HTTP_Profile (object)

HTTP profile with configurable options

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | | | | |
| allowedResponseHeaders | array | | | By default AS3 passes HTTP headers in responses from pool members to clients unaltered. You may list names of allowed response headers here and AS3 removes any you do not list from responses. |
| class* | string | | “HTTP_Profile” | |
| cookiePassphrase | object | | | Used to create secret key for cookie encryption (when missing, AS3 uses a system-generated key). A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL |
| encryptCookies | array | | | List cookies to encrypt en-route to the client and decrypt en-route to a pool member |
| fallbackRedirect | string | | | Domain name (or IP address) of service (if any) to which AS3 should redirect a request when no pool member is responsive or selected pool member returns a fallbackStatusCode |
| fallbackStatusCodes | array | | | When a pool member responds to a request with one of these HTTP status codes (for example, 500), redirect the client to the fallbackRedirect |
| hstsIncludeSubdomains | boolean | true | true, false | If true then HSTS headers (see hstsInsert) will tell clients to apply HSTS settings to the hostnames of this service and all their possible subdomains. Warning: an incorrect value here can make multiple websites unreachable, not just this service |
| hstsInsert | boolean | false | true, false | If true, insert HSTS (HTTP Strict Transport Security) headers into responses sent to clients (default false). Warning: misconfiguration of HSTS can make a website unreachable |
| hstsPeriod | integer | 7862400 | 0 - 4294967295 | If hstsInsert is true, this value tells each client how long (in seconds; default 7862400 equals 91 days) to wait before refreshing HSTS settings for this service. Warning: once a client receives erroneous HSTS settings it will ignore any attempt to correct them until this period has expired |
| hstsPreload | boolean | false | true, false | If true, include the domain for the web site associated with this HTTP profile in the browser’s preload list. This forces the client to send packets over SSL/TLS. |
| insertHeader | object | | | You may insert one header into each request before AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy |
| knownMethods | array | “CONNECT” | | List of HTTP request methods AS3 should recognize as normal. Any method not in this list will provoke the ‘unknownMethodAction’ action |
| label | string | | “^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$” | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
| maxRequests | integer | 0 | 0 - 2147483647 | When AS3 has processed more than this number of requests through a connection, the system closes it. Default 0 means permit unlimited requests |
| multiplexTransformations | boolean | true | true, false | If true (default), AS3 adjusts request headers to work properly when the virtual server uses a Multiplex profile |
| otherXFF | array | | | Names of request headers to treat as equivalent to X-Forwarded-For (see trustXFF) |
| pipelineAction | string | “allow” | “allow”, “reject”, “pass-through” | Default ‘allow’ means clients may pipeline HTTP/1.1 requests to pool members which support pipelining. Otherwise, ‘reject’ prevents pipelining, and ‘pass-through’ causes the connection to switch to pass-through mode when the system detects pipelining |
| proxyConnectEnabled | boolean | false | true, false | Determines if a proxy connection profile will be created |
| proxyType | string | “reverse” | “reverse”, “transparent”, “explicit” | Default value ‘reverse’ is usually appropriate. You may use ‘transparent’ when virtual server will handle a mix of HTTP and non-HTTP traffic. You may use ‘explicit’ when clients will ask ADC to proxy connections to arbitrary remote services |
| remark | string | | “^[^\x00-\x1f\x22\x5c\x7f]*$” | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
| requestChunking | string | “preserve” | “selective”, “preserve”, “rechunk” | Controls handling of HTTP payload chunking in requests from clients (default is ‘preserve’). Note: ‘selective’ and ‘preserve’ will be translated to ‘sustain’ when TMOS version is 15.0 or newer |
| responseChunking | string | “selective” | “selective”, “preserve”, “unchunk”, “rechunk” | Controls handling of HTTP payload chunking in responses from pool members (default ‘selective’ adapts to most situations). Note: ‘selective’ and ‘preserve’ will be translated to ‘sustain’ when TMOS version is 15.0 or newer |
| rewriteRedirects | string | “none” | “none”, “all”, “matching”, “addresses” | In selected Location-header values (default none) of redirect responses from pool members, change protocol HTTP to HTTPS before passing redirects to clients |
| serverHeaderValue | string | “BigIP” | | Server header value to place in responses generated by the ADC itself (not obtained from a pool member) |
| trustXFF | boolean | false | true, false | If true, WAF (ASM) and AVR may trust X-Forwarded-For headers found in incoming requests and report statistics using client IP addresses appearing in them (default false). Use this feature only when you control upstream gateway(s) |
| unknownMethodAction | string | “allow” | “allow”, “reject”, “pass-through” | Default ‘allow’ means clients may make HTTP requests using unknown methods. Otherwise, ‘reject’ means to discard any unknown-method request and reject the client connection, and ‘pass-through’ causes the connection to switch to pass-through mode upon the first unknown-method request |
| viaHost | string | | | Hostname to place in Via header when viaRequest or viaResponse is ‘append’ |
| viaRequest | string | “remove” | “append”, “preserve”, “remove” | Controls treatment of Via: headers in requests from clients. When set to ‘append’ AS3 requires viaHost |
| viaResponse | string | “remove” | “append”, “preserve”, “remove” | Controls treatment of Via: headers in responses from pool members. When set to ‘append’ AS3 requires viaHost |
| webSocketMasking | string | “unmask” | “preserve”, “remask”, “selective”, “unmask” | Web-socket stream data is always masked from client to ADC and from ADC to server. Default value ‘unmask’ makes stream data passing through visible to ADC security policy and/or iRules attached to the service. ‘selective’ unmasks stream data only when a security policy is attached. ‘preserve’ passes data through masked (unreadable by security policy). ‘remask’ causes different masking keys to be used on client and server sides |
| webSocketsEnabled | boolean | false | true, false | When true, allow clients to initiate Web Socket connections (default false) |
| whiteOutHeader | string | | “^[^\x00-\x20\x22:\x5c\x7f-\xff]+$” | You may name one request header you want whited-out of each request before AS3 sends it to a pool member. To remove more than a single named header, use an iRule or an Endpoint policy. (Whiting-out a header leaves its name but replaces its value in the request with space characters (ASCII 0x20) to avoid changing the length of the headers.) |
| xForwardedFor | boolean | true | true, false | If true, insert an X-Forwarded-For header carrying the client IP address into each HTTP request sent to a pool member (default false) |

HTTP_Profile.cookiePassphrase (object)

Used to create secret key for cookie encryption (when missing, AS3 uses a system-generated key). A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | | | | |
| allowReuse | boolean | | true, false | If true, other declaration objects may reuse this value |
| reuseFrom | string | | | AS3 pointer to another JWE cryptogram in this declaration to copy |
| url | | | | URL from which secret should be fetched. Describes the URL to remote resource and optional parameters |

HTTP_Profile.insertHeader (object)

You may insert one header into each request before AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| name | string | | “^[^\x00-\x20\x22:\x5c\x7f-\xff]+$” | Name of the HTTP header to insert |
| value | string | | “^[^\x00-\x1f\x7f-\xff]*$” | May contain iRules TCL expression |

HTTP_Profile_Explicit (object)

Extra HTTP profile configurable options when proxyType is ‘explicit’

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | | | | |
| badRequestMessage | string | “<html><head><title>Bad Request</title></head><body><h2>Invalid proxy request</h2></body></html>” | | Message returned to client when proxy request is erroneous. May include iRules TCL expressions |
| badResponseMessage | string | “<html><head><title>Bad Response</title></head><body><h2>Proxy request provoked invalid response</h2></body></html>” | | Message returned to client when response to proxy request is erroneous. May include iRules TCL expressions |
| connectErrorMessage | string | “<html><head><title>Connection Error</title></head><body><h2>Unable to connect to host in proxy request</h2></body></html>” | | Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions |
| defaultConnectAction | string | “deny” | “deny”, “allow” | By default (value ‘deny’) the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value ‘allow’ will let clients CONNECT to arbitrary remote services |
| dnsErrorMessage | string | “<html><head><title>DNS Resolution Error</title></head><body><h2>Cannot resolve hostname in proxy request</h2></body></html>” | | Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions |
| doNotProxyHosts | array | “none” | | When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). This is ineffective for HTTPS requests |
| ipv6 | boolean | false | true, false | Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6. |
| maxHeaderCount | integer | 64 | 1 - 1024 | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| maxHeaderSize | integer | 32768 | 9 - 262144 | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| resolver | object | | | AS3 pointer to DNS resolver used to resolve hostnames in client requests |
| routeDomain | integer | 0 | 0 - 65535 | Proxy requests will leave the ADC from a Self IP in this route domain (default 0) |
| truncatedRedirects | boolean | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |
| tunnelName | string | “http-tunnel” | | Name of tunnel used for outbound CONNECT requests (default ‘http-tunnel’) |

HTTP_Profile_Explicit.resolver (object)

AS3 pointer to DNS resolver used to resolve hostnames in client requests

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| bigip* | string | | “f5bigip” formatted string | Pathname of existing BIG-IP net DNS resolver |

HTTP_Profile_Reverse (object)

Extra HTTP profile configurable options when proxyType is ‘reverse’

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | | | | |
| maxHeaderCount | integer | 64 | 1 - 1024 | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| maxHeaderSize | integer | 32768 | 9 - 262144 | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| truncatedRedirects | boolean | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |

HTTP_Profile_Transparent (object)

Extra HTTP profile configurable options when proxyType is ‘transparent’

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | | | | |
| excessClientHeaders | string | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
| excessServerHeaders | string | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
| maxHeaderCount | integer | 32 | 1 - 1024 | When the number of headers in a request or response exceeds this value (default 32), take the excessX…Headers action |
| maxHeaderSize | integer | 16384 | 9 - 262144 | When the total size in octets of the headers of request or response exceeds this value (default 16384), take the oversizeX…Headers action |
| oversizeClientHeaders | string | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
| oversizeServerHeaders | string | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
| truncatedRedirects | boolean | true | true, false | If true (default) pass malformed redirects to client |
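
Several property descriptions above carry explicit warnings (the HSTS settings, trustXFF, defaultConnectAction, webSocketMasking, remark). As an added example, not part of the AS3 documentation or F5's code, this Python check flags those settings in one HTTP_Profile object taken from a declaration; the function name, the `max_hsts_period` threshold and the sample objects are assumptions.

```python
# Added example (not F5 code): flag HTTP_Profile settings that the property
# descriptions on this page attach a warning to. Defaults come from the tables.
DEFAULTS = {
    "proxyType": "reverse", "hstsInsert": False, "hstsIncludeSubdomains": True,
    "hstsPeriod": 7862400, "trustXFF": False, "defaultConnectAction": "deny",
    "webSocketsEnabled": False, "webSocketMasking": "unmask", "remark": "",
}

def audit_http_profile(profile, max_hsts_period=86400):
    """Return [(property, finding), ...] for one HTTP_Profile object (a dict).

    max_hsts_period is an assumed rollout threshold in seconds, not an AS3 option.
    """
    p = {**DEFAULTS, **profile}  # unset properties take the documented default
    findings = []
    if p["hstsInsert"]:
        if p["hstsIncludeSubdomains"]:
            findings.append(("hstsIncludeSubdomains",
                             "HSTS will cover all subdomains of this service"))
        if p["hstsPeriod"] > max_hsts_period:
            findings.append(("hstsPeriod",
                             "clients hold HSTS settings for %d s" % p["hstsPeriod"]))
    if p["trustXFF"]:
        findings.append(("trustXFF",
                         "only safe when you control the upstream gateway(s)"))
    if p["proxyType"] == "explicit" and p["defaultConnectAction"] == "allow":
        findings.append(("defaultConnectAction",
                         "clients may CONNECT to arbitrary remote services"))
    if p["webSocketsEnabled"] and p["webSocketMasking"] == "preserve":
        findings.append(("webSocketMasking",
                         "stream data stays unreadable by security policy"))
    if any(c in p["remark"] for c in "<>&'"):
        findings.append(("remark",
                         "contains HTML metacharacters; encode before display"))
    return findings

# Constructed sample objects, not taken from a real declaration.
RISKY = {"class": "HTTP_Profile", "proxyType": "explicit", "hstsInsert": True,
         "trustXFF": True, "defaultConnectAction": "allow",
         "webSocketsEnabled": True, "webSocketMasking": "preserve",
         "remark": "<b>edge</b> profile"}
CAREFUL = {"class": "HTTP_Profile", "hstsInsert": True,
           "hstsIncludeSubdomains": False, "hstsPeriod": 3600}

if __name__ == "__main__":
    for prop, finding in audit_http_profile(RISKY):
        print("%-22s %s" % (prop, finding))
```

Because unset properties fall back to the documented defaults, turning on hstsInsert alone is reported twice: hstsIncludeSubdomains defaults to true and hstsPeriod to 7862400 seconds.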