stream profile
12 TopicsHTTP_RESPONSE - STREAM::expression to replace one string with another in HTTP data payload
I am trying to replace any instance of a certain URI whenever it occurs in the HTTP response data. It occurs within JavaScript <script> tags of the HTML document. I have the default system stream profile on the virtual server, and I'm using an iRule. When I inspect the web page after in my browser, I still see the URI that I am trying to replace, even the first instance of it. Although, as I understand it from reading the content at the links below here, I am using STREAM::expression in my iRule, so I think it should replace all occurrences, not just the first. Seems to not be replacing any though. https://support.f5.com/csp/article/K39394712 https://clouddocs.f5.com/api/irules/STREAM__expression.html I have also checked these out: https://devcentral.f5.com/s/articles/ltm-stream-profile-multiple-replacements--regular-expressions https://clouddocs.f5.com/api/irules/STREAM__replace.html Here is what I have. # FQDN app.example.com resolves to ltm virtual server SNAT IP # if URI starts with /fooportal # then reverse proxy to https://example.com/fooportal # if the URI started with anything other than /fooportal # then 307 redirect to host example.com # but with the originally requested path # # when HTTP_REQUEST { # Disable the stream filter for client requests STREAM::disable # only requests to app.example.com will come to this virual server # app.example.com has a DNS Address record to this virtual server's SNAT IP Address # whereas the DNS Address record for example.com is the back-end real server address if { ([string tolower [HTTP::uri]] starts_with "/fooportal") } { HTTP::header replace Host "example.com" pool example.com_HTTPS_Pool } elseif { ([string tolower [HTTP::header host]] eq "app.example.com") } { HTTP::header replace Host "example.com" HTTP::respond 307 Location https://[HTTP::host][HTTP::uri] } } when HTTP_RESPONSE { # Disable the stream filter for server responses STREAM::disable # Enable the stream filter for text responses only if {([HTTP::status] == 200) && ([HTTP::header value Content-Type] starts_with "text")} { # Replace 'example.com' with 'app.example.com' STREAM::expression {@example.com/fooportal/@app.example.com/fooportal/@} # Enable the stream filter STREAM::enable } }1.2KViews0likes1CommentBasic HTTP Stream Profile
Hi all, I basicly try to use the stream profile to replace the http:// string of my server side response data with https:// and just changed my custom stream profile as below : But though I simply click the http://192.168.50.111/ into my web browser, it just keeps load balancing and retrieves a pool member with a HTTP 200 OK code. Isn't it expected that it must show me https://192.168.50.111 instead of http? In my research, it says if the web page returns 302, 303 or 307 status codes, we can see a Location Header which can show the replaced URL as https://blabla in the captured packets (collected with Wireshark) or sth else. Is there any other configuration in F5 menu to apply the stream profile correctly? I want to only use the Stream Profile, not an iRule. However iRule didn't work either. I really don't know why. Here's the curl command result : Thank you.999Views0likes5Commentssome image content cant be load and work properly
dear all, i have deployed big ip ltm on my customer, the function of this appliance is to offload and load balance the portal server (used to login to the customer site). the problem occur when we offloading the https, the whole page seems broken. i try to used this link https://devcentral.f5.com/codeshare?sid=573, the whole page still broken and the authentication always failed.however, some image content can be loaded and work properly. after that i try to used stream profile, but not used rewrite profile that i talk before, with http profile response chunking is re-chunk. the page can now be loaded and work properly, neither the authentication, but unfortunately some image still broken. any suggestion about this problem? thank you521Views0likes4CommentsSTREAM::disable and APM
TMOS 11.3.0 HF6 Does this: when HTTP_REQUEST { Disable the stream filter for all requests STREAM::disable } break APM? If not does anybody know why I get this line in /var/log/ltm: local/tmm err tmm[5477]: 01220001:3: TCL error: /Common/stream_test - Operation not supported (line 1) invoked from within "STREAM::disable" Thanks.358Views0likes3CommentsStream expression for TCP payload
So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within a HTTP_RESPONSE event and specify a reg expression. So for my test, I wanted to capture alpha numeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. I did return other values but thats beside the point I'm getting to. This is how I approached it a stream profile within a HTTP_RESPONSE event. when HTTP_REQUEST { STREAM::disable if { [HTTP::header value "Host"] equals "winweb1.clearshark.net"} { set host [HTTP::header value "Host"] HTTP::header remove "Accept-Encoding" } } when HTTP_RESPONSE { if {[info exists host]} { if {$host equals "winweb1.clearshark.net"} { STREAM::expression {@[a-zA-Z0-9]{13,16}@} STREAM::enable } } } when STREAM_MATCHED { log local0. "Stream matched [STREAM::match]" } Now... I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success. when CLIENT_ACCEPTED { STREAM::disable } when SERVER_CONNECTED { TCP::collect if {[IP::client_addr] equals "172.16.211.103"} { log local0. "Stream enabled" STREAM::expression {@[a-zA-Z0-9]{13,16}@} STREAM::enable } } when STREAM_MATCHED { log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]" } I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within a HTTP_RESPONSE event. I know this seems like a quirky use case but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward. I appreciate any and all help!299Views0likes2CommentsStream Profile or HTML Content Profile
HTML Content profiles seem to be new with 11.0 and I can't find much discussion on them being used. There are lots of examples of using stream profiles. I would like to know if there is a performance advantage of using the HTML Content profiles or are they a way to "simplify" stream processing? Is there a preference for injecting JavaScript monitoring into an application? I'm using APM in my environment and I have encountered this issue: https://support.f5.com/kb/en-us/solutions/public/12000/500/sol12558.html Would using HTML Content profiles be another way around this problem? Thank-You.274Views0likes0CommentsASCII LF (0a) in STREAM
Is there a way to represent the hex 0a in the target of a STREAM::expression? Everything I try causes the literal "0a" or "\n" to be inserted instead of the representation of LF. STREAM::expression {@\x0d@\x0a@} Result of replacement is "\x0a" (5c 78 30 61) STREAM::expression {@\x0d@\n@} STREAM::expression {@\r@\n@} Both of these cause the replacement to be the literal "\n" (5c 6e). Is seems that the search operations handles regex/hex just fine, but the replacement chokes on anything other than ASCII.265Views0likes2CommentsRewriting response with STREAM not working properly
Hello, I am developping an iRule to rewrite a response from the Web server. I need to rewrite a chain of characters AND its length specified in the first character as a hex value. The iRule works well except the part that rewrites the hexadecimal value of the length. Code STREAM::disable STREAM::expression {@\x3Chttp://something1@\x17http://something2@} STREAM::enable Where \x3C is the length of the original string \x17 is the length of the replacement string As a result, \x3C is interpreted correctly as an hex caracter ('<' ascii) but \x17 is interpreted as a string of characters. So I am getting this byte sequence: 5C 78 31 37 68 74 74 70 3A 2F 2F ... -> \x17http:// ... Instead of expected one: 17 68 74 74 70 3A 2F 2F ... -> .http:// ... Is it a bug in the STREAM instruction or I am doing something wrong? Thank you261Views0likes2Commentsmatching and/or replacing + sign in STREAM::expression
I am using the ProxyPass v10/v11 iRule (link) to direct and rewrite http URIs and response payloads. Although I set everything up correctly and the irule builds the correct STREAM:expression according to my needs the stream command does not execute after the first + sign. I have tried escaping it with various methods (classical backslash, unicode escape sequences) but none worked so far. Did anyone had the same situation? I am pasting an example URI to be matched in content rewriting. Original: /TR+tr/some_example_http_path/some_example_file.ext Needs to be rewritten to: /some_example_http_path/some_example_file.ext240Views0likes2Comments