IRULE: TCL Error when trying to invoke STREAM expression.

So recently I created an HTTPS front-end to an HTTP application so I could put an SSO APM policy on the front-end for external entities to access the site. I then realized that the application developers hard-coded absolute links into the site's code pointing to http. So I tried putting a generic stream profile on the virtual server and using the iRule off DevCentral to rewrite the links on the responses back to the user. However, when I try to do this, I receive this Tcl error in the logs and it breaks my virtual server.

TCL error: /Common/http_rewrite_https - Operation not supported (line 1) invoked from within "STREAM::expression {@http://test.com@https://test.com@}"

Here is the iRule that I'm using off of DevCentral.

when HTTP_REQUEST {
    HTTP::header remove Accept-Encoding
    STREAM::disable
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }
    if { [HTTP::header Content-Type] contains "text" } {
        STREAM::expression {@http@https@}
        STREAM::enable
    }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

What version are you running? Is it 11.x?

Comments on this Answer
Comment made 01-May-2014 by Brett 253
I'm running 11.4.1

Do you have a stream profile assigned to the VS this rule is on, with no source or target strings specified?

Comments on this Answer
Comment made 01-May-2014 by Brett 253
I do, I applied the default stream profile that has no source or target defined.

Can you try adding 'value' to this line, please:

if { [HTTP::header value Content-Type] contains "text" } {
Comments on this Answer
Comment made 01-May-2014 by Brett 253
I made the change, but received the same results.

Can you try to not use APM? There is a bug in 10.x but it is already fixed in 11.x.

Comments on this Answer
Comment made 01-May-2014 by Brett 253
I removed the APM policy and tried it and it works fine. So apparently it has to do with APM. Any suggestions? Thank you for your help.

Sorry, I know nothing about APM. Anyway, I believe another guy will give you a hand. :)

By the way, this is the bug I mentioned.

sol12558: The BIG-IP APM system logs an error message when processing iRule stream events on an internal URI
https://support.f5.com/kb/en-us/solutions/public/12000/500/sol12558.html


That SOL made me chuckle a little. It hadn't occurred to me to use a layered VIP to fix this, and I'm not 100% convinced that it couldn't be solved without it. I do know that the problem indicated in the SOL is still there in 11.5 and that it only manifests (oddly) under certain visual policy configurations. So in any case, a layered VIP should indeed solve the issue. Put an LTM VIP on the outside, with your STREAM processing iRule, and send the traffic to an internal APM VIP. You could alternately put the APM VIP on the outside and the LTM VIP with STREAM iRule on the inside.


Although I am only running LTM V10 I use quotes instead of the curly brackets:

STREAM::expression "@http@https@"


I tried using the solution sol12558 (version 11.5.1) but when using Network Access it will fail, when using an LTM frontend forwarding to an APM backend virtual. What seems to work for me is using the opposite sandwich with APM as frontend and LTM as backend.

I've tried to find the cause but all I could tell was that the request "GET /isession?sess=xxxxxxxxxxxxx&ipv4=yes&ipv6=yes HTTP/1.0" is truncated, or only half answered, when using an LTM frontend.


Do you have any other iRule applied to the same virtual server?


Same issue in 11.6. Layered VS with LTM-Stream in front also worked for me, though I'd prefer a tidier solution.


Hello, I know this has been around a while but the single VS solution I use is to place a catch around the stream disable and only enable the stream when the policy is in the allow state using a flag:

when CLIENT_ACCEPTED {
    set disableStream 1
}
when HTTP_REQUEST {
    catch { STREAM::disable }
}
when ACCESS_ACL_ALLOWED {
    set disableStream 0
}
when HTTP_RESPONSE {
    if { $disableStream } { return }
    # rest of STREAM code
}

We no longer have errors, hope it helps.


I'm fairly sure you have to disable stream in HTTP_RESPONSE if you are going to replace/update the string.

I believe that STREAM replacement is enabled in both directions (inbound on REQUEST and outbound on RESPONSE) but they are treated independently. So you have to disable on both.

Comments on this Answer
Comment made 2 months ago by giltjr 942

Oh, you may want to use:

@http://@https://@

Just in case the string http appears someplace in the response where somebody really wants the string http.
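
The three expressions that appear in this thread can be compared offline before one of them is attached to a virtual server. The following Python model is an added example, not code from the thread or from F5: it assumes the `@search@replace@` syntax with space-separated rules, literal single-pass matching, and a constructed response body; all function names are hypothetical.

```python
import re

def parse_stream_expression(expr):
    """Split '@search@replace@ @search2@replace2@' into (search, replace) pairs.
    The first character of each rule is that rule's delimiter."""
    rules, i = [], 0
    while i < len(expr):
        if expr[i].isspace():
            i += 1
            continue
        parts = expr[i + 1:].split(expr[i], 2)
        if len(parts) < 3:
            raise ValueError(f"unterminated rule at offset {i}")
        rules.append((parts[0], parts[1]))
        i += len(parts[0]) + len(parts[1]) + 3
    return rules

def apply_stream(expr, body):
    """One left-to-right pass; search strings are treated as literals
    (an assumption that simplifies the real stream filter)."""
    rules = dict(parse_stream_expression(expr))
    if not rules:
        return body
    pattern = re.compile("|".join(re.escape(s) for s in rules))
    return pattern.sub(lambda m: rules[m.group(0)], body)

def changed_lines(expr, body):
    """Return the 1-based numbers of the body lines the expression rewrites."""
    before, after = body.splitlines(), apply_stream(expr, body).splitlines()
    return [n for n, (a, b) in enumerate(zip(before, after), 1) if a != b]

# Constructed response body, not taken from the thread.
SAMPLE = """\
<a href="http://test.com/login">Login</a>
<a href="https://test.com/account">Account</a>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<p>Proxy key: network.http.proxy</p>
<script src="http://cdn.example.org/lib.js"></script>
"""

BROAD = "@http@https@"                       # expression in the question's iRule
SCHEME = "@http://@https://@"                # expression suggested in the comment
HOST = "@http://test.com@https://test.com@"  # expression in the logged error

if __name__ == "__main__":
    for name, expr in (("broad", BROAD), ("scheme", SCHEME), ("host", HOST)):
        print(name, changed_lines(expr, SAMPLE))
```

On this sample the broad expression touches every line: the existing `https://` link becomes `httpss://` and `http-equiv` becomes `https-equiv`, so the browser no longer applies the meta Content-Security-Policy. The scheme-only expression leaves those alone but still rewrites the third-party script URL, which only the host-scoped expression avoids.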