ltm profile http
ltm profile http(1) BIG-IP TMSH Manual ltm profile http(1)
NAME
http - Configures an HTTP profile.
MODULE
ltm profile
SYNTAX
Configure the http component within the ltm profile module using the syntax shown in the following sections.
CREATE/MODIFY
create http [name]
modify http [name]
options:
accept-xff [disabled | enabled]
app-service [[string] | none]
basic-auth-realm [ ["string"] | none]
defaults-from [ [name] | none]
description [string]
encrypt-cookie-secret [none | [passphrase] ]
encrypt-cookies
[add | delete | replace-all-with] {
[cookie] ...
}
encrypt-cookies none
enforcement {
options:
rfc-compliance [disabled | enabled]
allow-ws-header-name [disabled | enabled]
excess-client-headers [disabled | enabled]
excess-server-headers [disabled | enabled]
max-header-size [integer]
max-header-count [integer]
max-requests [integer]
oversize-client-headers [disabled | enabled]
oversize-server-headers [disabled | enabled]
pipeline [allow | pass-through | reject]
truncated-redirects [disabled | enabled]
unknown-method [allow | pass-through | reject]
known-methods
[add | delete | replace-all-with] {
[HTTP method] ...
}
}
fallback-host [ [hostname] | none]
fallback-status-codes
[add | delete | replace-all-with] {
[fallback status code]...
}
fallback-status-codes none
header-erase [none | [string] ]
header-insert [none | [string] ]
insert-xforwarded-for [disabled | enabled]
lws-separator [none | string ]
lws-width [integer]
oneconnect-transformations [disabled | enabled]
oneconnect-status-reuse ["string"]
proxy-type [reverse | explicit | transparent]
redirect-rewrite [all | matching | nodes | none]
request-chunking [rechunk | sustain ]
response-chunking [rechunk | sustain | unchunk]
response-headers-permitted
[add | delete | replace-all-with] {
[response header] ...
}
response-headers-permitted none
server-agent-name [string]
explicit-proxy {
options:
enabled [no | yes]
dns-resolver [dns-resolver]
ipv6 [no | yes]
tunnel-name [tunnel]
route-domain [route-domain]
default-connect-handling [deny | allow]
tunnel-on-any-request [no | yes]
connect-error-message ["string"]
dns-error-message ["string"]
bad-request-message ["string"]
bad-response-message ["string"]
}
sflow {
options:
poll-interval [integer]
poll-interval-global [no | yes]
sampling-rate [integer]
sampling-rate-global [no | yes]
}
via-host-name [string]
via-request [append | preserve | remove]
via-response [append | preserve | remove]
xff-alternative-names
[add | delete | replace-all-with] {
[xff alternative name] ...
}
hsts {
options:
mode [enabled | disabled]
maximum-age [integer]
include-subdomains [enabled | disabled]
preload [enabled | disabled]
}
edit http [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
mv http [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
options:
to-folder
reset-stats http
reset-stats http [ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list http
list http [ [ [name] | [glob] | [regex] ] ... ]
show running-config http
show running-config http [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show http
show http [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
global
DELETE
delete http [name]
DESCRIPTION
You can use the http component to create, modify, display, or delete an HTTP profile.
The BIG-IP(r) system installation includes the following default HTTP-type profiles:
http
The default HTTP profile contains values for properties related to managing HTTP traffic.
You can create a new HTTP-type profile using an existing profile as a parent profile, and then you can change the values of
the properties to suit your needs.
EXAMPLES
create http my_http_profile defaults-from http
Creates a custom HTTP profile named my_http_profile that inherits its settings from the system default HTTP profile.
mv http /Common/my_http_profile to-folder /Common/my_folder
Moves a custom HTTP profile named my_http_profile to a folder named my_folder, where my_folder has already been created and
exists within /Common.
Please refer to the mv manual page for examples on how to use the mv command.
OPTIONS
accept-xff
Enables or disables trusting the client IP address, and statistics from the client IP address, based on the request's
XFF (X-forwarded-for) headers, if they exist.
app-service
Specifies the name of the application service to which the profile belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
profile. Only the application service can modify or delete the profile.
basic-auth-realm
Specifies a quoted string for the basic authentication realm. The system sends this string to a client whenever
authorization fails. The default value is none.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values
from the parent profile specified. The default value is http.
description
User defined description.
encrypt-cookie-secret
Specifies a passphrase for the cookie encryption. The default value is none.
encrypt-cookies
Specifies to encrypt specific cookies that the BIG-IP system sends to a client system. The default value is none.
enforcement
Specifies protocol enforcement options for the HTTP profile:
rfc-compliance
Specifies the behavior when non-rfc compliant traffic is seen. The default is disabled which ignores rfc non-
compliance.
excess-client-headers
Specifies the pass-through behavior when max-header-count is exceeded by the client. The default is disabled
which rejects the connection.
excess-server-headers
Specifies the pass-through behavior when max-header-count is exceeded by the server. The default is disabled
which rejects the connection.
unknown-method
Specifies the behavior when an unknown method is seen. The default is allow which allows all methods, (known or
unknown).
known-methods
Specifies the HTTP methods known by the HTTP filter. Combine with the unknown-method field to control behavior
when unusual methods are parsed.
max-header-size
Specifies the maximum header size. The default value is 32768.
max-header-count
Specifies the maximum number of headers in HTTP request or response that will be handled. If client or server
sends request or response with the number of headers greater then specified, the connection will be dropped. The
default value is 64.
max-requests
Specifies the number of requests that the system accepts on a per-connection basis. The default value is 0
(zero), which means the system does not limit the number of requests per connection.
oversize-client-headers
Specifies the pass-through behavior when max-header-size is exceeded by the client. The default is disabled which
rejects the connection.
oversize-server-headers
Specifies the pass-through behavior when max-header-size is exceeded by the server. The default is disabled which
rejects the connection.
pipeline
Enables or disables HTTP/1.1 pipelining. If pass-through is chosen, then the HTTP filter will switch to pass
through mode (and be disabled) if pipelined data is seen. The default value is allow, which means that clients
can make requests even when prior requests have not received a response. In order for this to succeed, however,
destination servers must include support for pipelining.
to-folder
http profiles can be moved to any folder under /Common, but configuration dependencies may restrict moving the
profile out of /Common.
truncated-redirects
Specifies the pass-through behavior when a redirect lacking the trailing carriage-return and line feed pair at
the end of the headers is parsed. The default is disabled, which will silently drop the invalid HTTP.
unknown-method
Specifies the behavior (allow, reject, or pass-through) when an unknown HTTP method is parsed. The default is to
allow unknown methods.
fallback-host
Specifies an HTTP fallback host. The default value is none.
With HTTP redirection, you can redirect HTTP traffic to another protocol identifier, host name, port number, or URI
path. For example, if all members of a targeted pool are unavailable (that is, the members are disabled, marked as
down, or have exceeded their connection limit), the system can redirect the HTTP request to the fallback host, with
the HTTP reply Status Code 302 Found.
fallback-status-codes
Specifies one or more three-digit status codes that can be returned by an HTTP server. The default value is none.
glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
header-erase
Specifies the header string that you want to erase from an HTTP request. The default value is none.
header-insert
Specifies a quoted header string that you want to insert into an HTTP request. The default value is none.
The HTTP header being inserted can include a client IP address. Including a client IP address in an HTTP header is
useful when a connection goes through a secure network address translation (SNAT) and you need to preserve the
original client IP address. When you assign the configured HTTP profile to a virtual server, the system then inserts
the header specified by the profile into any HTTP request that the system sends to a pool or pool member.
insert-xforwarded-for
Enables or disables insertion of an X-Forwarded-For header. The default value is disabled.
When using connection pooling, which allows clients to make use of other client requests' server connections, you can
insert the X-Forwarded-For header and specify a client IP address.
lws-separator
Specifies the linear white space separator that the system uses between HTTP headers when a header exceeds the maximum
width specified in the lws-width option. The valid value should be none, or, any combination of cr(carriage return),
lf(line feed), or sp(space). The default value is none.
lws-width
Specifies the maximum number of columns that a header that is inserted into an HTTP request can have. The default
value is 80.
name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.
oneconnect-transformations
Specifies whether the system performs HTTP header transformations for the purpose of keeping server-side connections
open. The default value is enabled. This feature requires configuration of a OneConnect(tm) profile.
oneconnect-status-reuse
Specifies the 2xx and 4xx HTTP status codes that permit a server-side connection to be reused by OneConnect. The
default value is "200 206". This feature requires configuration of a OneConnect(tm) profile.
partition
Displays the partition within which the component resides.
redirect-rewrite
Specifies which of the application HTTP redirects the system rewrites to HTTPS. The options are:
all Specifies to rewrite all application redirects to HTTPS.
matching
Specifies to rewrite to HTTPS only application redirects that match the original URI exactly.
nodes
If the URI contains a node IP address, instead of a host name, specifies that the system rewrites the node IP
address to the virtual server IP address.
none Specifies that the system does not rewrite to HTTPS any application HTTP redirects. This is the default value.
Use this feature when an application is generating HTTP redirects that send the client to HTTP (a non-secure channel)
when you want the client to continue accessing the application using HTTPS (a secure channel). This is a common
occurrence when using client SSL processing on a BIG-IP system.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
expression syntax.
request-chunking
Specifies how to handle chunked and unchunked requests. The default value is sustain. The options are described under
response-chunking.
response-chunking
Specifies how to handle chunked and unchunked responses. The default value is sustain. The options are:
unchunk
If the response is chunked, this option unchunks the response, processes the HTTP content, and passes the
response on as unchunked. The Keep-Alive value for the Connection header is not supported, and therefore the
system sets the value of the header to close.
If the response is unchunked, the LTM system processes the HTTP content and passes the response on untouched.
rechunk
If the request or response is chunked, the system unchunks the request or response, processes the HTTP content,
re-adds the chunk trailer headers, and then passes on the request or response as chunked. Any chunk extensions
are lost.
If the request or response is unchunked, the system adds transfer encoding and chunking headers on egress.
sustain
Preserve request or response chunking unless there is a command to modify the body. If the request or response is
chunked: unchunk the HTTP content, process the data, re-add chunking headers on egress. Chunk extensions will be
lost. When the response is chunked, it can be rechunked on egress to the client.
response-headers-permitted
Specifies headers that the BIG-IP system allows in an HTTP response. The default value is none.
explicit-proxy
Specifies explicit settings for the HTTP profile:
enabled
Specifies whether the explicit proxy service is enabled or disabled. The default it is no.
dns-resolver
Specifies the dns-resolver object that will be used to resolve hostnames in proxy requests. The default is dns-
resolver.
ipv6 Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. The default is no, which will try a IPv4
lookup before a IPv6.
tunnel-name
Specifies the tunnel that will be used for outbound proxy requests. This enables other virtual servers to receive
connections initiated by the proxy service. The default is http-tunnel.
route-domain
Specifies the route-domain that will be used for outbound proxy requests. The default is 0.
default-connect-handling
Specifies the behavior of the proxy service for CONNECT requests. If set to deny, CONNECT requests will only be
honored if there is another virtual server listening for the requested outbound connection. If set to allow
outbound connections will be made regardless of other virtual servers. The default is deny.
tunnel-on-any-request
Specifies that the tunnel will be used for non-CONNECT requests. If set to yes, virtual servers listening on a
tunnel will be able to receive any requests and default-connect-handling option effect will be extended to all
outbound proxy requests. The default is no.
host-names
Specifies the which host names are to be treated as local. Proxy requests made for those hosts will be treated as
regular HTTP requests and will be sent to the configured default pool.
connect-error-message
Specifies the error message that will be returned to the browser when a proxy request can't be completed because
of a failure to establish the outbound connection.
dns-error-message
Specifies the error message that will be returned to the browser when a proxy request can't be completed because
of a failure to resolve the hostname in the request.
bad-request-message
Specifies the error message that will be returned to the browser when a proxy request can't be completed because
the request was malformed.
bad-response-message
Specifies the error message that will be returned to the browser when a proxy request can't be completed because
the response was malformed.
sflow
Specifies sFlow settings for the HTTP profile:
poll-interval
Specifies the maximum interval in seconds between two pollings. The default value is 0. To enable this setting,
you must also set the poll-interval-global setting to no.
poll-interval-global
Specifies whether the global HTTP poll-interval setting, which is available under sys sflow global-settings
module, overrides the object-level poll-interval setting. The default value is yes.
The available values are:
no Specifies to use the object-level poll-interval setting.
yes Specifies to use the global HTTP poll-interval setting.
sampling-rate
Specifies the ratio of packets observed to the samples generated. For example, a sampling rate of 2000 specifies
that 1 sample will be randomly generated for every 2000 packets observed. The default value is 0. To enable this
setting, you must also set the sampling-rate-global setting to no.
sampling-rate-global
Specifies whether the global HTTP sampling-rate setting, which is available under sys sflow global-settings
module, overrides the object-level sampling-rate setting. The default value is yes.
The available values are:
no Specifies to use the object-level sampling-rate setting.
yes Specifies to use the global HTTP sampling-rate setting.
via-host-name
Specifies the hostname that will be used in the Via: HTTP header. See via-request and via-response for how the Via:
header will be handled. If either via-request or via-response are set to append, then this is required.
via-request
Specifies how you want to process Via: HTTP header in requests sent to OWS. The default setting is remove. The
available values are:
append
The value from via-host-name is appended to the Via: HTTP header.
preserve
Via: HTTP header is preserved without changes.
remove
Via: HTTP header is removed from the request.
via-response
Specifies how you want to process Via: HTTP header in responses sent to clients. The default setting is remove. The
available values are the same as in via-request.
server-agent-name
Specifies the string used as the server name in traffic generated by LTM. The default value is BigIP.
alternative-xff-names
Specifies alternative XFF headers instead of the default X-forwarded-for header.
hsts Specifies HSTS settings for the HTTP profile:
mode Specifies if the HSTS settings are enabled or disabled. The default is disabled.
maximum-age
Specifies the maximum age to be sent in the HSTS header. The default is 16070400.
include-subdomains
Specifies if the includeSubdomains directive is sent in the HSTS header. The default is enabled.
preload
Specifies if the preload directive is sent in the HSTS header. The default is disabled.
SEE ALSO
create, delete, edit, glob, list, ltm profile fasthttp, ltm virtual, modify, mv, regex, reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.
BIG-IP 2020-11-16 ltm profile http(1)