STREAM::enable

Description¶

Enables the stream filter for the life of the current TCP flow or until disabled with STREAM::disable. You must precede this command with a STREAM::expression command. The virtual server must have a Stream Profile attached (the default Stream Profile

/Common/stream

is sufficient).

Syntax¶

STREAM::enable

STREAM::enable¶

Enables the stream filter for the life of the current TCP flow or until disabled with STREAM::disable. You must precede this command with a STREAM::expression command.

Configuration requirements:
1. The virtual server must have a Stream Profile attached. The default
Stream Profile

/Common/stream

is sufficient.
2. (The following restriction is completely obsolete.) For TMOS
version 9.4.0 and all previous (older) versions, you must force BIG-IP
to use chunking and therefore remove the response content length
header. This can be done by applying a custom HTTP profile to the
virtual server with Response Chunking set to “Rechunk”. (See
SOL6422
for details.)
3. The stream profile can have different states (enabled vs disabled)
on each side of the connection. Calling STREAM::enable in HTTP_REQUEST
will apply the stream profile to the client-side for HTTP requests
coming in towards the server. Calling STREAM::enable in HTTP_RESPONSE
will apply the stream profile on the server-side for HTTP responses
going out towards the client.

Version Specific Notes¶

LTM 9.2 - 9.2.4	The Stream filter uses TCL to parse and replace data. TCL has a 4Mb limit for a single allocation or connection. When this limit is exceeded, TMM will crash. See AskF5 SOL6741 (CR55382 and CR70146) for details and a workaround. This issue was resolved in 9.2.5, 9.3 and 9.4+
LTM 9.3.1+, 9.4.2+	STREAM::enable must be called after STREAM::expression. See CR79374

Examples¶

See the STREAM::expression page for additional examples.

To check HTTP responses with a Content-Type that contains text, and replace http:// with https://:

when HTTP_REQUEST {

   # Explicitly disable the stream profile for each client-side request so it doesn't stay
   #   enabled for subsequent HTTP requests on the same TCP connection.
   STREAM::disable
}
when HTTP_RESPONSE {
   # Explicitly disable the stream profile for each server-side response so it doesn't stay
   #   enabled for subsequent HTTP responses on the same TCP connection.
STREAM::disable

   # Apply stream profile against text responses from the application
   if { [HTTP::header value Content-Type] contains "text" }{

      # Look for http:// and replace it with https://
      STREAM::expression {@http://@https://@}

      # Enable the stream profile
      STREAM::enable
   }
}
# This section only logs matches, and should be removed before using the rule in production.
when STREAM_MATCHED {
   log local0. "Matched: [STREAM::match]"
}

If you only want to replace some http:// links with https://, you can specify a more complex regular expression in the ‘find’ portion of the STREAM::expression. For example, to match all http:// links except http://schemas.microsoft.com/intellisense/ie5, you can use a negative look behind in the regex:

http:(?!//schemas\.microsoft\.com/intellisense/ie5)

Related Information¶

Valid Events:

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code:

Credit Card Scrubber Using a Stream Profile - This iRule illustrates how to scrub out Credit Card Numbers from HTTP traffic using a STREAM profile.
Data Leakage Protection - Scrub sensitive data from application responses
Gomez Injection - Auto injection of Gomez Networks Actual XF client side Javascript.
Gomez Injection With Group Id - Auto injection of Gomez Networks Actual XF client side Javascript.
Gomez Injection With Page Id - The following iRule will utilize the Stream profile to auto-inject the required client side Gomez Networks performance measurement JavaScript code
HTML comment scrubber using a stream profile - Removes HTML comments from server responses
HTTPS offload rewriting - Rewrite an HTTP web application’s self references from http:// to https://
Parse username from HTTP requests - Parse the username from HTTP requests in the basic auth header and POST data
ProxyPass (for LTM v9 only) - iRule to replace the functionality of Apache Webserver ProxyPass and ProxyPassReverse functions
ProxyPass Lite - This iRule implements a limited subset of the full ProxyPassV10 iRule:
ProxyPass v10/v11 - iRule (for LTM v10/v11) to replace the functionality of Apache Webserver ProxyPass and ProxyPassReverse functions allowing for a different server and client view of your web application(s).
Redirect Trapper - iRule to trap server redirect response, follow the redirect on the BIG-IP and return the followed response to the client as a result of original request
Uri version mapping - This rule implements a stripped down set of functionality of the ProxyPass …
Javascript Insert v10+ - This is irule that was slightly altered together to insert Javascript code …

Introduced: BIGIP-9.2.0

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.