Missing POST Parameters

Question

I have a virtual server with an iRule that redirects traffic by hostname. E.g.
when CLIENT_ACCEPTED {
  switch [string tolower [HTTP::host]] {
    somesite.myawesomedomain.com { virtual vs_child_somesite }
    someothersite.myawesomedomain.com { virtual vs_child_someothersite }
  }
}

This normally works great, but when a POST is sent to any of these servers, I don't see the POST data and the Content-Length is 0.
Running tcpdump on the web server to capture the POST requests reveals the issue:
sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] &amp; 0xf0) &gt;&gt; 2):4] = 0x504f5354)'

POST /signin HTTP/1.1
host: somesite.myawesomedomain.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: _session=s1092tyahglskghado1i2
Origin: https://somesite.myawesomedomain.com
Referer: https://somesite.myawesomedomain.com/signin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
X-Forwarded-For: 1.2.3.4
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Content-Length: 0
Connection: keep-alive

Everything works fine if I go around the F5, straight to the server itself:
POST /signin HTTP/1.1
host: somesite-direct.myawesomedomain.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: _session=s1092tyahglskghado1i2
Origin: https://somesite.myawesomedomain.com
Referer: https://somesite.myawesomedomain.com/signin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
X-Forwarded-For: 1.2.3.4
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Content-Length: 178
Connection: keep-alive

utf8=%E2%9C%93&amp;authenticity_token=kflcZfoGoig%2ByR6U0x3Rw%2BO6qbjpRlUVGIBK0gZmWWQ%3D&amp;user%5Bemail%5D=steve&amp;user%5Bpassword%5D=mycoolpass&amp;user%5Bremember_me%5D=0&amp;commit=Go

nathe · Answer

Just out of interest, are you certain this irule works? The HTTP:: host command doesn't have CLIENT_ACCEPTED as a valid event. What about if u use HTTP_REQUEST??

tsoi_94459 · Answer

Thx @nathan. Typo in my example, I am actually doing that in a HTTP_REQUEST block... on another note. I can't seem to edit my post -- "Uncaught Sys.WebForms.PageRequestManagerParserErrorException: Sys.WebForms.PageRequestManagerParserErrorException: The message received from the server could not be parsed. Common causes for this error are when the response is modified by calls to Response.Write(), response filters, HttpModules, or server trace is enabled."

nathe · Answer

Thanks for clarifying. Does a tcpdump on the bigip offer any useful info?

tsoi_94459 · Answer

Great idea, Nathan. Looks like we lose the POST data between the last F5 virtual server and the pool member.

The traffic goes to vs_parent_somesite_443 (where the rule above lives) -&gt; vs_child_somesite -&gt; pool member

....../Common/vs_parent_somesite_443

18:41:00.710491 IP 1.2.3.4.47813 &gt; 3.4.5.6.http: P 0:945(945) ack 1 win 4380  in slot1/tmm1 lis=/Common/vs_child_somesite
....E...Z.@...b.
 .=...j...P...5Yi`U...........
$..&amp;$..&amp;POST /signin HTTP/1.1
Host: somesite.myawesomedomain.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://somesite.myawesomedomain.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://somesite.myawesomedomain.com/signin
Accept-Language: en-US,en;q=0.8
Cookie: _session=s1092tyahglskghado1i2
X-Forwarded-For: 1.2.3.4

b2
utf8=%E2%9C%93&amp;authenticity_token=kflcZfoGoig%2ByR6U0x3Rw%2BO6qbjpRlUVGIBK0gZmWWQ%3D&amp;user%5Bemail%5D=steve&amp;user%5Bpassword%5D=mycoolpass&amp;user%5Bremember_me%5D=0&amp;commit=Go

......./Common/vs_child_somesite
18:41:00.710914 IP myexternalip.somesite.com.47813 &gt; a-pool-member-ip.http: P 2845897884:2845898674(790) ack 1803219730 win 4380  out slot1/tmm1 lis=/Common/vs_child_somesite
....E..JZ.@....y
...
......P....kz......0......
$..&amp;..q.POST /signin HTTP/1.1
Host: somesite.myawesomedomain.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://somesite.myawesomedomain.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://somesite.myawesomedomain.com/signin
Accept-Language: en-US,en;q=0.8
Cookie: _session=s1092tyahglskghado1i2
X-Forwarded-For: 1.2.3.4
X-Forwarded-For: 1.2.3.4

......./Common/vs_child_somesite

amit_karnik · Answer

Can you do a specific conditional check of the host header value against the vlaue you want to use, for e.g.&nbsp;
if { [HTTP::host] equals "the exact string" } {
log something
}&nbsp;
Test it with a value which is not working. If this conditional is not met when it should, then the Host header value might be URL encoded. So try decoding the URL and do the if test again.&nbsp;

Forum Discussion

Missing POST Parameters

9 Replies

Recent Discussions

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Related Content

The Case of the Missing F5 AMI : F5 BIG-IP AMI Lifecycle Events

Brute Force protection for single parameter like OTP

server_name extension missing from Client Hello

Net Trunk API Status Field Missing

Wildcard Parameter signature attack