HTTP profile (object)¶
HTTP profile with configurable options
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | ||||
| allowBlankSpaceAfterHeaderName | boolean | false | true, false | Specifies whether to allow blank space in an HTTP header between the header name and the separator colon in an HTTP request or response. Requires TMOS version 16.1 or newer. |
| allowedResponseHeaders | array | By default BIG-IP AS3 passes HTTP headers in responses from pool members to clients unaltered. You may list names of allowed response headers here and BIG-IP AS3 removes any you do not list from responses. | ||
| class* | string | “HTTP_Profile” | ||
| cookiePassphrase | object | Used to create secret key for cookie encryption (when missing, BIG-IP AS3 uses a system-generated key),A passphrase (passphrase property),A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL | ||
| encryptCookies | array | List cookies to encrypt en-route to the client and decrypt en-route to a pool member | ||
| enforceRFCCompliance | boolean | false | true, false | BIG-IP LTM performs basic RFC compliance checks as described in the latest RFC for the HTTP protocol. If a client request fails these checks, then the connection is reset. Requires TMOS version 15.0 or newer. |
| fallbackRedirect | string | Domain name (or IP address) of service (if any) to which BIG-IP AS3 should redirect a request when no pool member is responsive or selected pool member returns a fallbackStatusCode | ||
| fallbackStatusCodes | array | When a pool member responds to a request with one of these HTTP status codes (for example, 500), redirect the client to the fallbackRedirect | ||
| hstsIncludeSubdomains | boolean | true | true, false | If true then HSTS headers (see hstsInsert) will tell clients to apply HSTS settings to the hostnames of this service and all their possible subdomains. Warning: an incorrect value here can make multiple websites unreachable, not just this service |
| hstsInsert | boolean | false | true, false | If true, insert HSTS (HTTP Strict Transport Security) headers into responses sent to clients (default false). Warning: misconfiguration of HSTS can make a website unreachable |
| hstsPeriod | integer | 7862400 | 0 - 4294967295 | If hstsInsert is true, this value tells each client how long (in seconds; default 7862400 equals 91 days) to wait before refreshing HSTS settings for this service. Warning: once a client receives erroneous HSTS settings it will ignore any attempt to correct them until this period has expired |
| hstsPreload | boolean | false | true, false | If true, include the domain for the web site associated with this HTTP profile in the browser’s preload list. This forces the client to send packets over SSL/TLS. |
| insertHeader | object | You may insert one header into each request before BIG-IP AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy | ||
| knownMethods | array | “CONNECT” | List of HTTP request methods BIG-IP AS3 should recognize as normal. Any method not in this list will provoke the ‘unknownMethodAction’ action | |
| label | string | “^[^x00-x1fx22#&*<>?x5b-x5d`x7f]*$” | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
| maxRequests | integer | 0 | 0 - 2147483647 | When BIG-IP AS3 has processed more than this number of requests through a connection, the system closes it. Default 0 means permit unlimited requests |
| multiplexTransformations | boolean | true | true, false | If true (default), BIG-IP AS3 adjusts request headers to work properly when the virtual server uses a Multiplex profile |
| otherXFF | array | Names of request headers to treat as equivalent to X-Forwarded-For (see trustXFF) | ||
| pipelineAction | string | “allow” | “allow”, “reject”, “pass-through” | Default ‘allow’ means clients may pipeline HTTP/1.1 requests to pool members which support pipelining. Otherwise, ‘reject’ prevents pipelining, and ‘pass-through’ causes the connection to switch to pass-through mode when the system detects pipelining |
| profileWebSocket | object | Deprecated. Specifies the WebSocket profile that will be used on Services alongside this HTTP profile. When the ‘profileWebSocket’ property is used on a Service, it will supersede this property.,Reference to a WebSocket Profile | ||
| proxyConnectEnabled | boolean | false | true, false | Determines if a proxy connection profile will be created |
| proxyType | string | “reverse” | “reverse”, “transparent”, “explicit” | Default value ‘reverse’ is usually appropriate. You may use ‘transparent’ when virtual server will handle a mix of HTTP and non-HTTP traffic. You may use ‘explicit’ when clients will ask ADC to proxy connections to arbitrary remote services |
| remark | string | “^[^x00-x1fx22x5cx7f]*$” | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
| requestChunking | string | “preserve” | “selective”, “preserve”, “rechunk”, “sustain” | Controls handling of HTTP payload chunking in requests from clients (default is ‘preserve’). Note: ‘selective’ and ‘preserve’ will be translated to ‘sustain’ when TMOS version is 15.0 or newer and ‘sustain’ will be translated to ‘preserve’ on older TMOS versions. |
| responseChunking | string | “selective” | “selective”, “preserve”, “unchunk”, “rechunk”, “sustain” | Controls handling of HTTP payload chunking in responses from pool members (default ‘selective’ adapts to most situations). Note: ‘selective’ and ‘preserve’ will be translated to ‘sustain’ when TMOS version is 15.0 or newer and ‘sustain’ will be translated to ‘selective’ on older TMOS versions. |
| rewriteRedirects | string | “none” | “none”, “all”, “matching”, “addresses” | In selected Location-header values (default none) of redirect responses from pool members, change protocol HTTP to HTTPS before passing redirects to clients |
| serverHeaderValue | string | “BigIP” | Server header value to place in responses generated by the ADC itself (not obtained from a pool member) | |
| trustXFF | boolean | false | true, false | If true, WAF (ASM) and AVR may trust X-Forwarded-For headers found in incoming requests and report statistics using client IP addresses appearing in them (default false). Use this feature only when you control upstream gateway(s) |
| unknownMethodAction | string | “allow” | “allow”, “reject”, “pass-through” | Default ‘allow’ means clients may make HTTP requests using unknown methods. Otherwise, ‘reject’ means to discard any unknown-method request and reject the client connection, and ‘pass-through’ causes the connection to switch to pass-through mode upon the first unknown-method request |
| viaHost | string | Hostname to place in Via header when viaRequest or viaResponse is ‘append’ | ||
| viaRequest | string | “remove” | “append”, “preserve”, “remove” | Controls treatment of Via: headers in requests from clients. When set to ‘append’ BIG-IP AS3 requires viaHost |
| viaResponse | string | “remove” | “append”, “preserve”, “remove” | Controls treatment of Via: headers in responses from pool members. When set to ‘append’ BIG-IP AS3 requires viaHost |
| webSocketMasking | string | “unmask” | “preserve”, “remask”, “selective”, “unmask” | Deprecated. WebSocket stream data is always masked from client to ADC and from ADC to server. Default value ‘unmask’ makes stream data passing through visible to ADC security policy and/or iRules attached to the service. ‘selective’ unmasks stream data only when a security policy is attached. ‘preserve’ passes data through masked (unreadable by security policy). ‘remask’ causes different masking keys to be used on client and server sides. When specified the property ‘profileWebSocket’ supersedes this property. |
| webSocketsEnabled | boolean | false | true, false | Deprecated. When true, allow clients to initiate WebSocket connections (default false). When specified the property ‘profileWebSocket’ supersedes this property. |
| whiteOutHeader | string | “^[^x00-x20x22:x5cx7f-xff]+$” | You may name one request header you want whited-out of each request before BIG-IP AS3 sends it to a pool member. To remove more than a single named header, use an iRule or an Endpoint policy. (Whiting-out a header leaves its name but replaces its value in the request with space characters (ASCII 0x20) to avoid changing the length of the headers.) | |
| xForwardedFor | boolean | true | true, false | If true, insert an X-Forwarded-For header carrying the client IP address into each HTTP request sent to a pool member (default true) |
HTTP profile.cookiePassphrase (object)¶
Used to create secret key for cookie encryption (when missing, BIG-IP AS3 uses a system-generated key) A passphrase (passphrase property) A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | ||||
| allowReuse | boolean | false | true, false | If true, other declaration objects may reuse this value |
HTTP profile.insertHeader (object)¶
You may insert one header into each request before BIG-IP AS3 sends it to a pool member. The header value may be a simple string or the result of an iRules TCL expression (for example, [IP::client_addr]). This is the most efficient way to insert a single header; to insert multiple headers use an iRule or an Endpoint policy
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| name | string | “^[^x00-x20x22:x5cx7f-xff]+$” | Name of the HTTP header to insert | |
| value | string | “^[^x00-x1fx7f-xff]*$” | Value of the HTTP header to insert |
HTTP profile.profileWebSocket (object)¶
Deprecated. Specifies the WebSocket profile that will be used on Services alongside this HTTP profile. When the ‘profileWebSocket’ property is used on a Service, it will supersede this property. Reference to a WebSocket Profile
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| bigip | string | “f5bigip” formatted string | Pathname of existing BIG-IP WebSocket Profile | |
| use | string | AS3 pointer to WebSocket Profile declaration |
HTTP_Profile_Explicit (object)¶
Extra HTTP profile configurable options when proxyType is ‘explicit’
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | ||||
| badRequestMessage | string | “<html><head><title>Bad Request</title></head><body><h2>Invalid proxy request</h2></body></html>” | Message returned to client when proxy request is erroneous. May include iRules TCL expressions | |
| badResponseMessage | string | “<html><head><title>Bad Response</title></head><body><h2>Proxy request provoked invalid response</h2></body></html>” | Message returned to client when response to proxy request is erroneous. May include iRules TCL expressions | |
| connectErrorMessage | string | “<html><head><title>Connection Error</title></head><body><h2>Unable to connect to host in proxy request</h2></body></html>” | Message returned to client when the system cannot establish a proxy connection. May include iRules TCL expressions | |
| defaultConnectAction | string | “deny” | “deny”, “allow” | By default (value ‘deny’) the system refuses CONNECT requests from clients except when there is a virtual server listening to the tunnelName tunnel to accept and process them (typically to authorize and/or intercept outbound TLS connections). Value ‘allow’ will let clients CONNECT to arbitrary remote services |
| dnsErrorMessage | string | “<html><head><title>DNS Resolution Error</title></head><body><h2>Cannot resolve hostname in proxy request</h2></body></html>” | Message returned to the client when the system cannot resolve the hostname in the request. May include iRules TCL expressions | |
| doNotProxyHosts | array | “none” | When a client makes a (proxy-type) request to some host on this list, that request will simply be load-balanced to a pool member (without DNS resolution). This is ineffective for HTTPS requests | |
| ipv6 | boolean | false | true, false | Specifies the relative order of IPv4 and IPv6 DNS resolutions for URIs. If false (default), then the system performs IPv4 lookup before IPv6. |
| maxHeaderCount | integer | 64 | 1 - 1024 | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| maxHeaderSize | integer | 32768 | 9 - 262144 | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| resolver | object | BIG-IP AS3 pointer to DNS resolver used to resolve hostnames in client requests | ||
| routeDomain | 0 | Proxy requests will leave the ADC from a Self IP in this route domain (default 0) | ||
| truncatedRedirects | boolean | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |
| tunnelName | string | “http-tunnel” | Name of tunnel used for outbound CONNECT requests (default ‘http-tunnel’) |
HTTP_Profile_Explicit.resolver (object)¶
BIG-IP AS3 pointer to DNS resolver used to resolve hostnames in client requests
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| bigip* | string | “f5bigip” formatted string | Pathname of existing BIG-IP net DNS resolver |
HTTP_Profile_Reverse (object)¶
Extra HTTP profile configurable options when proxyType is ‘reverse’
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | ||||
| maxHeaderCount | integer | 64 | 1 - 1024 | When the number of headers in an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| maxHeaderSize | integer | 32768 | 9 - 262144 | When the total size in octets of the headers of an incoming HTTP request exceeds this value, discard the request and reset the client connection |
| truncatedRedirects | boolean | false | true, false | If false (default) elide malformed redirects from pool members, otherwise pass them to client |
HTTP_Profile_Transparent (object)¶
Extra HTTP profile configurable options when proxyType is ‘transparent’
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | ||||
| excessClientHeaders | string | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
| excessServerHeaders | string | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderCount, either switch to pass-through mode (default) or reject the connection |
| maxHeaderCount | integer | 32 | 1 - 1024 | When the number of headers in a request or response exceeds this value (default 32), take the excessX…Headers action |
| maxHeaderSize | integer | 16384 | 9 - 262144 | When the total size in octets of the headers of request or response exceeds this value (default 16384), take the oversizeX…Headers action |
| oversizeClientHeaders | string | “pass-through” | “pass-through”, “reject” | When a client request violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
| oversizeServerHeaders | string | “pass-through” | “pass-through”, “reject” | When a pool member response violates maxHeaderSize, either switch to pass-through mode (default) or reject the connection |
| truncatedRedirects | boolean | true | true, false | If true (default) pass malformed redirects to client |