F5BigHttpSetting

The F5BigHttpSetting CR provides many options to fine-tune how Traffic Management Microkernel (TMM) handles HTTP connections. Once configured and installed, the F5BigHttpSetting CR can be referenced by one of the CNF CRs listed in the Additional CRs section below.

This document guides you through understanding, configuring, and installing an F5BigHttpSetting CR.

CR parameters

The following table describes the CR spec parameters:

Parameter Description
basicAuthRealm Specifies a quoted string for the basic authentication realm. The system sends this string to a client whenever authorization fails.
oneConnect Specifies that the system performs HTTP header transformations to keep connections open when this parameter is enabled. The default for this parameter is 'disabled'.
Note: This setting is applicable only when a OneConnect pool is configured.
oneConnectStatusReuse Specifies a quoted string for the OneConnect status reuse.
headerInsert Specifies a quoted header string that the user wants to insert into an HTTP request. The value 'None' can also be specified.
headerErase Specifies the header string that you want to erase from an HTTP request. The value 'None' can also be specified.
fallbackHost Specifies an HTTP fallback host; HTTP redirection allows the user to redirect HTTP traffic to another protocol identifier such as host name, port number, or URI path.
fallbackStatusCodes Specifies one or more three-digit status codes that can be returned by an HTTP server.
responseHeadersPermitted Specifies headers that the BIG-IP system allows in an HTTP response.
encryptCookies Encrypts specified cookies that the BIG-IP system sends to a client system.
encryptCookieSecret Specifies a passphrase for the cookie encryption.
responseChunking Specifies how to handle chunked and unchunked responses.
requestChunking Specifies how to handle chunked and unchunked requests.
lwsMaxColumn Specifies the maximum number of columns allowed for a header that is inserted into an HTTP request.
lwsSeparator Specifies the linear white space separator that the system should use between HTTP headers when a header exceeds the maximum width specified by the lws width setting.
redirectRewrite Specifies which of the application HTTP redirects the system rewrites to HTTPS.
maxHeaderSize Specifies the maximum header size.
maxRequests Specifies the number of requests that the system accepts on a per-condition basis.
maxHeaderCount Specifies the maximum number of headers allowed in HTTP request/response.
pipelining Specifies the pipelining in HTTP streams.
truncatedRedirects Specifies what happens if a truncated redirect is seen from a server. If this parameter is enabled, the redirect will be forwarded to the client. Otherwise, the malformed HTTP will be silently ignored.
insertXforwardedFor When using connection pooling, which allows clients to make use of other client requests' server-side connections, the user can insert the X-Forwarded-For header and specify a client IP address.
adaptiveParsing Specifies adaptive parsing of HTTP.
proxyType Specifies the type of HTTP proxy.
passthroughOversizeClientHeaders Specifies the behavior when too-large client headers are received. If enabled, will switch to Pass Through mode instead of rejecting the connection.
passthroughExcessClientHeaders Specifies the behavior when too many client headers are received. If enabled, will switch to Pass Through mode instead of rejecting the connection.
passthroughOversizeServerHeaders Specifies the behavior when too-large server headers are received. If enabled, will switch to Pass Through mode instead of rejecting the connection.
passthroughExcessServerHeaders Specifies the behavior when too many server headers are received. If enabled, will switch to Pass Through mode instead of rejecting the connection.
passthroughPipeline Enables or disables HTTP/1.1 pipelining. If Pass Through is selected, then the HTTP filter will switch to pass through mode and will be disabled if pipelined data is seen. The default value is Allow, which means that clients can make requests even when prior requests have not received a response. In order for this to succeed, however, destination servers must include support for pipelining.
passthroughUnknownMethod Specifies whether to allow, reject or switch to Pass Through mode when an unknown HTTP method is parsed.
knownMethods Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list will cause the HTTP filter to not recognize them.
sendProxyViaHeaderInRequest Specifies whether to append, remove, or preserve a Via header in an HTTP request.
sendProxyViaHeaderInResponse Specifies whether to append, remove, or preserve a Via header in an HTTP response.
sendProxyViaHeaderHostName Specifies the hostname to include in the Via header.
acceptXff Enables or disables trusting the client IP address, and statistics from the client IP address, based on the request's XFF (X-Forwarded-For) headers, if they exist.
xffAlternativeNames Specifies alternative XFF headers instead of the default X-Forwarded-For header.
serverAgentName Specifies the value of the Server header in responses that the BIG-IP itself generates.
fwdpDnsResolver Specifies the DNS resolver object that will be used to resolve hostnames in proxy requests.
fwdpRouteDomain Specifies the route-domain that will be used for outbound proxy requests.
fwdpTunnelName Specifies the tunnel that will be used for outbound proxy requests. This parameter enables other virtual servers to receive connections initiated by the proxy service.
fwdpConnectAllowed Specifies the behavior of the proxy service for CONNECT requests.
fwdpIpv6 Specifies that the system attempts to resolve URIs as IPv6 addresses before trying IPv4.
fwdpHostnames Specifies which host names are to be treated as local. Proxy requests made for those hosts will be treated as regular HTTP requests and will be sent to the configured default pool.
hstsMode Specifies whether to include the HSTS response header.
hstsMaximumAge Specifies the maximum age to assume the connection should remain secure.
hstsIncludeSubdomains Specifies whether to include the includeSubdomains directive in the HSTS header.
hstsPreload Specifies whether to include the preload directive in the HSTS header.
fwdpConnectErrorMsg Specifies the error message that will be returned to the browser when a proxy request cannot be completed because of a failure to establish the outbound connection.
fwdpDnsErrorMsg Specifies the error message that will be returned to the browser when a proxy request cannot be completed because of a failure to resolve the hostname in the request.
fwdpBadRequestErrorMsg Specifies the error message that will be returned to the browser when a proxy request cannot be completed because the request was malformed.
fwdpBadResponseErrorMsg Specifies the error message that will be returned to the browser when a proxy request cannot be completed because the response was malformed.

CR Example

Following is an example F5BigHttpSetting CR:

apiVersion: k8s.f5net.com/v1
kind: F5BigHttpSetting
metadata:
  name: "cnf-http-profile"
  namespace: "cnf-gateway"
spec:
  lwsMaxColumn: 80
  maxHeaderSize: 32768
  hstsMaximumAge: 16070400

CR shortName

CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigHttpSetting CR shortName is httpset.

View CR instance:

oc get httpset -n <namespace>

View CR configuration:

oc get httpset -n <namespace> -o yaml

Default profile

After installing the BIG-IP Controller, a default F5BigHttpSetting CR is created in each new namespace. In this example, a default F5BigHttpSetting CR exists in the cnf-gateway namespace:

oc get f5-big-http-settings -n cnf-gateway
NAME         
sys-default-http 

Requirements

Ensure you have:

Installation

Following are the steps to install the F5BigHttpSetting CR:

  1. The example F5BigHttpSetting CR modifies the lwsMaxColumn, maxHeaderSize and hstsMaximumAge parameters. Copy and paste the following example to a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigHttpSetting
    metadata:
      name: "cnf-http-profile"
      namespace: "cnf-gateway"
    spec:
      lwsMaxColumn: 80
      maxHeaderSize: 32768
      hstsMaximumAge: 16070400
    
  2. Install the F5BigHttpSetting CR:

    oc apply -f cnf-http-cr.yaml
    
  3. Following is an example F5BigDnsApp CR with the HTTP profile:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dohapp"
      namespace: "cnf-gateway"
    spec:
      ipProtocol: "http2"
      dohProtocol: "udp"
      destination:
        ipv6Address: "2002::192:168:100:202"
        port: 443
      dns:
        dnsCache: "cnf-dnscache"
        dns64Mode: "secondary"
        dns64Prefix: "64:ff9b::"
        dns64AdditionalSectionRewrite: "v4-only"
      # Name of the F5BigHttpSetting CR installed in step 2
      httpSettings: "cnf-http-profile"
      pool:
        members:
          - address: "2002::10:10:10:100"
          - address: "2002::10:10:10:101"
    
  4. To install the F5BigDnsApp CR, run the following command:

    oc apply -f f5-cnf-dohapp.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5DnsApp", DnsApp cnf-gateway/cnf-dohapp was added/updated
    
  5. The TMM Proxy Pod can now process application traffic using the F5BigHttpSetting CR.

Additional CRs

The F5BigHttpSetting CR can be referenced by the F5BigDnsApp (High-performance DNS resolution, caching, and DNS64 translations) CR.
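Because the link between the two CRs is only a name string, a mistyped httpSettings value is easy to miss in review. The following added example (not part of the F5 documentation or tooling) audits CR objects in the JSON form that `oc get ... -o json` returns; the sample data is constructed, and the same-namespace lookup, the placement of httpSettings under spec, and the one-year hstsMaximumAge floor are assumptions.

```python
import json

# Constructed sample: CR objects in `oc get ... -o json` list form, using the
# names from this page plus one app with a mistyped reference and one with none.
SAMPLE = json.loads("""
{"items": [
 {"kind": "F5BigHttpSetting",
  "metadata": {"name": "cnf-http-profile", "namespace": "cnf-gateway"},
  "spec": {"lwsMaxColumn": 80, "maxHeaderSize": 32768, "hstsMaximumAge": 16070400}},
 {"kind": "F5BigDnsApp",
  "metadata": {"name": "cnf-dohapp", "namespace": "cnf-gateway"},
  "spec": {"httpSettings": "cnf-http-profile"}},
 {"kind": "F5BigDnsApp",
  "metadata": {"name": "typo-app", "namespace": "cnf-gateway"},
  "spec": {"httpSettings": "cnf-http-profil"}},
 {"kind": "F5BigDnsApp",
  "metadata": {"name": "bare-app", "namespace": "cnf-gateway"}, "spec": {}}
]}
""")

MIN_HSTS_AGE = 31536000  # assumed policy floor: one year, in seconds


def audit(items, min_hsts_age=MIN_HSTS_AGE):
    """Return {namespace/app: [findings]} for every F5BigDnsApp in items."""
    profiles = {(i["metadata"]["namespace"], i["metadata"]["name"]): i.get("spec") or {}
                for i in items if i["kind"] == "F5BigHttpSetting"}
    report = {}
    for app in (i for i in items if i["kind"] == "F5BigDnsApp"):
        ns, name = app["metadata"]["namespace"], app["metadata"]["name"]
        ref = (app.get("spec") or {}).get("httpSettings")
        findings = []
        if not ref:
            findings.append("no httpSettings reference")
        elif (ns, ref) not in profiles:
            # Assumption: the bare name resolves in the app's own namespace.
            findings.append(f"httpSettings '{ref}' not found in namespace {ns}")
        else:
            age = profiles[(ns, ref)].get("hstsMaximumAge")
            if age is not None and age < min_hsts_age:
                findings.append(f"'{ref}' hstsMaximumAge {age}s is below {min_hsts_age}s")
        report[f"{ns}/{name}"] = findings
    return report


if __name__ == "__main__":
    for app, findings in audit(SAMPLE["items"]).items():
        print(app, "->", findings or "ok")
```

The example value 16070400 seconds is 186 days, so it is reported under the assumed one-year floor; pass a different min_hsts_age to match local policy.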

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.