ltm profile http
ltm profile http(1) BIG-IP TMSH Manual ltm profile http(1)
NAME
http - Configures an HTTP profile.
MODULE
ltm profile
SYNTAX
Configure the http component within the ltm profile module using the
syntax shown in the following sections.
CREATE/MODIFY
create http [name]
modify http [name]
options:
accept-xff [disabled | enabled]
app-service [[string] | none]
basic-auth-realm [ ["string"] | none]
defaults-from [ [name] | none]
description [string]
encrypt-cookie-secret [none | [passphrase] ]
encrypt-cookies
[add | delete | replace-all-with] {
[cookie] ...
}
encrypt-cookies none
enforcement {
options:
excess-client-headers [disabled | enabled]
excess-server-headers [disabled | enabled]
max-header-size [integer]
max-header-count [integer]
max-requests [integer]
oversize-client-headers [disabled | enabled]
oversize-server-headers [disabled | enabled]
pipeline [allow | pass-through | reject]
truncated-redirects [disabled | enabled]
unknown-method [allow | pass-through | reject]
known-methods
[add | delete | replace-all-with] {
[HTTP method] ...
}
}
fallback-host [ [hostname] | none]
fallback-status-codes
[add | delete | replace-all-with] {
[fallback status code]...
}
fallback-status-codes none
header-erase [none | [string] ]
header-insert [none | [string] ]
insert-xforwarded-for [disabled | enabled]
lws-separator [none | string ]
lws-width [integer]
oneconnect-transformations [disabled | enabled]
oneconnect-status-reuse ["string"]
proxy-type [reverse | explicit | transparent]
redirect-rewrite [all | matching | nodes | none]
request-chunking [rechunk | sustain ]
response-chunking [rechunk | sustain | unchunk]
response-headers-permitted
[add | delete | replace-all-with] {
[response header] ...
}
response-headers-permitted none
server-agent-name [string]
explicit-proxy {
options:
enabled [no | yes]
dns-resolver [dns-resolver]
ipv6 [no | yes]
tunnel-name [tunnel]
route-domain [route-domain]
default-connect-handling [deny | allow]
connect-error-message ["string"]
dns-error-message ["string"]
bad-request-message ["string"]
bad-response-message ["string"]
}
sflow {
options:
poll-interval [integer]
poll-interval-global [no | yes]
sampling-rate [integer]
sampling-rate-global [no | yes]
}
via-host-name [string]
via-request [append | preserve | remove]
via-response [append | preserve | remove]
xff-alternative-names
[add | delete | replace-all-with] {
[xff alternative name] ...
}
hsts {
options:
mode [enabled | disabled]
maximum-age [integer]
include-subdomains [enabled | disabled]
preload [enabled | disabled]
}
edit http [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
mv http [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
options:
to-folder
reset-stats http
reset-stats http [ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list http
list http [ [ [name] | [glob] | [regex] ] ... ]
show running-config http
show running-config http [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show http
show http [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
global
DELETE
delete http [name]
DESCRIPTION
You can use the http component to create, modify, display, or delete an
HTTP profile.
The BIG-IP(r) system installation includes the following default HTTP-
type profiles:
http
The default HTTP profile contains values for properties related to
managing HTTP traffic.
You can create a new HTTP-type profile using an existing profile as a
parent profile, and then you can change the values of the properties to
suit your needs.
EXAMPLES
create http my_http_profile defaults-from http
Creates a custom HTTP profile named my_http_profile that inherits its
settings from the system default HTTP profile.
mv http /Common/my_http_profile to-folder /Common/my_folder
Moves a custom HTTP profile named my_http_profile to a folder named
my_folder, where my_folder has already been created and exists within
/Common.
Please refer to the mv manual page for examples on how to use the mv
command.
OPTIONS
accept-xff
Enables or disables trusting the client IP address, and statistics
from the client IP address, based on the request's XFF
(X-forwarded-for) headers, if they exist.
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
basic-auth-realm
Specifies a quoted string for the basic authentication realm. The
system sends this string to a client whenever authorization fails.
The default value is none.
defaults-from
Specifies the profile that you want to use as the parent profile.
Your new profile inherits all settings and values from the parent
profile specified. The default value is http.
description
User defined description.
encrypt-cookie-secret
Specifies a passphrase for the cookie encryption. The default
value is none.
encrypt-cookies
Specifies to encrypt specific cookies that the BIG-IP system sends
to a client system. The default value is none.
enforcement
Specifies protocol enforcement options for the HTTP profile:
excess-client-headers
Specifies the pass-through behavior when max-header-count is
exceeded by the client. The default is disabled which rejects
the connection.
excess-server-headers
Specifies the pass-through behavior when max-header-count is
exceeded by the server. The default is disabled which rejects
the connection.
unknown-method
Specifies the behavior when an unknown method is seen. The
default is allow, which allows all methods (known or
unknown).
known-methods
Specifies the HTTP methods known by the HTTP filter. Combine
with the unknown-method field to control behavior when
unusual methods are parsed.
max-header-size
Specifies the maximum header size. The default value is
32768.
max-header-count
Specifies the maximum number of headers in HTTP request or
response that will be handled. If client or server sends
request or response with the number of headers greater than
specified, the connection will be dropped. The default value
is 64.
max-requests
Specifies the number of requests that the system accepts on a
per-connection basis. The default value is 0 (zero), which
means the system does not limit the number of requests per
connection.
oversize-client-headers
Specifies the pass-through behavior when max-header-size is
exceeded by the client. The default is disabled which rejects
the connection.
oversize-server-headers
Specifies the pass-through behavior when max-header-size is
exceeded by the server. The default is disabled which rejects
the connection.
pipeline
Enables or disables HTTP/1.1 pipelining. If pass-through is
chosen, then the HTTP filter will switch to pass through mode
(and be disabled) if pipelined data is seen. The default
value is allow, which means that clients can make requests
even when prior requests have not received a response. In
order for this to succeed, however, destination servers must
include support for pipelining.
to-folder
http profiles can be moved to any folder under /Common, but
configuration dependencies may restrict moving the profile
out of /Common.
truncated-redirects
Specifies the pass-through behavior when a redirect lacking
the trailing carriage-return and line feed pair at the end of
the headers is parsed. The default is disabled, which will
silently drop the invalid HTTP.
unknown-method
Specifies the behavior (allow, reject, or pass-through) when
an unknown HTTP method is parsed. The default is to allow
unknown methods.
fallback-host
Specifies an HTTP fallback host. The default value is none.
With HTTP redirection, you can redirect HTTP traffic to another
protocol identifier, host name, port number, or URI path. For
example, if all members of a targeted pool are unavailable (that
is, the members are disabled, marked as down, or have exceeded
their connection limit), the system can redirect the HTTP request
to the fallback host, with the HTTP reply Status Code 302 Found.
fallback-status-codes
Specifies one or more three-digit status codes that can be
returned by an HTTP server. The default value is none.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
header-erase
Specifies the header string that you want to erase from an HTTP
request. The default value is none.
header-insert
Specifies a quoted header string that you want to insert into an
HTTP request. The default value is none.
The HTTP header being inserted can include a client IP address.
Including a client IP address in an HTTP header is useful when a
connection goes through a secure network address translation
(SNAT) and you need to preserve the original client IP address.
When you assign the configured HTTP profile to a virtual server,
the system then inserts the header specified by the profile into
any HTTP request that the system sends to a pool or pool member.
insert-xforwarded-for
Enables or disables insertion of an X-Forwarded-For header. The
default value is disabled.
When using connection pooling, which allows clients to make use of
other client requests' server connections, you can insert the
X-Forwarded-For header and specify a client IP address.
lws-separator
Specifies the linear white space separator that the system uses
between HTTP headers when a header exceeds the maximum width
specified in the lws-width option. The valid value is none, or
any combination of cr (carriage return), lf (line feed), or
sp (space). The default value is none.
lws-width
Specifies the maximum number of columns that a header that is
inserted into an HTTP request can have. The default value is 80.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
oneconnect-transformations
Specifies whether the system performs HTTP header transformations
for the purpose of keeping server-side connections open. The
default value is enabled. This feature requires configuration of a
OneConnect(tm) profile.
oneconnect-status-reuse
Specifies the 2xx and 4xx HTTP status codes that permit a server-
side connection to be reused by OneConnect. The default value is
"200 206". This feature requires configuration of a OneConnect(tm)
profile.
partition
Displays the partition within which the component resides.
redirect-rewrite
Specifies which of the application HTTP redirects the system
rewrites to HTTPS. The options are:
all Specifies to rewrite all application redirects to HTTPS.
matching
Specifies to rewrite to HTTPS only application redirects that
match the original URI exactly.
nodes
If the URI contains a node IP address, instead of a host
name, specifies that the system rewrites the node IP address
to the virtual server IP address.
none Specifies that the system does not rewrite to HTTPS any
application HTTP redirects. This is the default value.
Use this feature when an application is generating HTTP redirects
that send the client to HTTP (a non-secure channel) when you want
the client to continue accessing the application using HTTPS (a
secure channel). This is a common occurrence when using client SSL
processing on a BIG-IP system.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
request-chunking
Specifies how to handle chunked and unchunked requests. The
default value is sustain. The options are described under
response-chunking.
response-chunking
Specifies how to handle chunked and unchunked responses. The
default value is sustain. The options are:
unchunk
If the response is chunked, this option unchunks the
response, processes the HTTP content, and passes the response
on as unchunked. The Keep-Alive value for the Connection
header is not supported, and therefore the system sets the
value of the header to close.
If the response is unchunked, the LTM system processes the
HTTP content and passes the response on untouched.
rechunk
If the request or response is chunked, the system unchunks
the request or response, processes the HTTP content, re-adds
the chunk trailer headers, and then passes on the request or
response as chunked. Any chunk extensions are lost.
If the request or response is unchunked, the system adds
transfer encoding and chunking headers on egress.
sustain
Preserve request or response chunking unless there is a
command to modify the body. If the request or response is
chunked: unchunk the HTTP content, process the data, re-add
chunking headers on egress. Chunk extensions will be lost.
When the response is chunked, it can be rechunked on egress
to the client.
response-headers-permitted
Specifies headers that the BIG-IP system allows in an HTTP
response. The default value is none.
explicit-proxy
Specifies explicit settings for the HTTP profile:
enabled
Specifies whether the explicit proxy service is enabled or
disabled. The default is no.
dns-resolver
Specifies the dns-resolver object that will be used to
resolve hostnames in proxy requests. The default is dns-
resolver.
ipv6 Specifies the relative order of IPv4 and IPv6 DNS resolutions
for URIs. The default is no, which will try an IPv4 lookup
before an IPv6.
tunnel-name
Specifies the tunnel that will be used for outbound proxy
requests. This enables other virtual servers to receive
connections initiated by the proxy service. The default is
http-tunnel.
route-domain
Specifies the route-domain that will be used for outbound
proxy requests. The default is 0.
default-connect-handling
Specifies the behavior of the proxy service for CONNECT
requests. If set to deny, CONNECT requests will only be
honored if there is another virtual server listening for the
requested outbound connection. If set to allow, outbound
connections will be made regardless of other virtual servers.
The default is deny.
host-names
Specifies which host names are to be treated as local.
Proxy requests made for those hosts will be treated as
regular HTTP requests and will be sent to the configured
default pool.
connect-error-message
Specifies the error message that will be returned to the
browser when a proxy request can't be completed because of a
failure to establish the outbound connection.
dns-error-message
Specifies the error message that will be returned to the
browser when a proxy request can't be completed because of a
failure to resolve the hostname in the request.
bad-request-message
Specifies the error message that will be returned to the
browser when a proxy request can't be completed because the
request was malformed.
bad-response-message
Specifies the error message that will be returned to the
browser when a proxy request can't be completed because the
response was malformed.
sflow
Specifies sFlow settings for the HTTP profile:
poll-interval
Specifies the maximum interval in seconds between two
pollings. The default value is 0. To enable this setting, you
must also set the poll-interval-global setting to no.
poll-interval-global
Specifies whether the global HTTP poll-interval setting,
which is available under sys sflow global-settings module,
overrides the object-level poll-interval setting. The default
value is yes.
The available values are:
no Specifies to use the object-level poll-interval setting.
yes Specifies to use the global HTTP poll-interval setting.
sampling-rate
Specifies the ratio of packets observed to the samples
generated. For example, a sampling rate of 2000 specifies
that 1 sample will be randomly generated for every 2000
packets observed. The default value is 0. To enable this
setting, you must also set the sampling-rate-global setting
to no.
sampling-rate-global
Specifies whether the global HTTP sampling-rate setting,
which is available under sys sflow global-settings module,
overrides the object-level sampling-rate setting. The default
value is yes.
The available values are:
no Specifies to use the object-level sampling-rate setting.
yes Specifies to use the global HTTP sampling-rate setting.
via-host-name
Specifies the hostname that will be used in the Via: HTTP header.
See via-request and via-response for how the Via: header will be
handled. If either via-request or via-response are set to append,
then this is required.
via-request
Specifies how you want to process Via: HTTP header in requests
sent to OWS. The default setting is remove. The available values
are:
append
The value from via-host-name is appended to the Via: HTTP
header.
preserve
Via: HTTP header is preserved without changes.
remove
Via: HTTP header is removed from the request.
via-response
Specifies how you want to process Via: HTTP header in responses
sent to clients. The default setting is remove. The available
values are the same as in via-request.
server-agent-name
Specifies the string used as the server name in traffic generated
by LTM. The default value is BigIP.
xff-alternative-names
Specifies alternative XFF headers instead of the default
X-forwarded-for header.
hsts Specifies HSTS settings for the HTTP profile:
mode Specifies if the HSTS settings are enabled or disabled. The
default is disabled.
maximum-age
Specifies the maximum age to be sent in the HSTS header. The
default is 16070400.
include-subdomains
Specifies if the includeSubdomains directive is sent in the
HSTS header. The default is enabled.
preload
Specifies if the preload directive is sent in the HSTS
header. The default is disabled.
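An added example, not part of the F5 manual: a Python check that reads one profile stanza, as printed by list http [name] all-properties, and reports values of the options described above that a reviewer would want justified. The sample stanza is constructed, its brace-nested layout is an assumption, and the rule list is an illustrative selection rather than F5 guidance.

```python
# Constructed sample in the stanza layout printed by
# `list ltm profile http <name> all-properties` (not from a real device).
SAMPLE = """\
ltm profile http my_http_profile {
    accept-xff enabled
    defaults-from http
    enforcement {
        oversize-client-headers enabled
        pipeline allow
        unknown-method allow
    }
    hsts {
        maximum-age 16070400
        mode disabled
    }
    server-agent-name BigIP
}
"""

# (dotted option path, value to flag, why a reviewer should look at it)
RULES = [
    ("accept-xff", "enabled", "client-supplied XFF is trusted as the client IP"),
    ("enforcement.unknown-method", "allow", "unknown HTTP methods are allowed"),
    ("enforcement.oversize-client-headers", "enabled", "oversize headers pass through"),
    ("enforcement.excess-client-headers", "enabled", "excess headers pass through"),
    ("explicit-proxy.default-connect-handling", "allow", "CONNECT made regardless of other virtual servers"),
    ("hsts.mode", "disabled", "no HSTS header is sent"),
    ("server-agent-name", "BigIP", "default product name in LTM-generated traffic"),
]


def parse_stanza(text):
    """Flatten brace-nested 'key value' lines into {dotted.path: value}."""
    flat, path = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())      # open a (sub)section
        elif line == "}":
            path.pop()                          # close it
        elif line:
            key, _, value = line.partition(" ")
            flat[".".join(path[1:] + [key])] = value.strip()
    return flat


def audit(text):
    """Return (option, value, reason) for every rule the profile matches."""
    flat = parse_stanza(text)
    return [(k, v, why) for k, v, why in RULES if flat.get(k) == v]


if __name__ == "__main__":
    for option, value, why in audit(SAMPLE):
        print(f"{option} = {value}: {why}")
```

Options missing from the input are not reported, so feed it all-properties output to make inherited values visible.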
SEE ALSO
create, delete, edit, glob, list, ltm profile fasthttp, ltm virtual,
modify, mv, regex, reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.
BIG-IP 2018-03-27 ltm profile http(1)