse HTTP requests by cookie headers and directing each request to the correct application server even if HTTP requests share the same TCP connection due to keep-alive. For example: F5 BIG-IP load balancers will set a session cookie (if none exists) at the beginning of a TCP connection and then ignore all cookies passed on subsequent HTTP requests made on the same TCP socket. This tends to break session affinity because Cloudflare will send multiple different HTTP sessions on the same TCP connection. (HTTP cookie-based session affinity)."

https://support.f5.com/csp/article/K7964

By default, the BIG-IP system performs load balancing for each TCP connection, rather than for each HTTP request. After the initial TCP connection is load balanced, all HTTP requests seen on the same connection are sent to the same pool member. You can modify this behavior by forcing the server-side connection to detach after each HTTP request, which in turn allows a new load balancing decision according to changing persistence information in the HTTP request. You can force the server-side detachment by applying both an HTTP profile and a OneConnect profile to the virtual server, or by using an iRule to explicitly detach the server-side connection after each HTTP request.

In working with Rackspace engineers (the F5 is managed) we've applied the OneConnect profile; however, this profile is only meant to address the issue of sending multiple https requests over a single TCP connection.
We are still facing issues with maintaining session affinity due to what appears to be Cloudflare selecting a different proxy IP somewhat randomly. For instance, if I sit on the web page in the browser and simply click refresh, this will oftentimes create a new TCP connection to the F5 coming from a different Cloudflare proxy IP. The Rackspace engineer has informed me that due to the creation of a new TCP connection the load balancing algorithm is evaluated before the session affinity cookie (as this is done in this order for all new TCP connections) and as such we cannot maintain session affinity. I have a hard time believing that Cloudflare simply doesn't work with F5s using cookie based session affinity, but I don't have the detailed knowledge of how the F5 functions as this is a managed device for us. Can anyone help provide some guidance here?

From Rackspace engineer: "As per our discussion today, when I ran a couple of tests from my browser and did the captures, I never saw my connection fail and also the cloud-flare proxy IP remained the same for every refresh and also the back-end server remained the same. But when I did a capture for your requests which were intermittently failing, I saw your cloud-flare proxy IPs were random and the back-end connections were hopping through different servers. When there is a change in proxy IP, the load balancer is receiving a new TCP handshake request due to which the load balancer will not adhere to the session cookie that was sent in the previous request and would try to do load balancing of the new connection. This seems to cause the issue when the connection ends up on a different server."

From Cloudflare team: "This is indeed the expected behavior from Cloudflare, so unfortunately we would not be adding much of any value joining a call with Rackspace. It's something that would need to work out at the origin.
From the support ticket, it appears you are already familiar with best practices for working with F5 Load balancers plus it seems the oneconnect option has been implemented. From where xxx and I sit, we can confirm this has worked for other customers in the past."

Thanks in advance for any assistance.

3.2K Views, 1 like, 1 Comment

While using F5 edge client am getting Error "You do not have access to the Network Access Connections. Please contact your system administrator"
At first I tried on-demand certificate authentication without using the client. At that time the authentication was a success. But after using the Edge Client of F5 APM I am getting the error "You do not have access to the Network Access Connections. Please contact your system administrator." The login is successful, and after opening the webtop page I am getting this error, with the tab of the VPN automatically closing and the VPN session closing. Do we have to do any configuration in APM if we want to use the Edge Client? Please help.

3K Views, 0 likes, 6 Comments