HTTP Header problem - iv-groups #1362

Closed
Scoi4101 opened this issue Jun 17, 2020 · 3 comments
Labels
help wanted service request service request opened untriaged no JIRA created

Scoi4101 commented Jun 17, 2020

Setup Details

CIS Version : 2.0
Build: f5networks/k8s-bigip-ctlr:2.0
BIGIP Version: Big-IP version v14.1.2.3
AS3 Version: 3.18
Agent Mode: AS3
Orchestration: OSCP
Orchestration Version: 4.3
Pool Mode: Cluster

Description

When using Edge termination, if the client request includes an HTTP header similar to the one below, the openshift_passthrough_irule has a TCL error and terminates the TCP connection. Removing this HTTP header allows the connection to pass.

HTTP Header iv-groups
'iv-groups: "s-abcd_1234","s-abcd_4567","s-efgh_1234","s-efgh_5678" '

This error is logged in /var/log/ltm when the connection is terminated:

Jun 16 16:26:19 slot2/ABC-OpenShift-LTM-1A err tmm1[11390]: 01220001:3: TCL error: /gp_1_nonprod_cis_AS3/Shared/openshift_passthrough_irule <CLIENTSSL_DATA> - list element in quotes followed by ","s-abcd_1234" instead of space while executing "lindex [SSL::payload] 1"

Steps To Reproduce

6 - Curl Using the iv-groups header - fails

curl -vik -H "accept-language: en-US,en;q=0.9" \
  -H "connection: Upgrade" \
  -H "host: blah.mydns.com" \
  -H 'iv-groups: "s-abcd_1234","s-abcd_4567","s-efgh_1234","s-efgh_5678" ' \
  -H "iv-user: ZABCD123" \
  --resolve blah.mydns.com:443:10.1.1.2 https://blah.mydns.com

7 - Curl NOT Using the iv-groups header - Works

curl -vik -H "accept-language: en-US,en;q=0.9" \
  -H "connection: Upgrade" \
  -H "host: blah.mydns.com" \
  -H "iv-user: ZABCD123" \
  --resolve blah.mydns.com:443:10.1.1.2 https://blah.mydns.com

Expected Result

We get a response

Actual Result

TCP connection is closed

Diagnostic Information

<Configuration files, error messages, logs>
Note: Sanitize the data. For example, be mindful of IPs, ports, application names and URLs
Note: The following F5 article outlines the information required when opening an issue.
https://support.f5.com/csp/article/K60974137

Observations (if any)

@Scoi4101 Scoi4101 added bug untriaged no JIRA created labels Jun 17, 2020
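
Added example, not part of the original issue and not code from F5 or the CIS project: the logged error is Tcl's list parser rejecting a string handed to `lindex`. The plain `tclsh` sketch below reproduces that with a constructed payload and shows one way to read the second token without list-parsing untrusted bytes. The `second_token` helper, and the assumption that the token wanted is on the first line, are hypothetical.

```tcl
# Constructed sample of decrypted request bytes; header value taken from the report.
set payload "GET /app HTTP/1.1\r\nhost: blah.mydns.com\r\n"
append payload "iv-groups: \"s-abcd_1234\",\"s-abcd_4567\" \r\n\r\n"

# Before: lindex first converts the whole string to a Tcl list. A quoted
# element must be followed by whitespace, so the comma after the closing
# quote raises an error even though only index 1 was requested.
if {[catch {lindex $payload 1} err]} {
    puts "raw lindex failed: $err"
}

# After (hypothetical helper): isolate the first line with string operations,
# then use split, which returns a well-formed list for any input bytes.
proc second_token {payload} {
    set eol [string first "\n" $payload]
    if {$eol >= 0} {
        set payload [string range $payload 0 [expr {$eol - 1}]]
    }
    return [lindex [split [string trim $payload] " "] 1]
}

puts "safe parse: [second_token $payload]"

# Quotes in the first line itself are handled the same way (constructed input).
set tricky "GET /\"a\",\"b\" HTTP/1.1\r\n"
puts "safe parse: [second_token $tricky]"
```

Unbalanced braces in client-supplied data trip the same implicit string-to-list conversion, so the same care applies to any list command (`lindex`, `llength`, `lrange`) run directly on request bytes.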
@cisbotctlr
Contributor

cisbot will assign the issue to one of the devs.
@devs, use /jira for internal tracking.

@mdditt2000
Contributor

SR Opened for this issue 1-6433914661

@mdditt2000 mdditt2000 added the service request service request opened label Jun 30, 2020
@mdditt2000
Contributor

Closing GitHub issue so there is no duplicate effort created. The SR will take a higher priority. F5 support requested to reproduce this issue and determine if it's the CIS iRule or TLS policy that is dropping the header.
