F5 irule points to websockets server, but no response back

Question

Currently, we run 32bit 10.2.3 F5.  &nbsp;
We are trying to use websockets via an irule.&nbsp;
For example, the user comes in via the https F5 virtual server, and is directed via an irule to the websockets pool (in this case EXPQA_Pool_11_12)&nbsp;
 &nbsp;
irule:&nbsp;
when HTTP_REQUEST {&nbsp;
     HTTP::header insert "X_CLIENT_IP" [IP::client_addr]   &nbsp;
     HTTP::header insert "X-Forwarded-For" [IP::client_addr] &nbsp;
    if { [string tolower [HTTP::uri]] starts_with "/ws" } {&nbsp;
        pool EXPQA_Pool_11_12&nbsp;
        return&nbsp;
    } else {&nbsp;
        pool EXPQA_Pool&nbsp;
        return&nbsp;
    }&nbsp;
}&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
On our test site, we are able to initially connect to the websocket server:&nbsp;
-- 2013-07-30T19:07:57.987Z: Connection is opened...&nbsp;
 &nbsp;
However, after two minutes, the response never makes it back from the websocket server:&nbsp;
TX 2013-07-30T19:07:58.815Z: Device info for serial 1&nbsp;
-- 2013-07-30T19:09:57.978Z: Connection is closed...&nbsp;
 &nbsp;
 &nbsp;
If we go around the F5, and connect directly to the websocket server, it works fine instantly:&nbsp;
-- 2013-07-30T19:21:48.092Z: Connection is opened...&nbsp;
TX 2013-07-30T19:21:49.532Z: Device info for serial 1&nbsp;
RX 2013-07-30T19:21:50.094Z: {"status":"Device found."}&nbsp;
-- 2013-07-30T19:21:50.094Z: Connection is closed...&nbsp;
 &nbsp;
 &nbsp;
Any idea why going through the F5 for our websockets conversation would experience that issue?&nbsp;
 &nbsp;
thanks much!&nbsp;
Keith Varga&nbsp;

nitass · Answer

the user comes in via the https F5 virtual server, and is directed via an irule to the websockets pool (in this case EXPQA_Pool_11_12)i am not familiar with websocket. anyway, don't you need to disable http profile (i.e. HTTP::disable) when detecting websocket traffic?

keith_varga_107 · Answer

correct, we do need to disable http for it to work, and it does.  however, we still wanted to have the irule, and the F5 said we couldn't have the irule and http profile enabled together.  We found a solution though.   Simply add the HTTP::disable 
&nbsp; directive to the irule, and now it works! 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;     HTTP::header insert "X_CLIENT_IP" [IP::client_addr] 
&nbsp;     HTTP::header insert "X-Forwarded-For" [IP::client_addr] 
&nbsp;    if { [string tolower [HTTP::uri]] starts_with "/ws" } { 
&nbsp;        pool EXPQA_Pool_11_12 
&nbsp;        HTTP::disable 
&nbsp;        return 
&nbsp;    } else { 
&nbsp;        pool EXPQA_Pool 
&nbsp;        return 
&nbsp;    } 
&nbsp; } 
&nbsp;  
&nbsp; thanks much all 
&nbsp; -Keith 
&nbsp;  &nbsp;

smedakkar_85975 · Answer

Hi,
I know the original post here is about a month old but I have just set up our F5 to do just this. However we also have our iRule also restricting URIs based on a DataGroupList as below:
when HTTP_REQUEST { 
  if { [matchclass [HTTP::uri] starts_with $::MyValidUris] } {
        HTTP::disable
  } else {
    HTTP::respond 404 content [subst $::block_page]
  }
}

The problem I have is that once HTTP::disable is invoked, F5 can no longer parse the requests as HTTP and therefore cannot restrict URIs as before.
Is there anyway to re-enable the HTTP profile but selectively disable it when a websocket request comes through? 
Imagine a web site like Amazon, that users can browse. At some point when they want to contact an agent via a "webphone", the site creates a websocket connection to the backend server. If when they want to carry on browsing the site and happen to change the URI on their browser go to an admin page, the iRule no longer restricts that URI. This is the problem I'm trying to work through. Any ideas on what I could do with my iRule would be greatly appreciated.
Thank you.
Sachin

kevin_stewart · Answer

Try something like this:
when CLIENT_ACCEPTED {
    HTTP::enable
}
when HTTP_REQUEST {
    if { [matchclass [HTTP::uri] starts_with $::MyValidUris] } [
        HTTP::disable
    } else {
        HTTP::respond 404 content [subst $::block_page]
    }
}

smedakkar_85975 · Answer

Thank you for your reply. &nbsp;
I looked at the docs about this and they say that CLIENT_ACCEPTED is triggered when an entry is inserted in the BIG-IP connection table - meaning only once when the TCP connection is established. &nbsp;
It feels like that means if a website user were to navigate to an unrestricted part of the website, the HTTP profile would be disabled but never re-enabled as the TCP connection has already been established. Therefore allowing the user to change the URI to point at a restricted page.&nbsp;
Do you know if there is a trigger that's fired every time a request is made ... other than a HTTP trigger seeing as that might have been disabled?&nbsp;

Forum Discussion

F5 irule points to websockets server, but no response back

9 Replies

Recent Discussions

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Related Content

Load Balancing WebSockets

Introduction of Incident Response

custom response page for api

Remove X- Headers From Web Server Response

Virtual server connection limit with HTTP response