Forum Discussion

9 Replies

  • I'm definitely seeing those events in 11.4 HF3. Which version?

    Can you try this on a test VIP with simple access policy and see what you get:

    when HTTP_REQUEST {
        log local0. "here"
        # Enable APM clientless mode for this request
        HTTP::header insert "clientless-mode" 1
    }
    when HTTP_RESPONSE {
        log local0. "here"
    }
    when ACCESS_SESSION_STARTED {
        log local0. "here"
    }
    when ACCESS_SESSION_CLOSED {
        log local0. "here"
    }
    when ACCESS_ACL_ALLOWED {
        log local0. "here"
    }
    when ACCESS_POLICY_COMPLETED {
        log local0. "here"
    }
    when HTTP_REQUEST_SEND {
        log local0. "here"
    }
    when HTTP_REQUEST_RELEASE {
        log local0. "here"
    }
    when HTTP_RESPONSE_RELEASE {
        log local0. "here"
    }
    
  • Hi Kevin,

    Wassup? Thanks for the iRule. Actually, my VE lab is running on 11.4 without any HF. I'm trying to run a test with a simple portal access resource.

    Unfortunately, when I enable clientless mode, I see weird behavior on the server side. APM logs show a POST instead of a GET when clientless mode is enabled. Therefore, the web server does not answer anything.

    Clientless mode enabled:

    Aug 29 18:53:55 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 164 Msg: HTTP Method received: POST
    Aug 29 18:53:55 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 193 Msg: HTTP URI received: /

    Clientless mode disabled:

    Aug 29 18:52:32 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 164 Msg: HTTP Method received: GET
    Aug 29 18:52:32 BIGIP114 debug apd[24675]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 193 Msg: HTTP URI received: /my.policy

    Any idea how to test clientless mode?

  • Can you elaborate on your config? Why are you trying to use clientless-mode with a portal resource?

  • Kevin,

    I managed to reproduce the behavior seen on the customer site. I changed my lab to this configuration:

    • VPE: Logon page only (in order to check the clientless mode). No portal resource anymore.
    • VS_APM: Web pool as a resource when APM --> allow.

    When clientless mode enabled:

    Aug 29 19:42:18 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here

    When clientless mode disabled:

    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 : here

    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 : here

    Conclusion: several events are not parsed when clientless mode is enabled.

    A case is opened through the partner, I will check with technical support. Thanks for your help on this deal :-)

    See U soon. Matt

  • Sorry Kevin, some lines have disappeared:

    Clientless mode enabled:

    Aug 29 19:42:18 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here
    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here
    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here
    Aug 29 19:42:18 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST: here

    Clientless mode disabled:

    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 HTTP_REQUEST>: here
    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 ACCESS_SESSION_STARTED>: here
    Aug 29 19:42:54 BIGIP114 info tmm1[26636]: Rule /Common/TEST_114 HTTP_RESPONSE_RELEASE>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 ACCESS_POLICY_COMPLETED>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 ACCESS_ACL_ALLOWED>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST_SEND>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_REQUEST_RELEASE>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_RESPONSE>: here
    Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 HTTP_RESPONSE_RELEASE>: here

  • I'm also going to assume that you do not see the logon page, and that is to be expected with clientless-mode. The primary use case for clientless-mode is to disable the default HTTP redirect mechanism that APM uses to start a policy evaluation. With clientless-mode enabled, the client is NOT redirected to the special policy URI (/my.policy), but rather "falls through" the policy. The session token that is normally sent in the first redirect is now sent in the FIRST RESPONSE from the server. The downside of clientless-mode is that it doesn't generally allow for "blocking" policy objects like message boxes, logon pages, and webtops. AAA objects and SSO do still work.

  • You're right, with clientless mode enabled I bypass the logon page --> correct. It's what I'm looking for.

    I will investigate with tech support because this Event flow shows that events should be parsed.

  • Try turning off access event restrictions and look again:

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
    

    In any case, while you'll definitely bypass the logon form, you'll also kill the webtop and probably any assigned resources. There are ways around this, but it depends on what you're trying to accomplish.
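
The two traces posted in the thread differ only in which events logged. As an added example (not part of the thread and not F5 code), the script below parses LTM log lines in the format shown and lists which of the test iRule's events stopped firing with clientless mode on. The sample traces are constructed in the thread's log format using the event order that was posted; all function names are illustrative.

```python
import re

# Events instrumented by the test iRule posted in the thread.
INSTRUMENTED = [
    "HTTP_REQUEST", "HTTP_RESPONSE", "ACCESS_SESSION_STARTED",
    "ACCESS_SESSION_CLOSED", "ACCESS_ACL_ALLOWED", "ACCESS_POLICY_COMPLETED",
    "HTTP_REQUEST_SEND", "HTTP_REQUEST_RELEASE", "HTTP_RESPONSE_RELEASE",
]

# Matches "... tmm1[26636]: Rule /Common/TEST_114 <EVENT>: msg". The brackets
# and the event name are optional because the forum posts lost some of them.
RULE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ \w+ (?P<tmm>tmm\d*)\[\d+\]: "
    r"Rule \S+ <?(?P<event>[A-Z_]+)?>?\s*: (?P<msg>.*)$"
)

def parse_events(log_text):
    """Ordered (tmm, event) pairs; event is None when the name was lost."""
    hits = (RULE_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group("tmm"), m.group("event")) for m in hits if m]

def missing_events(log_text):
    """Instrumented events that never logged in this trace."""
    seen = {event for _, event in parse_events(log_text)}
    return [e for e in INSTRUMENTED if e not in seen]

def suppressed_events(trace_on, trace_off):
    """Events that fired without clientless mode but not with it."""
    still_missing = missing_events(trace_off)
    return [e for e in missing_events(trace_on) if e not in still_missing]

def sample_line(event):
    # Constructed sample line in the format of the posted logs.
    return f"Aug 29 19:43:01 BIGIP114 info tmm[26636]: Rule /Common/TEST_114 {event}: here"

# Constructed traces: same event order as the two traces in the thread.
CLIENTLESS_ON = "\n".join(sample_line("HTTP_REQUEST") for _ in range(4))
CLIENTLESS_OFF = "\n".join(sample_line(e + ">") for e in [
    "HTTP_REQUEST", "ACCESS_SESSION_STARTED", "HTTP_RESPONSE_RELEASE",
    "ACCESS_POLICY_COMPLETED", "HTTP_REQUEST", "ACCESS_ACL_ALLOWED",
    "HTTP_REQUEST_SEND", "HTTP_REQUEST_RELEASE", "HTTP_RESPONSE",
    "HTTP_RESPONSE_RELEASE"])

if __name__ == "__main__":
    print("suppressed by clientless mode:", suppressed_events(CLIENTLESS_ON, CLIENTLESS_OFF))
    print("never fired in either run:", missing_events(CLIENTLESS_OFF))
```

Running the same comparison on a trace captured after `ACCESS::restrict_irule_events disable` is applied shows directly whether the missing events come back.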