Payload Manipulation https / http

Question

Hello, 
&nbsp;  
&nbsp; i've got a ssl cert installed on a virtual server, traffic goes to the pool members unencrypted. 
&nbsp;  
&nbsp; im trying to modify the payload of the answer, doing a simple replacement. 
&nbsp;  
&nbsp; when HTTP_RESPONSE_DATA { 
&nbsp; regsub "somestring" [HTTP::payload] "foobar" newdata 
&nbsp; set clen [string length newdata] 
&nbsp; log local0. "$newdata" 
&nbsp; HTTP::payload replace 0 $clen $newdata 
&nbsp; HTTP::release 
&nbsp; } 
&nbsp;  
&nbsp; when im trying to access the page, my firefox tells me the server is using some kind of unknown compression and it can therefore not display the page. 
&nbsp;  
&nbsp; in the f5 logfile i've got just some binary data. 
&nbsp;  
&nbsp; is the http_response_data maybe called after the payload got processed through ssl encryption and so gets destroyed by the replacement? 
&nbsp;  
&nbsp; Any Help would be appreciated :-) 
&nbsp;  
&nbsp; Thanks, Moritz

hooleylist · Answer

Hi Moritz, 
  
 I'd suggest using a stream profile and STREAM::expression based iRule to do this instead of trying to buffer the payload with HTTP::collect / HTTP::payload. 
  
 Here is an example:

http://devcentral.f5.com/wiki/default.aspx/iRules/stream__expression 
 when HTTP_RESPONSE { 
  
     Disable the stream filter by default 
    STREAM::disable 
  
     Check if response type is text 
    if {[HTTP::header value Content-Type] contains "text"}{ 
  
        Replace somestring with foobar 
       STREAM::expression "@somestring@foobar@" 
  
        Enable the stream filter for this response only 
       STREAM::enable 
    } 
 }

Aaron

hooleylist · Answer

What are the symptoms of the issue?   
&nbsp;  
&nbsp; Do you get a response back from the VIP, but it doesn't have the response rewritten?  If so, you could check the configuration of the stream expression.  It is case sensitive.  Another possibility is that response compression is enabled on the server.  You can either disable it on the server or add code to the iRule to remove the Accept request header.  This prevents the server from sending compressed responses. 
&nbsp;  
&nbsp; Do you get a page cannot be displayed message in the browser?  If so, this is probably indicative of LTM sending a TCP reset to the client.  This could be due to a TCL error.  You can check the /var/log/ltm log file for details. 
&nbsp;  
&nbsp; Else, is there another symptom? 
&nbsp;  
&nbsp; Aaron

moritz_krinke_6 · Answer

Aaron, 
&nbsp;  
&nbsp; got it - after i edited the irule to remove the accept request header like you suggested, it worked - since i had compression enabled on all the servers servern the www-content. 
&nbsp;  
&nbsp; thanks a lot!

Forum Discussion

Payload Manipulation https / http

3 Replies

Recent Discussions

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Re: F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP header

HTTP Payload Collection

HTTP Multipart and Security Implications

Cache Manipulation Examples

irule reject request when payload field is null