stream profile
12 Topics

ASCII LF (0a) in STREAM
Is there a way to represent the hex 0a in the target of a STREAM::expression? Everything I try causes the literal "0a" or "\n" to be inserted instead of the representation of LF.

    STREAM::expression {@\x0d@\x0a@}

Result of replacement is "\x0a" (5c 78 30 61)

    STREAM::expression {@\x0d@\n@}
    STREAM::expression {@\r@\n@}

Both of these cause the replacement to be the literal "\n" (5c 6e). It seems that the search operation handles regex/hex just fine, but the replacement chokes on anything other than ASCII.

271 Views, 0 likes, 2 Comments

Stream expression for TCP payload
So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within a HTTP_RESPONSE event and specify a reg expression. So for my test, I wanted to capture an alphanumeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. I did return other values but that's beside the point I'm getting to. This is how I approached it with a stream profile within a HTTP_RESPONSE event.

    when HTTP_REQUEST {
        STREAM::disable
        if { [HTTP::header value "Host"] equals "winweb1.clearshark.net" } {
            set host [HTTP::header value "Host"]
            HTTP::header remove "Accept-Encoding"
        }
    }
    when HTTP_RESPONSE {
        if { [info exists host] } {
            if { $host equals "winweb1.clearshark.net" } {
                STREAM::expression {@[a-zA-Z0-9]{13,16}@}
                STREAM::enable
            }
        }
    }
    when STREAM_MATCHED {
        log local0. "Stream matched [STREAM::match]"
    }

Now... I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success.

    when CLIENT_ACCEPTED {
        STREAM::disable
    }
    when SERVER_CONNECTED {
        TCP::collect
        if { [IP::client_addr] equals "172.16.211.103" } {
            log local0. "Stream enabled"
            STREAM::expression {@[a-zA-Z0-9]{13,16}@}
            STREAM::enable
        }
    }
    when STREAM_MATCHED {
        log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]"
    }

I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within a HTTP_RESPONSE event. I know this seems like a quirky use case but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward. I appreciate any and all help!

304 Views, 0 likes, 2 Comments

STREAM::disable and APM
TMOS 11.3.0 HF6

Does this:

    when HTTP_REQUEST {
        # Disable the stream filter for all requests
        STREAM::disable
    }

break APM? If not, does anybody know why I get this line in /var/log/ltm:

    local/tmm err tmm[5477]: 01220001:3: TCL error: /Common/stream_test - Operation not supported (line 1) invoked from within "STREAM::disable"

Thanks.

375 Views, 0 likes, 3 Comments

Rewriting response with STREAM not working properly
Hello, I am developing an iRule to rewrite a response from the Web server. I need to rewrite a chain of characters AND its length specified in the first character as a hex value. The iRule works well except the part that rewrites the hexadecimal value of the length.

Code:

    STREAM::disable
    STREAM::expression {@\x3Chttp://something1@\x17http://something2@}
    STREAM::enable

Where
\x3C is the length of the original string
\x17 is the length of the replacement string

As a result, \x3C is interpreted correctly as a hex character ('<' ascii) but \x17 is interpreted as a string of characters. So I am getting this byte sequence:

    5C 78 31 37 68 74 74 70 3A 2F 2F ... -> \x17http:// ...

Instead of the expected one:

    17 68 74 74 70 3A 2F 2F ... -> .http:// ...

Is it a bug in the STREAM instruction or am I doing something wrong? Thank you

267 Views, 0 likes, 2 Comments

Can I use a STREAM profile to replace response status code?
We have a smart 404 page that Google and other bots do not appreciate. It throws a 200 OK instead of a 404 Not Found. I can't do much on the server side to change this behavior, so I am looking to the BIG-IP for help. Can I replace the status code in the response using a STREAM profile? I followed this post - realizing it's not exactly what I am looking to do. It does not replace the status code.

Basic HTTP STREAM Profile

I've seen the payload approach where you gather some bytes and do a replace on that, but I think it requires recursion to gather all of the data and it seems messy. I was hoping the STREAM profile approach would work here. Any help would be appreciated! Here is what my General_Not_Found_iRule currently looks like:

    when HTTP_REQUEST {
        # collect the uri of the request
        #  > convert uri to lower but keep original intact
        set uri [HTTP::uri]
        set lowerUri [string tolower [HTTP::uri]]
        # identify the uri that will trigger the 404 replacement in response
        #  > instantiating variables is rarely a bad idea
        set notFoundTriggerString "/404/pages/default.aspx"
        set notFoundTriggered 0
        # disable the STREAM profile until we need it
        STREAM::disable
        if { $lowerUri contains $notFoundTriggerString } {
            # tell server not to compress the response
            #  > the stream functions do not work with a compressed response
            HTTP::header remove "Accept-Encoding"
            # set the not found flag to 1 for execution in the response
            set notFoundTriggered 1
        }
    }
    when HTTP_RESPONSE {
        if { $notFoundTriggered equals 1 } {
            # set the find/replace expression for the STREAM profile
            #  > it looks ugly, but it's the right syntax...
            STREAM::expression "@200 OK@404 Not Found@"
            # now enable the STREAM profile
            STREAM::enable
        }
    }

241 Views, 0 likes, 1 Comment

HTTP_RESPONSE - STREAM::expression to replace one string with another in HTTP data payload
I am trying to replace any instance of a certain URI whenever it occurs in the HTTP response data. It occurs within JavaScript <script> tags of the HTML document. I have the default system stream profile on the virtual server, and I'm using an iRule. When I inspect the web page after in my browser, I still see the URI that I am trying to replace, even the first instance of it. Although, as I understand it from reading the content at the links below here, I am using STREAM::expression in my iRule, so I think it should replace all occurrences, not just the first. Seems to not be replacing any though.

https://support.f5.com/csp/article/K39394712
https://clouddocs.f5.com/api/irules/STREAM__expression.html

I have also checked these out:

https://devcentral.f5.com/s/articles/ltm-stream-profile-multiple-replacements--regular-expressions
https://clouddocs.f5.com/api/irules/STREAM__replace.html

Here is what I have.

    # FQDN app.example.com resolves to ltm virtual server SNAT IP
    # if URI starts with /fooportal
    # then reverse proxy to https://example.com/fooportal
    # if the URI started with anything other than /fooportal
    # then 307 redirect to host example.com
    # but with the originally requested path
    #
    #
    when HTTP_REQUEST {
        # Disable the stream filter for client requests
        STREAM::disable
        # only requests to app.example.com will come to this virtual server
        # app.example.com has a DNS Address record to this virtual server's SNAT IP Address
        # whereas the DNS Address record for example.com is the back-end real server address
        if { ([string tolower [HTTP::uri]] starts_with "/fooportal") } {
            HTTP::header replace Host "example.com"
            pool example.com_HTTPS_Pool
        } elseif { ([string tolower [HTTP::header host]] eq "app.example.com") } {
            HTTP::header replace Host "example.com"
            HTTP::respond 307 Location https://[HTTP::host][HTTP::uri]
        }
    }
    when HTTP_RESPONSE {
        # Disable the stream filter for server responses
        STREAM::disable
        # Enable the stream filter for text responses only
        if { ([HTTP::status] == 200) && ([HTTP::header value Content-Type] starts_with "text") } {
            # Replace 'example.com' with 'app.example.com'
            STREAM::expression {@example.com/fooportal/@app.example.com/fooportal/@}
            # Enable the stream filter
            STREAM::enable
        }
    }

1.2K Views, 0 likes, 1 Comment

Basic HTTP Stream Profile
Hi all, I basically try to use the stream profile to replace the http:// string of my server side response data with https:// and just changed my custom stream profile as below :

But though I simply click the http://192.168.50.111/ into my web browser, it just keeps load balancing and retrieves a pool member with a HTTP 200 OK code. Isn't it expected that it must show me https://192.168.50.111 instead of http? In my research, it says if the web page returns 302, 303 or 307 status codes, we can see a Location Header which can show the replaced URL as https://blabla in the captured packets (collected with Wireshark) or something else. Is there any other configuration in F5 menu to apply the stream profile correctly? I want to only use the Stream Profile, not an iRule. However iRule didn't work either. I really don't know why. Here's the curl command result :

Thank you.

1.1K Views, 0 likes, 5 Comments

Some image content can't be loaded and work properly
Dear all, I have deployed BIG-IP LTM for my customer. The function of this appliance is to offload and load balance the portal server (used to log in to the customer site). The problem occurs when we offload the HTTPS: the whole page seems broken. I tried to use this link https://devcentral.f5.com/codeshare?sid=573, the whole page is still broken and the authentication always failed. However, some image content can be loaded and work properly. After that I tried to use a stream profile, but not the rewrite profile that I talked about before, with the HTTP profile response chunking set to re-chunk. The page can now be loaded and work properly, neither the authentication, but unfortunately some images are still broken. Any suggestion about this problem? Thank you

561 Views, 0 likes, 4 Comments

Stream Profile or HTML Content Profile
HTML Content profiles seem to be new with 11.0 and I can't find much discussion on them being used. There are lots of examples of using stream profiles. I would like to know if there is a performance advantage of using the HTML Content profiles or are they a way to "simplify" stream processing? Is there a preference for injecting JavaScript monitoring into an application? I'm using APM in my environment and I have encountered this issue: https://support.f5.com/kb/en-us/solutions/public/12000/500/sol12558.html Would using HTML Content profiles be another way around this problem? Thank-You.

286 Views, 0 likes, 0 Comments