IIS Health Monitor - CURL giving me 403 Forbidden Error

Hello Experts!

I am attempting to set up a health monitor for our mobile banking IIS web servers. I am just attempting to get to the login page, and look for text - like "username" for example.

The GET request seems simple enough, but after duplicating it on the BIG-IP via the command line using CURL, I'm getting a 403 Forbidden error message. This is strange because the page does not require a login to get to it.

Using Fiddler to examine the page through my web browser (which works fine) I'm seeing the following data:

    GET /User/MobileAccessSignin/Username//r//n HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Here's the CURL command I'm using: (I'm using 1.2.3.4 as the node IP address.)

curl --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" http://1.2.3.4:80/User/MobileAccessSignin/Username

Any assistance would be great!

Thank you, Steve

0
Comments on this Question
Comment made 26-Sep-2016 by Steven Levchenko 3

Thank you, James!

There is a difference in the versions. I'm running 7.50.3 on my workstation and the BIG-IP is running 7.19.7.

Would upgrading the version of CURL on the F5 impact how the monitor works? Seems like a 3rd party app. It also seems to be coinciding with the actual functionality of the monitor - when I set the Receive String to an HTTP 403, it behaves as I expect it to (it keeps them in the pool.)

Cheers sir, Steve

0
Comment made 26-Sep-2016 by James Thomson

The F5 monitors do not use curl natively. What are you trying to accomplish? Do you want to use the built-in F5 monitor to monitor your webserver? If so, don't worry about the version of curl; follow the link I posted to try and create a functioning HTTP 1.1 monitor.

https://support.f5.com/kb/en-us/solutions/public/2000/100/sol2167.html

In the send string, you'll want something like this:

GET /User/MobileAccessSignin/Username HTTP/1.1\r\nHost: 1.2.3.4\r\nConnection: Close\r\n\r\n

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It possibly wants more HTTP 1.1 data. See this solution for how to craft an HTTP 1.1 request which could include a Host header. I've seen many servers not take requests unless they were 1.1 and had a Host header.

https://support.f5.com/kb/en-us/solutions/public/2000/100/sol2167.html

0
Comments on this Answer
Comment made 26-Sep-2016 by Steven Levchenko 3

Thank you for the quick reply!

I've reviewed several commands and gone through several experiments now. Something I'm seeing is that the exact same command from my workstation actually produces the expected results.

For example, the following - when run from the F5 - produces a 403, but when run on my Windows workstation actually produces .html code on screen.

curl http://1.2.3.4:80/User/MobileAccessSignin/Username//r//n

I'm just confused as to what is making the F5 so unique. And, I can confirm that the F5 is seeing the error because when I set the Receive string to be the 403 message, it keeps my test system in the pool.

Again, thank you for your time! Steve

0
Comment made 26-Sep-2016 by James Thomson

If you're getting the error when just running the CLI curl command on the F5, then you should compare versions of curl to your home machine.
Since curl is a separate program, I can't comment much on that.

Check which version of curl is on the BIG-IP. According to this, https://curl.haxx.se/docs/manpage.html, it started defaulting to HTTP 1.1 in curl 7.33.

Maybe your BIG-IP has an older version? curl -V

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi James,

I'm trying to use the built-in HTTP monitor to call the login page and look for certain words on that page - just to ensure that my IIS server is serving up content. We use these health monitors in many places - but there's something unique about this particular one. This is why I'm going down the CURL path - I'm trying to determine exactly what the F5 is seeing - and the evidence is that both the CURL command and the F5 GET commands are seeing a 403 message.

Additionally, when I use the F5 CLI and TELNET to the webserver node in question, then enter the following code, I get the same 403. At least there's consistency.

    [root@CLEVP-HLB01:Active:In Sync] log # telnet 1.2.3.4 80
    Trying 1.2.3.4...
    Connected to 1.2.3.4.
    Escape character is '^]'.

    ## THIS IS THE STUFF I ENTERED AT THE CONSOLE##
    GET / HTTP/1.1
    Host: public-dns.myorg.org
    Connection: Close
    ## PRESSED ENTER TWICE##

    HTTP/1.1 403 Forbidden
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Tue, 27 Sep 2016 14:23:44 GMT
    Connection: close
    Content-Length: 1233

I am using 11.6.0 HF6 on a 1600 series BIG-IP.

Except, when I run the same TELNET command from my workstation, I get a different result:

    HTTP/1.1 200 OK
    Content-Type: text/html
    Last-Modified: Mon, 24 Jun 2013 18:09:24 GMT
    Accept-Ranges: bytes
    ETag: "e4685f5571ce1:0"
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Tue, 27 Sep 2016 14:35:59 GMT
    Connection: close
    Content-Length: 106

    <html>
    <head>
        <meta http-equiv="refresh" content="0;url=/User">
    </head>
    <body>
    </body>
    </html>

I'm failing to understand how the telnet command on my workstation can differ from the utils on the F5.

I'm mainly trying to confirm what the F5 is seeing at this point in time.

All the best, Steve

0
Comments on this Answer
Comment made 28-Sep-2016 by Steven Levchenko 3

Hi James,

I want to thank you for your time on this issue. I spoke with F5 technical support, and we found the cause. We were able to confirm that the IIS server was in fact the one causing the 403 message - and in fact was blocking the self-IP address of the F5.

Background: (https://msdn.microsoft.com/en-us/library/aa291305(v=vs.71).aspx)

What was throwing us off was that a SNAT IP was configured - and as long as the traffic originated from the SNAT IP (i.e. any client that traversed the VIP) - it got to the server node. But if the traffic originated from the self-IP (health monitors, me running stuff from the CLI) then it was blocked by the IIS service. Since my workstation was not in the DENY list, I was able to get to the box just fine from my console.

Hope this helps someone someday.

Cheers, Steve

1
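
The thread's resolution (the same request returns 200 or 403 depending only on the source address the server sees) can be reproduced with a small probe that sends a monitor-style send string over a raw socket and checks for the receive string. This is an added example, not code from the thread or from F5; `probe` and `demo_server` are hypothetical names, and the demo server is a constructed stand-in for an IIS site with an IP deny list.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(host, port, send_string, recv_string, source_ip=None, timeout=5):
    """Send a monitor-style send string, optionally from a chosen local
    address, and return (status_line, recv_string_found)."""
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection((host, port), timeout, source_address=src) as s:
        s.sendall(send_string.encode("latin-1"))
        chunks = []
        while True:                      # read until the server closes
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    reply = b"".join(chunks).decode("latin-1")
    return reply.split("\r\n", 1)[0], recv_string in reply

def demo_server(denied_ips):
    """Constructed stand-in for a web server that answers 403 to any
    client address on its deny list and 200 to everyone else."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            blocked = self.client_address[0] in denied_ips
            body = b"Forbidden" if blocked else b"<label>username</label>"
            self.send_response(403 if blocked else 200)
            self.send_header("Content-Length", str(len(body)))
            self.send_header("Connection", "close")
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):    # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    # Send string from the thread, with real CR/LF bytes.
    SEND = ("GET /User/MobileAccessSignin/Username HTTP/1.1\r\n"
            "Host: 1.2.3.4\r\nConnection: Close\r\n\r\n")
    for deny in (set(), {"127.0.0.1"}):  # constructed deny lists
        srv = demo_server(deny)
        print(sorted(deny), probe("127.0.0.1", srv.server_port, SEND, "username"))
        srv.shutdown()
```

Against a real pool member, passing `source_ip` set to each local address the host owns shows which source the server's IP restrictions accept.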