Forum Discussion
HTTP Class not supported on 11.4 and above
All,

Is there a tool to convert http classes to a local traffic policy? I have a support ticket opened with F5; however, they are recommending removing all the http class profiles, then upgrading from 11.3 to 11.4 and manually creating the traffic policies. This will require hours to replicate all the http class policies to local traffic policies.

Below is an example of one of the http class policies and the install log; need to get rid of the * strings and regex expressions. Has anyone had to deal with this issue? Need to upgrade from 11.3 to resolve the GHOST and TLS POODLE vulnerabilities.

Thanks, Bryce
```
ltm profile httpclass Preview_apache_static {
    app-service none
    defaults-from httpclass
    paths {
        glob:/gif glob:/.pdf glob:/.txt glob:/.css glob:/.GIF glob:/.SWF
        glob:/.PDF glob:/.TXT glob:/.CSS glob:/.flv glob:/.FLV glob:/.png glob:/.PNG
        glob:/.ico glob:/.swf glob:/.js glob:/.JS
        regex:/.js[^p]+.*
        regex:/.JS[^p]+.*
        glob:/.JS glob:/.jpg glob:/.JPG glob:/.jpg
        regex:(\?i)^(\?!.*\\.jsp).\\.html\?.$
        glob:/.ogv glob:/.ttf* glob:/.mpv glob:/.webm glob:/*.m4v glob:/.mp4 glob:/.xml
    }
    pool preview_static_lb
    redirect none
```
/var/log/liveinstall.log
info: ERROR: The httpclass profile(s) for policy /Common/Preview_apache_static did not roll forward:
7 Replies
- Brad_Parker
Cirrus
To my knowledge, the upgrade to 11.4 is the only "tool" there is that converts http classes to policies. With that said, it's not always able to convert every one, and that's why you see that error. This SOL may be of use. You can replace your complex regex with something simple as a placeholder, upgrade, and re-create them.
https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14409.html
- StephanManthey
Nacreous
Hi Bryce,
- Bryce_Halkerst1
Nimbostratus
All,

Thanks for the responses. I am going to replace the http class with iRules. I have one regex that I am having problems with. Does anyone know how to convert the below expression? Looks like it was designed to allow anything with .js except .jsp. Not sure how to do this in an iRule.

Thanks, Bryce

regex:/.js[^p]+.*
- StephanManthey
Nacreous
Hi Bryce,
for testing you can go with this one:
```tcl
when HTTP_REQUEST {
    # Test version: log which pattern matched the lower-cased path.
    switch -regexp [string tolower [HTTP::path]] {
        {\.gif$} { log local0. "[HTTP::path] matches <\.gif$>" }
        {\.pdf$} { log local0. "[HTTP::path] matches <\.pdf$>" }
        {\.txt$} { log local0. "[HTTP::path] matches <\.txt$>" }
        {\.css$} { log local0. "[HTTP::path] matches <\.css$>" }
        {\.swf$} { log local0. "[HTTP::path] matches <\.swf$>" }
        {\.flv$} { log local0. "[HTTP::path] matches <\.flv$>" }
        {\.png$} { log local0. "[HTTP::path] matches <\.png$>" }
        {\.ico$} { log local0. "[HTTP::path] matches <\.ico$>" }
        {\.js$} { log local0. "[HTTP::path] matches <\.js$>" }
        {\.js[^p]+.*$} { log local0. "[HTTP::path] matches <\.js[^p]+.*$>" }
        {\.jpg$} { log local0. "[HTTP::path] matches <\.jpg$>" }
        {\.ogv$} { log local0. "[HTTP::path] matches <\.ogv$>" }
        {\.ttf.*$} { log local0. "[HTTP::path] matches <\.ttf.*$>" }
        {\.mpv$} { log local0. "[HTTP::path] matches <\.mpv$>" }
        {\.webm$} { log local0. "[HTTP::path] matches <\.webm$>" }
        {\.*.m4v$} { log local0. "[HTTP::path] matches <\.*.m4v$>" }
        {\.mp4$} { log local0. "[HTTP::path] matches <\.mp4$>" }
        {\.xml$} { log local0. "[HTTP::path] matches <\.xml$>" }
        default { log local0. "<[HTTP::path]> no match; using default pool" }
    }
    # Answer directly so no pool member is needed while testing.
    HTTP::respond 200 content "okay" Connection close
}
```
Due to the string tolower we can reduce the number of comparisons.
Maybe your app is working with the following one:
```tcl
when HTTP_REQUEST {
    # Any matching extension falls through ("-") to the shared pool body.
    switch -regexp [string tolower [HTTP::path]] {
        {\.gif$} -
        {\.pdf$} -
        {\.txt$} -
        {\.css$} -
        {\.swf$} -
        {\.flv$} -
        {\.png$} -
        {\.ico$} -
        {\.js$} -
        {\.js[^p]+.*$} -
        {\.jpg$} -
        {\.ogv$} -
        {\.ttf.*$} -
        {\.mpv$} -
        {\.webm$} -
        {\.*.m4v$} -
        {\.mp4$} -
        {\.xml$} { pool preview_static_lb }
        default { log local0. "<[HTTP::path]> no match; using default pool" }
    }
}
```
I'm struggling with an expression '(?i)^(?!.*.jsp)..html?.$' from your httpclass.
It's case insensitive with a negative lookahead to match everything not containing ".jsp" and ending with "htm" or "html" followed by some single character, if I got it right.
Thanks, Stephan
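
An offline check of the pattern list from the second iRule above, added here as an example and not part of the original thread. It runs under plain tclsh 8.5 or later outside BIG-IP; the `classify` proc and the sample paths with their expected pools are constructed for illustration.

```tcl
# Pattern list from the second iRule above (with \.swf end-anchored).
set static_patterns {
    {\.gif$} {\.pdf$} {\.txt$} {\.css$} {\.swf$} {\.flv$} {\.png$} {\.ico$}
    {\.js$} {\.js[^p]+.*$} {\.jpg$} {\.ogv$} {\.ttf.*$} {\.mpv$} {\.webm$}
    {\.*.m4v$} {\.mp4$} {\.xml$}
}

# Mirrors the iRule: lower-case the path, first matching pattern wins.
# Returns {pool pattern}; pool is "default" when nothing matches.
proc classify {path patterns} {
    set p [string tolower $path]
    foreach re $patterns {
        if {[regexp -- $re $p]} {
            return [list preview_static_lb $re]
        }
    }
    return [list default ""]
}

# Constructed sample paths, each followed by the pool it should reach.
set cases {
    /img/logo.GIF     preview_static_lb
    /js/app.js        preview_static_lb
    /js/app.js.map    preview_static_lb
    /js/app.json      preview_static_lb
    /fonts/a.ttf2     preview_static_lb
    /app/login.jsp    default
    /app/login.JSP    default
    /index.html       default
}

set mismatches 0
foreach {path want} $cases {
    lassign [classify $path $static_patterns] got re
    if {$got ne $want} {
        incr mismatches
    }
    puts [format "%-16s -> %-18s %s" $path $got $re]
}
puts "mismatches: $mismatches"
```

Extending `cases` with real request paths from the 11.3 access logs before the upgrade shows whether the iRule routes them the same way the httpclass profile did.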
- Bryce_Halkerst1
Nimbostratus
Stephan, New iRules are working perfectly! Just needed to add a couple of static expressions and combined to my existing domain responder iRules. Thanks for your assistance! Now I can upgrade the code to resolve TLS POODLE and GHOST. Thanks, Bryce
```tcl
when HTTP_REQUEST {
    if { ([HTTP::host] equals "stage.foo.com") or ([HTTP::host] equals "206.X.X.X") } {
        HTTP::respond 301 Location "http://www.stage.foo.com[HTTP::uri]"
        # Content expressions to pools
    }
    switch -regexp [string tolower [HTTP::path]] {
        {.gif$} -
        {.pdf$} -
        {.txt$} -
        {.css$} -
        {.swf} -
        {.flv$} -
        {.png$} -
        {.ico$} -
        {.js$} -
        {.js[^p]+.$} -
        {.html$} -
```
- StephanManthey
Nacreous
Hi Bryce, thanks for the feedback. Please make sure to have a OneConnect profile assigned allowing the request switching inside an HTTP keep-alive connection. Cheers, Stephan
- Bryce_Halkerst1
Nimbostratus
Stephan, I do have OneConnect enabled on all the vips. Thanks, Bryce