Forum Discussion

bdavis's avatar
bdavis
Icon for Nimbostratus rankNimbostratus
May 01, 2014

IRULE: TCL Error when trying to invoke STREAM expression.

So recently I created a https front-end to a http application so I could put a SSO apm policy on the front-end for external entities to access the site. I then realized that the application developer's hard coded absolute links into the sites code pointing to http. So I tried putting a generic stream profile on the Virtual Server and using the irule off devcentral to rewrite the link's on the responses back to the user. However when I try to do this I receive this tcl error in the logs and it breaks my virtual server.

 

TCL error: /Common/http_rewrite_https - Operation not supported (line 1) invoked from within "STREAM::expression {@http://test.com@https://test.com@}"

 

Here is the irule that I'm using off of Devcentral.

 

when HTTP_REQUEST {
    HTTP::header remove Accept-Encoding
    STREAM::disable
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }
    if { [HTTP::header Content-Type] contains "text" } {
        STREAM::expression {@http@https@}
        STREAM::enable
    }
}
application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
devops
iRules
security

13 Replies

Sort By
Show More
  • AP's avatar
    AP
    Icon for Nimbostratus rankNimbostratus
    Jul 23, 2015

    Same issue in 11.6. Layered VS with LTM-Steam in front also worked for me, though I'd prefer a tidier solution.

     

  • Martin_Robbins's avatar
    Martin_Robbins
    Icon for Nimbostratus rankNimbostratus
    Jul 06, 2018

    Hello, I know this has been around a while but the single VS solution I use is to place a catch around the stream disable and only enable the stream when the policy is in the allow state using a flag:

     

    when CLIENT_ACCEPTED { set disableStream 1 }
when HTTP_REQUEST { catch { STREAM::disable } }
when ACCESS_ACL_ALLOWED { set disableStream 0 }
when HTTP_RESPONSE { if { $disableStream } { return }
 :
 rest of STREAM code
 :
}

    We no longer have errors, hope it helps.

     

  • giltjr_32735's avatar
    giltjr_32735
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2018

    I'm fairly sure you have to disable stream in HTTP_RESPONSE if you are going to replace/update the string.

     

    I believe that STREAM replacement is enabled in both directions (inbound on REQUEST and outbound on RESPONSE) but they are treated independently. So you have to disable on both.