Forum Discussion

Joe_Hsy_45207's avatar
Joe_Hsy_45207
Icon for Nimbostratus rankNimbostratus
Mar 09, 2007

Suggested fix for CreditCardScrubber and Phishing-Prevention samples on pages without the Content-length header

 

Hi,

 

 

If you wrote an iRule based on the CreditCardScrubber or Phishing-Prevention and are running them against web sites that serve pages without the Content-length header (i.e. chunking servers), you may not be aware that the iRule may not work be working consistently.

 

 

After much hair-pulling and experimentation, I've discovered why my iRule (as well as the sample CCS and PP iRules) was not working for these pages. It turns out that calling HTTP:collect with 4294967295 fails to generate the necessary HTTP_RESPONSE_DATA invocation.

 

 

I found this quite by accident. Just to see what would happen, I manually set HTTP::collect to the exact size of my page content (77) and *BAM*, everything worked. So, I upped it to 100 and again it worked. So, I kept ratcheting it up and as I got around 3 gigs, I started to see intermittent missing HTTP_RESPONSE_DATA again.

 

 

While I certainly don't know for sure, I suspect that when calling HTTP:collect with a very large number (4 gig+) it may fail due to memory allocation. I finally settled on using HTTP:collect 1000000000 (1 gig) just to be safe and it has been very stable on our boxes (running 9.2 and 9.4).

 

 

I don't know if anyone else has run into this issue, but I would suggest to the powers that be that the sample iRules be changed to deal with this issue. It would also be good have a better theoretical basis for choosing the number as opposed to empirical experimentation. 8-)

 

 

Thanks!

 

 

//Joe
application delivery
dev
devops
iRules

2 Replies

Sort By
  • Joe_Hsy_45207's avatar
    Joe_Hsy_45207
    Icon for Nimbostratus rankNimbostratus
    Mar 09, 2007

     

    Ah,

     

     

    I guess I am still operating under the old-school concept of "blessed" official content needing to be vetted by the company powers that be. 8-) This just shows that I need some adjustment in my thinking!

     

     

    However, on the other hand, it would be nice from a customer/partner perspective to know which iRule samples have been verified/validated/tested/"blessed"/... officially by F5 as a company. And if none of the samples have, I would propose that it would be useful to have such a set of samples with some minimal criteria of sanity check or at least the samples that has been "verified" be marked as such.

     

     

    I love the site and the concept of DevCentral, however. Keep up the great work!

     

     

    //Joe

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Mar 12, 2007
    Look carefully at the disclaimer at the bottom of the page. The great thing about community is that you own this site just as much as I or any of the developers from F5. This site will only be comprehensive and accurate if users like yourself dig in to a problem, solve it, and inform everyone else. We're all better for your efforts, thanks!

     

     

    To the point of F5 "blessed" configurations, if F5 is required to put a stamp of approval on the solutions posted to codeshare, the wiki, or the forums, the site will no longer be F5 supported. It's just the reality of business. But where F5 is willing to break the corporate model is to back it, albeit unofficially supported, with internal resources.