ltm profile http
ltm profile http(1) BIG-IP TMSH Manual ltm profile http(1)
NAME
http - Configures an HTTP profile.
MODULE
ltm profile
SYNTAX
Configure the http component within the ltm profile module using the syntax shown in the following sections.
CREATE/MODIFY
create http [name]
modify http [name]
options:
accept-xff [disabled | enabled]
app-service [[string] | none]
basic-auth-realm [ ["string"] | none]
defaults-from [ [name] | none]
description [string]
encrypt-cookie-secret [none | [passphrase] ]
encrypt-cookies
[add | delete | replace-all-with] {
[cookie] ...
}
encrypt-cookies none
enforcement {
options:
rfc-compliance [disabled | enabled]
excess-client-headers [disabled | enabled]
excess-server-headers [disabled | enabled]
max-header-size [integer]
max-header-count [integer]
max-requests [integer]
oversize-client-headers [disabled | enabled]
oversize-server-headers [disabled | enabled]
pipeline [allow | pass-through | reject]
truncated-redirects [disabled | enabled]
unknown-method [allow | pass-through | reject]
known-methods
[add | delete | replace-all-with] {
[HTTP method] ...
}
}
fallback-host [ [hostname] | none]
fallback-status-codes
[add | delete | replace-all-with] {
[fallback status code]...
}
fallback-status-codes none
header-erase [none | [string] ]
header-insert [none | [string] ]
insert-xforwarded-for [disabled | enabled]
lws-separator [none | string ]
lws-width [integer]
oneconnect-transformations [disabled | enabled]
oneconnect-status-reuse ["string"]
proxy-type [reverse | explicit | transparent]
redirect-rewrite [all | matching | nodes | none]
request-chunking [rechunk | sustain ]
response-chunking [rechunk | sustain | unchunk]
response-headers-permitted
[add | delete | replace-all-with] {
[response header] ...
}
response-headers-permitted none
server-agent-name [string]
explicit-proxy {
options:
enabled [no | yes]
dns-resolver [dns-resolver]
ipv6 [no | yes]
tunnel-name [tunnel]
route-domain [route-domain]
default-connect-handling [deny | allow]
tunnel-on-any-request [no | yes]
connect-error-message ["string"]
dns-error-message ["string"]
bad-request-message ["string"]
bad-response-message ["string"]
}
sflow {
options:
poll-interval [integer]
poll-interval-global [no | yes]
sampling-rate [integer]
sampling-rate-global [no | yes]
}
via-host-name [string]
via-request [append | preserve | remove]
via-response [append | preserve | remove]
xff-alternative-names
[add | delete | replace-all-with] {
[xff alternative name] ...
}
hsts {
options:
mode [enabled | disabled]
maximum-age [integer]
include-subdomains [enabled | disabled]
preload [enabled | disabled]
}
edit http [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
mv http [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
options:
to-folder
reset-stats http
reset-stats http [ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list http
list http [ [ [name] | [glob] | [regex] ] ... ]
show running-config http
show running-config http [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show http
show http [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
global
DELETE
delete http [name]
DESCRIPTION
You can use the http component to create, modify, display, or delete an HTTP profile.
The BIG-IP(r) system installation includes the following default HTTP-type profiles:
http
The default HTTP profile contains values for properties related to managing HTTP traffic.
You can create a new HTTP-type profile using an existing profile as a parent profile, and then you can change
the values of the properties to suit your needs.
EXAMPLES
create http my_http_profile defaults-from http
Creates a custom HTTP profile named my_http_profile that inherits its settings from the system default HTTP
profile.
mv http /Common/my_http_profile to-folder /Common/my_folder
Moves a custom HTTP profile named my_http_profile to a folder named my_folder, where my_folder has already
been created and exists within /Common.
Please refer to the mv manual page for examples on how to use the mv command.
OPTIONS
accept-xff
Enables or disables trusting the client IP address, and statistics from the client IP address, based on
the request's XFF (X-forwarded-for) headers, if they exist.
app-service
Specifies the name of the application service to which the profile belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the profile. Only the application service can modify or delete the profile.
basic-auth-realm
Specifies a quoted string for the basic authentication realm. The system sends this string to a client
whenever authorization fails. The default value is none.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings
and values from the parent profile specified. The default value is http.
description
User-defined description.
encrypt-cookie-secret
Specifies a passphrase for the cookie encryption. The default value is none.
encrypt-cookies
Specifies to encrypt specific cookies that the BIG-IP system sends to a client system. The default value
is none.
enforcement
Specifies protocol enforcement options for the HTTP profile:
rfc-compliance
Specifies the behavior when traffic that is not RFC-compliant is seen. The default is disabled, which
ignores RFC non-compliance.
excess-client-headers
Specifies the pass-through behavior when max-header-count is exceeded by the client. The default is
disabled, which rejects the connection.
excess-server-headers
Specifies the pass-through behavior when max-header-count is exceeded by the server. The default is
disabled, which rejects the connection.
unknown-method
Specifies the behavior when an unknown method is seen. The default is allow, which allows all
methods (known or unknown).
known-methods
Specifies the HTTP methods known by the HTTP filter. Combine with the unknown-method field to
control behavior when unusual methods are parsed.
max-header-size
Specifies the maximum header size. The default value is 32768.
max-header-count
Specifies the maximum number of headers in an HTTP request or response that will be handled. If a client
or server sends a request or response with more headers than the specified number, the
connection will be dropped. The default value is 64.
max-requests
Specifies the number of requests that the system accepts on a per-connection basis. The default
value is 0 (zero), which means the system does not limit the number of requests per connection.
oversize-client-headers
Specifies the pass-through behavior when max-header-size is exceeded by the client. The default is
disabled, which rejects the connection.
oversize-server-headers
Specifies the pass-through behavior when max-header-size is exceeded by the server. The default is
disabled, which rejects the connection.
pipeline
Enables or disables HTTP/1.1 pipelining. If pass-through is chosen, then the HTTP filter will switch
to pass through mode (and be disabled) if pipelined data is seen. The default value is allow, which
means that clients can make requests even when prior requests have not received a response. In order
for this to succeed, however, destination servers must include support for pipelining.
to-folder
HTTP profiles can be moved to any folder under /Common, but configuration dependencies may restrict
moving the profile out of /Common.
truncated-redirects
Specifies the pass-through behavior when a redirect lacking the trailing carriage-return and line
feed pair at the end of the headers is parsed. The default is disabled, which will silently drop the
invalid HTTP.
unknown-method
Specifies the behavior (allow, reject, or pass-through) when an unknown HTTP method is parsed. The
default is to allow unknown methods.
fallback-host
Specifies an HTTP fallback host. The default value is none.
With HTTP redirection, you can redirect HTTP traffic to another protocol identifier, host name, port
number, or URI path. For example, if all members of a targeted pool are unavailable (that is, the members
are disabled, marked as down, or have exceeded their connection limit), the system can redirect the HTTP
request to the fallback host, with the HTTP reply Status Code 302 Found.
fallback-status-codes
Specifies one or more three-digit status codes that can be returned by an HTTP server. The default value
is none.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
header-erase
Specifies the header string that you want to erase from an HTTP request. The default value is none.
header-insert
Specifies a quoted header string that you want to insert into an HTTP request. The default value is none.
The HTTP header being inserted can include a client IP address. Including a client IP address in an HTTP
header is useful when a connection goes through a secure network address translation (SNAT) and you need
to preserve the original client IP address. When you assign the configured HTTP profile to a virtual
server, the system then inserts the header specified by the profile into any HTTP request that the system
sends to a pool or pool member.
insert-xforwarded-for
Enables or disables insertion of an X-Forwarded-For header. The default value is disabled.
When using connection pooling, which allows clients to make use of other client requests' server
connections, you can insert the X-Forwarded-For header and specify a client IP address.
lws-separator
Specifies the linear white space separator that the system uses between HTTP headers when a header
exceeds the maximum width specified in the lws-width option. Valid values are none, or any
combination of cr (carriage return), lf (line feed), or sp (space). The default value is none.
lws-width
Specifies the maximum number of columns that a header that is inserted into an HTTP request can have. The
default value is 80.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
oneconnect-transformations
Specifies whether the system performs HTTP header transformations for the purpose of keeping server-side
connections open. The default value is enabled. This feature requires configuration of a OneConnect(tm)
profile.
oneconnect-status-reuse
Specifies the 2xx and 4xx HTTP status codes that permit a server-side connection to be reused by
OneConnect. The default value is "200 206". This feature requires configuration of a OneConnect(tm)
profile.
partition
Displays the partition within which the component resides.
redirect-rewrite
Specifies which of the application HTTP redirects the system rewrites to HTTPS. The options are:
all Specifies to rewrite all application redirects to HTTPS.
matching
Specifies to rewrite to HTTPS only application redirects that match the original URI exactly.
nodes
If the URI contains a node IP address, instead of a host name, specifies that the system rewrites
the node IP address to the virtual server IP address.
none Specifies that the system does not rewrite to HTTPS any application HTTP redirects. This is the
default value.
Use this feature when an application is generating HTTP redirects that send the client to HTTP (a
non-secure channel) when you want the client to continue accessing the application using HTTPS (a secure
channel). This is a common occurrence when using client SSL processing on a BIG-IP system.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
request-chunking
Specifies how to handle chunked and unchunked requests. The default value is sustain. The options are
described under response-chunking.
response-chunking
Specifies how to handle chunked and unchunked responses. The default value is sustain. The options are:
unchunk
If the response is chunked, this option unchunks the response, processes the HTTP content, and
passes the response on as unchunked. The Keep-Alive value for the Connection header is not
supported, and therefore the system sets the value of the header to close.
If the response is unchunked, the LTM system processes the HTTP content and passes the response on
untouched.
rechunk
If the request or response is chunked, the system unchunks the request or response, processes the
HTTP content, re-adds the chunk trailer headers, and then passes on the request or response as
chunked. Any chunk extensions are lost.
If the request or response is unchunked, the system adds transfer encoding and chunking headers on
egress.
sustain
Preserve request or response chunking unless there is a command to modify the body. If the request
or response is chunked: unchunk the HTTP content, process the data, re-add chunking headers on
egress. Chunk extensions will be lost. When the response is chunked, it can be rechunked on egress
to the client.
response-headers-permitted
Specifies headers that the BIG-IP system allows in an HTTP response. The default value is none.
explicit-proxy
Specifies explicit settings for the HTTP profile:
enabled
Specifies whether the explicit proxy service is enabled or disabled. The default is no.
dns-resolver
Specifies the dns-resolver object that will be used to resolve hostnames in proxy requests. The
default is dns-resolver.
ipv6 Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. The default is no, which
will try an IPv4 lookup before an IPv6 lookup.
tunnel-name
Specifies the tunnel that will be used for outbound proxy requests. This enables other virtual
servers to receive connections initiated by the proxy service. The default is http-tunnel.
route-domain
Specifies the route-domain that will be used for outbound proxy requests. The default is 0.
default-connect-handling
Specifies the behavior of the proxy service for CONNECT requests. If set to deny, CONNECT requests
will only be honored if there is another virtual server listening for the requested outbound
connection. If set to allow, outbound connections will be made regardless of other virtual servers.
The default is deny.
tunnel-on-any-request
Specifies that the tunnel will be used for non-CONNECT requests. If set to yes, virtual servers
listening on a tunnel will be able to receive any requests, and the effect of the
default-connect-handling option will be extended to all outbound proxy requests. The default is no.
host-names
Specifies which host names are to be treated as local. Proxy requests made for those hosts will
be treated as regular HTTP requests and will be sent to the configured default pool.
connect-error-message
Specifies the error message that will be returned to the browser when a proxy request can't be
completed because of a failure to establish the outbound connection.
dns-error-message
Specifies the error message that will be returned to the browser when a proxy request can't be
completed because of a failure to resolve the hostname in the request.
bad-request-message
Specifies the error message that will be returned to the browser when a proxy request can't be
completed because the request was malformed.
bad-response-message
Specifies the error message that will be returned to the browser when a proxy request can't be
completed because the response was malformed.
sflow
Specifies sFlow settings for the HTTP profile:
poll-interval
Specifies the maximum interval in seconds between two pollings. The default value is 0. To enable
this setting, you must also set the poll-interval-global setting to no.
poll-interval-global
Specifies whether the global HTTP poll-interval setting, which is available under sys sflow
global-settings module, overrides the object-level poll-interval setting. The default value is yes.
The available values are:
no Specifies to use the object-level poll-interval setting.
yes Specifies to use the global HTTP poll-interval setting.
sampling-rate
Specifies the ratio of packets observed to the samples generated. For example, a sampling rate of
2000 specifies that 1 sample will be randomly generated for every 2000 packets observed. The default
value is 0. To enable this setting, you must also set the sampling-rate-global setting to no.
sampling-rate-global
Specifies whether the global HTTP sampling-rate setting, which is available under sys sflow
global-settings module, overrides the object-level sampling-rate setting. The default value is yes.
The available values are:
no Specifies to use the object-level sampling-rate setting.
yes Specifies to use the global HTTP sampling-rate setting.
via-host-name
Specifies the hostname that will be used in the Via: HTTP header. See via-request and via-response for
how the Via: header will be handled. If either via-request or via-response is set to append, then this
is required.
via-request
Specifies how you want to process the Via: HTTP header in requests sent to the origin web server (OWS).
The default setting is remove. The available values are:
append
The value from via-host-name is appended to the Via: HTTP header.
preserve
Via: HTTP header is preserved without changes.
remove
Via: HTTP header is removed from the request.
via-response
Specifies how you want to process the Via: HTTP header in responses sent to clients. The default setting is
remove. The available values are the same as in via-request.
server-agent-name
Specifies the string used as the server name in traffic generated by LTM. The default value is BigIP.
xff-alternative-names
Specifies alternative XFF headers instead of the default X-forwarded-for header.
hsts Specifies HSTS settings for the HTTP profile:
mode Specifies if the HSTS settings are enabled or disabled. The default is disabled.
maximum-age
Specifies the maximum age to be sent in the HSTS header. The default is 16070400.
include-subdomains
Specifies if the includeSubdomains directive is sent in the HSTS header. The default is enabled.
preload
Specifies if the preload directive is sent in the HSTS header. The default is disabled.
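An audit of these options, as an added example that is not part of the F5 manual: the Python below flags permissive values in a profile listing, using the option names and behaviors described above. The sample listing is constructed, its brace-nested layout is an assumption about what list http all-properties prints, and the names parse_profile, audit and RULES are illustrative.

```python
# Constructed sample; the brace-nested layout is an assumption about tmsh list output.
SAMPLE = """\
ltm profile http my_http_profile {
    accept-xff enabled
    enforcement {
        excess-client-headers enabled
        max-header-count 64
        rfc-compliance disabled
        unknown-method allow
    }
    explicit-proxy {
        default-connect-handling allow
        enabled yes
    }
    hsts {
        mode disabled
    }
}
"""

# (dotted option, value worth reviewing, reason paraphrased from the option text)
RULES = [
    ("accept-xff", "enabled", "client IP is trusted from the request's XFF header"),
    ("enforcement.rfc-compliance", "disabled", "RFC non-compliance is ignored"),
    ("enforcement.unknown-method", "allow", "unknown HTTP methods are allowed"),
    ("enforcement.excess-client-headers", "enabled", "pass-through past max-header-count"),
    ("enforcement.oversize-client-headers", "enabled", "pass-through past max-header-size"),
    ("explicit-proxy.default-connect-handling", "allow", "CONNECT honored regardless of listeners"),
    ("hsts.mode", "disabled", "no HSTS header is sent"),
]

def parse_profile(text):
    """Flatten nested blocks into dotted keys such as 'enforcement.unknown-method'."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # enter "enforcement {" and similar blocks
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            settings[".".join(stack[1:] + [key])] = value.strip()  # stack[0] is the header
    return settings

def audit(text):
    """Return (option, reason) pairs; explicit-proxy rules apply only when the proxy is enabled."""
    cfg = parse_profile(text)
    proxy_on = cfg.get("explicit-proxy.enabled") == "yes"
    return [(key, why) for key, risky, why in RULES
            if cfg.get(key) == risky and (proxy_on or not key.startswith("explicit-proxy."))]

if __name__ == "__main__":
    print("\n".join(f"REVIEW {k}: {w}" for k, w in audit(SAMPLE)))
```

Run it against all-properties output, since a listing that omits default values would hide options left at allow or disabled.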
SEE ALSO
create, delete, edit, glob, list, ltm profile fasthttp, ltm virtual, modify, mv, regex, reset-stats, show,
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.
BIG-IP 2020-01-28 ltm profile http(1)