iRule not capturing HTTP_REQUEST

Question

I am working on parsing the payload of an HTTP_REQUEST event and encrypting/decrypting usernames/passwords.  I am having trouble triggering the iRule for the specified request.  &nbsp;
&nbsp;I do a tcpdump on the LTM to capture the request and I see a POST from the client to the server to a specific authentication URL.  This should be captured in the HTTP_REQUEST event, correct?  Having no success, I simplified the process by simply logging the [HTTP::method].  All I see are GET's when clicking the same link.  Also, I tried logging the [HTTP::header names] and it is not the same list as the one I see in the dump.&nbsp;
&nbsp;Does anyone have any ideas why this iRule is not "seeing" the POST?  Could this be in the [TCP::payload]?  I tried logging the [TCP::payload] and got jibberish(at least to me ):D)&nbsp;
&nbsp;I can show code if you would like, but I think it might not be relevant to the problem at hand.&nbsp;
&nbsp;Any help would be appreciated, Thanks!

brian_69413 · Answer

Perhaps some insight into where the iRule "intercepts" the request would be helpful.  Does anyone know whether the tcpdump facility will get the packets first or will the iRule for the HTTP_REQUEST event?

hooleylist · Answer

I believe that the output from tcpdump would be written before LTM parses the HTTP headers and the HTTP_REQUEST event is triggered.  Maybe a developer could comment on that?&nbsp;
&nbsp;Are the POST requests that you don't see in the rule log coming over an existing TCP connection?&nbsp;
&nbsp;It might be helpful to log a statement in the CLIENT_ACCEPTED event with the client IP:port as well as in the HTTP_REQUEST event.&nbsp;
&nbsp;Could you post your virtual server and profiles from the bigip.conf as well as your rule so we can take a look?&nbsp;
&nbsp;Thanks,
&nbsp;Aaron

brian_69413 · Answer

Thanks for the reply, below is the code, I will have to get back to you on the others.  I am encrypting the username/password from the server and decrypting on the way back from the client.  I have it limited to my IP for now as I do not want to interrupt others.  It is the Client communication(POST) that I am not seeing, although it looks as if it is in the same TCP connection.&nbsp;&nbsp;when RULE_INIT { 
SET THE ENCRYPTION KEY
set ::key [AES::key 128]
}
when HTTP_REQUEST {
LIMIT TO A TEST PC's IP
if { ([IP::client_addr] equals "x.x.x.x") } {
COLLECT THE CONTENT 
switch [HTTP::method] {
"GET" {
log local0. "GET Request"
}
"POST" {
log local0. "POST Request"
if { [HTTP::header Content-Type] eq "application/x-www-form-urlencoded" } {
HTTP::collect [HTTP::header Content-Length]
}
}
}
}
}
when HTTP_REQUEST_DATA {
TESTING
set namevals [split [HTTP::payload] "&amp;"]
for {set i 0} {$i &lt; [llength $namevals]} {incr i} {
set params [split [lindex $namevals $i] "="]
log local0. "    [lindex $params 0] : [lindex $params 1]"
}
}
when HTTP_RESPONSE {
WHEN SERVER SENDS PASSWORD, START COLLECTING
if { [IP::client_addr] equals "x.x.x.x" } {
if { [HTTP::header "Content-Length"] == 733 } {
HTTP::collect [HTTP::header Content-Length]
}
}
}
when HTTP_RESPONSE_DATA {
EXTRACT USERNAME AND PASSWORD
set user [findstr [HTTP::payload] "j_username\" value=\"" 19 "\""]
set pass [findstr [HTTP::payload] "j_password\" value=\"" 19 "\""]
ENCRYPT THE USERNAME AND PASSWORD
set encrypted_user [b64encode [AES::encrypt $::key $user]]
set encrypted_pass [b64encode [AES::encrypt $::key $pass]]
DETERMINE THE LOCATION AND LENGTH OF THE USERNAME
set user_begin [string first "j_username" [HTTP::payload] 0]
set user_begin [incr user_begin 19]
set user_end [string first "\"" [HTTP::payload] $user_begin]
set user_end [incr user_end -1]
set user_len [string length [string range [HTTP::payload] $user_begin $user_end]]
REPLACE THE USERNAME
HTTP::payload replace $user_begin $user_len $encrypted_user
DETERMINE THE LOCATION AND LENGTH OF THE PASSWORD
set encrypt_user_len [string length $encrypted_user]
set encrypt_user_end [incr user_begin $encrypt_user_len]
set pass_begin [string first "j_password" [HTTP::payload] $encrypt_user_end]
set pass_begin [incr pass_begin 19]
set pass_end [string first "\"" [HTTP::payload] $pass_begin]
set pass_end [incr pass_end -1]
set pass_len [string length [string range [HTTP::payload] $pass_begin $pass_end]]
REPLACE THE PASSWORD
HTTP::payload replace $pass_begin $pass_len $encrypted_pass
HTTP::release
}

hooleylist · Answer

Can you add a few log statements to the rule?
when CLIENT_ACCEPTED {
   if { ([IP::client_addr] equals "x.x.x.x") } {
      log local0. "client [IP::client_addr]:[TCP::client_port] connected"
   }
}
when HTTP_REQUEST {
   log local0. "client [IP::client_addr]:[TCP::client_port] -&gt; [HTTP::method] -&gt; [HTTP::host][HTTP::uri] (HTTP v[HTTP::version])"
Then within the POST case, before any additional logic, add a log entry to show the Content-Type and Content-Length header values:
log local0. "client [IP::client_addr]:[TCP::client_port] -&gt; \
   [HTTP::method] -&gt; Content-Type: [HTTP::header value Content-Type], \
   Content-Length: [HTTP::header value Content-Length], \
   Transfer-Encoding: [HTTP::header value Transfer-Encoding]"
Aaron

brian_69413 · Answer

I added the logging.  It only confirms what I saw before, the tcpdump shows a POST and the iRule logs only GET's

Forum Discussion

iRule not capturing HTTP_REQUEST

8 Replies

Recent Discussions

[ASM] - what is "Browser Challenge file" ?

enable tls1.2 on management interface on F5 ltm running version 10.x

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Capturing source IP addresses for VIP

HTTP_REQUEST not firing

timeouts on specific http_request

HTTP:uri in HTTP_Request error (not supported)

iRULE regsub error