I am experiencing a somewhat odd situation. I created an HTTP profile and setup a name value pair in the Request Header Insert (SSL_ENV:On). When I debug in Fiddler to see if the header is inserted, I don't see anything which is really strange. So I went the iRule route and tried to test if the header was set and if it wasn't set it to On: when HTTP_REQUEST { set myhost [HTTP::host] set myuri [HTTP::uri] if { ![HTTP::header "SSL_ENV"] equals "On" } { HTTP::header insert SSL_ENV On log local0. "HEADER HTTPVS: [HTTP::header "SSL_ENV"]" } else { if { $myuri starts_with "/API" } { log local0. "URL: $myuri going to non_ssl pool" pool pool_one_80 } else { HTTP::redirect "https://$myhost$myuri" } } } It throws a strange error on the ![HTTP::header [undefined procedure: !HTTP::header] [!HTTP::header "SSL_ON"] I thought inserting a header would be really straight forward and easy, but somehow I am missing something. Thoughts? BTW: I created the same rule in SSL and HTTP to check if the header didn't exist and then create it. Still no dice.

Hi Wes, Try modifying this one line to seperate the functions: FROM: if { ![HTTP::header "SSL_ENV"] equals "On" } { TO: if { !([HTTP::header "SSL_ENV"] equals "On") } { This will allow the Header value to be found and its value determined first, then does the not compare. Hope this helps.

When I debug in Fiddler to see if the header is inserted, I don't see anything which is really strange. It's not so strange as it might look. Besides to syntax error in the iRule (see comment of Michael Yates), Fiddler is the wrong place to look for the header. Fiddler runs on the client and the iRule inserts the HTTP Request header only into requests to the backend servers. So there is no chance to see those modifications in Fiddler at the client. As soon as your iRule works, you could add the following log statement to show the whole request, including any headers: log local0. "[HTTP::request]" Simply put that at the end of HTTP_REQUEST. Regards Kurt Knochner

That makes total sense then regarding the HEADER debugging, and the code change above. The strange thing is the variable doesn't seem to remain static once set. I wonder if I have to do both on the HTTP_RESPONSE as well as REQUEST.

The strange thing is the variable doesn't seem to remain static once set. That's true, as this is just a HTTP request header. That's not "persistent" like a cookie. I wonder if I have to do both on the HTTP_RESPONSE as well as REQUEST. Why would you want to do that? The client (a browser) will not take care about any special HTTP header, even if you set it in HTTP_RESPONSE, unless you have javascript or activex code running in the browser that checks that header. In general you are inserting a certain HTTP request header to add some information to a request. This additional information will be used by the backend application to perform additional operations if that information is present. Based on the name of your header I assume you want to tell the backend application if the original request has been encrypted or not. This will have a meaning for the backend application but not for the client. Hope that helps. Regards Kurt Knochner

Make sense, yes the header is telling the backend servers to maintain a secure session, we recently moved to F5 from a different vendor and it would appear that the header variable (ASP server variable) may be displayed differently. The team is checking using something like the following: if Request.ServerVariables("SSL_ENV")="On" then When I dump the REQUEST in the iRule I see the following: SSL_ENV: On It appears F5 is appending the variable with a :, but if I check the value on the F5 in an iRule (e.g., if it exists), the boolean will return true if I specify variable = "On", but the code doesn't see that. Not sure if the : is the culprit or what. Regarding the RESPONSE yes you are correct, there is no client side work going on, this is all on the backend for each request that comes through.

Header Inserts | DevCentral

20 Replies

Wes_98712
Nimbostratus
Nov 09, 2011
Kurt, we switched from Barracuda. Here's an update.

I ended up using the http profile header insert and noticed a few interesting things when we debugged the ASP server variables. When we dump the ASP server variables we actually see that somehow HTTP_ is prepended before the header so it looks like HTTP_SSL_ENV, the RAW dump actually shows the exact name. Which is interesting, however, what is really strange is that both the HTTP header dump and the RAW dump show the value of the header, but when we loop through the variables:

for each x in Request.ServerVariables response.write(x & "*" & Request.ServerVariables(x) & "* ") next

the actual value doesn't display for SSL_ENV, it shows up as:

HTTP: HTTP_SSL_ENV:On *

RAW: HTTP_SSL_ENV:On *

But when we loop through the headers the output of the SSL_ENV is:

HTTP_SSL_ENV**

Some how it's not getting the value of the header.
Wes_98712
Nimbostratus
Nov 09, 2011
More on this, it seems as though the Request.ServerVariables isn't pulling the value of the SSL_ENV header. The RAW output shows it, but not the actual Request.ServerVariables(x). I don't believe this is an F5 issue, I did validate that I set the header insert correctly in the profile (SSL_ENV: On). Stumped!
Wes_98712
Nimbostratus
Nov 09, 2011
Another update, after a lot of testing we discovered something odd about the way F5 is inserting the header value

If we use an iRule (HTTP::header insert SSL_ENV On) or if we set the Request Header Insert in the http profile (SSL_ENV: On) either way F5 can see the header and reports that the value is set to On, but the server can't see the value:

if Request.ServerVariables("HTTP_SSL_ENV")="On" then response.write("WES Pass: " & Request.ServerVariables("HTTP_SSL_ENV") & " ") else response.write("WES Fail: " & Request.ServerVariables("HTTP_SSL_ENV:") & " ") end if

The output is always Wes Fail: (kind of ironic). But the ltm logs show the following if I capture the header value in the ltm log:

when HTTP_REQUEST { if { [HTTP::header "HTTP_SSL_ENV"] equals "On" } { log local0. "HEADER HTTPS is: [HTTP::header "HTTP_SSL_ENV"]" } }

Results:

Nov 9 15:29:36 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

Nov 9 15:30:06 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

Nov 9 15:30:46 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

Nov 9 15:30:46 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

Nov 9 15:31:38 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

Nov 9 15:31:38 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

So now I'm kind of stuck wondering why ASP can't read the value in the header using the ServerRequest function, but yet in RAW output or ALL_HTTP it can. Do I need to do something different with the header insert on the F5?
Wes_98712
Nimbostratus
Nov 09, 2011
And another interesting development. If the variable has an _ in it, for whatever reason ASP doesn't detect the value. The F5 inserts it in the header as best as I can tell, but the ASP Request.ServerVariable doesn't pick up the value. This is really odd. I don't know if this is a bug with the way F5 inserts headers or if it's an ASP issue.
nitass
Employee
Nov 10, 2011
i am not familiar with asp. anyway, would you mind trying this asp code?

Viewing all Server Variables for a Site

http://weblogs.asp.net/owscott/archive/2010/03/09/viewing-all-server-variables-for-a-site.aspx
Wes_98712
Nimbostratus
Nov 10, 2011
If I set it as a String and dump the output it works, which tells me what, it appears to be an encoding issue and not F5. Curious as to why it worked before with a different appliance. But whatever. ;-)
Kurt_Knochner_5
Cirrus
Nov 11, 2011

when HTTP_REQUEST { if { [HTTP::header "HTTP_SSL_ENV"] equals "On" } { log local0. "HEADER HTTPS is: [HTTP::header "HTTP_SSL_ENV"]" } }

Maybe I'm a bit confused now, but why are you looking for the header "HTTP_SSL_ENV" in the iRule?

The log statements tells me that the HTTP header "HTTP_SSL_ENV" was set, not "SSL_ENV" (see iRule above)!

Nov 9 15:29:36 tmm info tmm[7845]: Rule /Common/test_irule : HEADER HTTPS is: On

However, you should set the HTTP header to "SSL_ENV" in the iRule (or profile) on the F5, not "HTTP_SSL_ENV"!. ASP is just using a kind of translation machanism to view the HTTP headers as "variables". They do so by adding HTTP_ in front of the real HTTP header name.

So, on the F5 please add the header "SSL_ENV" and in your ASP code look for the variable "HTTP_SSL_ENV". Is this what you tried and still did not see the header value in your ASP code?

BTW: What do you mean by "If I set it as a String and dump the output it works"? Where do you set "it" as a string?

Regards

Kurt Knochner
Wes_98712
Nimbostratus
Nov 11, 2011
Kurt,

I tried that, no dice. If I set it to SSL_ENV it doesn't pick it up, in ASP code, but SSLENV does work. In fact I initially thought the issue was with the _ character because if I set the header to SSL it worked fine, SSL_ENV doesn't work but SSLENV does work. I understand the difference on the prepended HTTP_, but this is something beyond that.

What I mean by string is, in ASPX if I set the server variable as a String variable not varchar or int etc. it displays the entire string HTTP_SSL_ENV, if I simply Dim the variable and reference it, it doesn't display the value. I am not sure if this is an F5 issue or an ASP encoding issue at this point.
Michael_Yates
Nimbostratus
Nov 11, 2011
Hi Wes,

Take a look at these articles. I believe they may help you narrow down your issue. Especially the first article.

The problem should be clear now. The CGI 1.1 Specification defines a substitution of "-" in Request Header to "_" in Server Varible names, but what is the substitution of "_" in Request Headers in Server Variable???

HOWTO: Retrieve Request Headers using ISAPI, ASP, and ASP.Net

The WWW Common Gateway Interface Version 1.1

Hope these help.
Kurt_Knochner_5
Cirrus
Nov 11, 2011
HOWTO: Retrieve Request Headers using ISAPI, ASP, and ASP.Net

Good hint Michael!

Within the article they say:

"Notice that HTTP_ syntax only retrieves the header name with dashes, while HEADER_ syntax retrieves both headers with dashes and underscores individually"

"With ASP.Net, the Headers collection is the only way to get all the header values. HTTP_ prefix only retrieves the header name with dashes, as expected"

Wes, based on that information you should either stick with your solution (SSLENV), or

a.) add the header SSL-ENV on F5. Then you can retrieve the value with "HTTP_SSL-ENV" or "HEADER_SSL-ENV" in ASP code

b.) add the header SSL_ENV on F5. Then you can retrieve the value with "HEADER_SSL_ENV" in ASP code

more or less :-)

Regards

Kurt Knochner

Forum Discussion

Header Inserts

20 Replies

Recent Discussions

F5 APM / Connection to Provider via explicit proxy

When POST request access policy is used, it is not forwarded to the server behind.

gtm_add failing due to CERT error

ASM-legitimate traffic

Glycogen Control Australia Is Right For You See Here

Related Content

Security Headers Insertion

C3D and header insert

iRule Header Insert

iRule header insert

Insert Basic Auth Header