AFLEX DEBUG
in aFleX
Hello,
I'm working with AFLEX to set some attribute to cookie response, like HttpOnly and Secure.
I've used Misha's work with some customization:
# aFlex per HttpOnly e Secure
# Basato su script di Mischa Peters <mpeters AT a10networks DOT com>
# A10 Networks.
# include esclusione di cookie per CSFR
when RULE_INIT {
set ::DEBUG 0
}
when HTTP_REQUEST {
set PORT [TCP::local_port]
}
when HTTP_RESPONSE {
set current_time [TIME::clock seconds]
foreach cookie_name [HTTP::cookie names] {
if { [HTTP::cookie exists "$cookie_name"] } {
set cookie_value [HTTP::cookie value "$cookie_name"]
set cookie_expires [HTTP::cookie expires "$cookie_name"]
set cookie_domain [HTTP::cookie domain "$cookie_name"]
set cookie_path [HTTP::cookie path "$cookie_name"]
set new_cookie "$cookie_name=$cookie_value"
if { $cookie_expires > $current_time } {
set new_expire [clock format $cookie_expires -format {%a, %d %b %Y %H:%M:%S GMT} -gmt 1]
append new_cookie "; Expires=$new_expire"
}
if { $cookie_domain ne "" } { append new_cookie "; Domain=$cookie_domain" }
if { $cookie_path ne "" } { append new_cookie "; Path=$cookie_path" }
if { $PORT == 443 and $cookie_name ne "XSFR-TOKEN"} { append new_cookie "; Secure" }
if { ($PORT == 80 or $PORT == 443) and $cookie_name ne "XSFR-TOKEN" } { append new_cookie "; HttpOnly" }
if { ($::DEBUG == 1) } { log "Set-Cookie $new_cookie" }
HTTP::cookie remove "$cookie_name"
HTTP::header insert Set-Cookie "$new_cookie"
}
}
}
it seems to work quite well but I can find failure in failure in the SLB AFLEX panel:
HTTPONLY_AND_SECURE HTTP_RESPONSE 492 374 0
Looking in the showtech I was able to find this:
Last 15 runtime errors per thread (event command error):
Thread 0:
Thread 1:
14(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
13(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
12(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
11(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
10(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
9(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
8(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
7(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
6(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
5(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
4(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
3(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
2(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
1(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
15(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
Thread 2:
9(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
8(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
7(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
6(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
5(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
4(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
3(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
2(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
1(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
15(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
14(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
13(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
12(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
11(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
10(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
But I was unable to find out which cookie is incompatible...
Is there a way to debug this issue ?
I'm working with AFLEX to set some attribute to cookie response, like HttpOnly and Secure.
I've used Misha's work with some customization:
# aFlex per HttpOnly e Secure
# Basato su script di Mischa Peters <mpeters AT a10networks DOT com>
# A10 Networks.
# include esclusione di cookie per CSFR
when RULE_INIT {
set ::DEBUG 0
}
when HTTP_REQUEST {
set PORT [TCP::local_port]
}
when HTTP_RESPONSE {
set current_time [TIME::clock seconds]
foreach cookie_name [HTTP::cookie names] {
if { [HTTP::cookie exists "$cookie_name"] } {
set cookie_value [HTTP::cookie value "$cookie_name"]
set cookie_expires [HTTP::cookie expires "$cookie_name"]
set cookie_domain [HTTP::cookie domain "$cookie_name"]
set cookie_path [HTTP::cookie path "$cookie_name"]
set new_cookie "$cookie_name=$cookie_value"
if { $cookie_expires > $current_time } {
set new_expire [clock format $cookie_expires -format {%a, %d %b %Y %H:%M:%S GMT} -gmt 1]
append new_cookie "; Expires=$new_expire"
}
if { $cookie_domain ne "" } { append new_cookie "; Domain=$cookie_domain" }
if { $cookie_path ne "" } { append new_cookie "; Path=$cookie_path" }
if { $PORT == 443 and $cookie_name ne "XSFR-TOKEN"} { append new_cookie "; Secure" }
if { ($PORT == 80 or $PORT == 443) and $cookie_name ne "XSFR-TOKEN" } { append new_cookie "; HttpOnly" }
if { ($::DEBUG == 1) } { log "Set-Cookie $new_cookie" }
HTTP::cookie remove "$cookie_name"
HTTP::header insert Set-Cookie "$new_cookie"
}
}
}
it seems to work quite well but I can find failure in failure in the SLB AFLEX panel:
HTTPONLY_AND_SECURE HTTP_RESPONSE 492 374 0
Looking in the showtech I was able to find this:
Last 15 runtime errors per thread (event command error):
Thread 0:
Thread 1:
14(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
13(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
12(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
11(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
10(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
9(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
8(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
7(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
6(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
5(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
4(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
3(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
2(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
1(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
15(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
Thread 2:
9(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
8(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
7(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
6(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
5(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
4(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
3(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
2(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
1(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
15(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
14(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
13(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
12(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
11(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
10(HTTP_RESPONSE, HTTP::cookie, incompatible cookie)
But I was unable to find out which cookie is incompatible...
Is there a way to debug this issue ?
0
Comments
You might want to just log all cookies and values for a while, and after which log line the error pops up.
It might be an empty cookie, I know there are some issues with the cookie commands when cookies don't have a value.
However the strange thing is that also with this aflex:
when HTTP_REQUEST {
# Set strings for the "client side"
set time_client_request [TIME::clock seconds]
set clicks_client_request [TIME::clock milliseconds]
set date_time_request [clock format $time_client_request -format {%Y-%m-%d %H:%M:%S} ]
set c_ip [IP::client_addr]
set cs_uri_stem [HTTP::host][HTTP::uri]
set cs_method [HTTP::method]
set s_ip [IP::local_addr]
set s_port [TCP::local_port]
set host [HTTP::host]
if {[HTTP::query] equals ""} {
set cs_uri_query [HTTP::query]
} else { set cs_uri_query "-"
}
if {[HTTP::header exists Content-Length]} {
set cs_bytes [HTTP::header Content-Length]
} else { set cs_bytes "-"
}
if {[HTTP::header exists Referer]} {
set cs_Referer [HTTP::header "Referer"]
} else { set cs_Referer "-"
}
set cs_UserAgent [string map {" " "+"} [HTTP::header "User-Agent"]]
}
when HTTP_RESPONSE {
# Set strings for the "server side"
set clicks_server_response [TIME::clock milliseconds]
set sc_status [HTTP::status]
if {[HTTP::header exists Content-Length]} {
set sc_bytes [HTTP::header Content-Length]
} else { set sc_bytes "-"
}
# Correct TCL Bug with floating point values
set time_taken [expr $clicks_server_response - $clicks_client_request ]
if {$time_taken < 10} {
set final_time_taken [string range "0.00$time_taken" 0 4]
} elseif { $time_taken < 100 } {
set final_time_taken [string range "0.0$time_taken" 0 4]
} elseif { $time_taken < 1000} {
set final_time_taken [string range "0.$time_taken" 0 4]
} else {
set final_time_taken "[string index $time_taken 0].[string range $time_taken 1 3 ]"
}
# Format strings for logging
set log_str "$date_time_request $c_ip $s_ip $s_port $cs_method $cs_uri_stem $cs_uri_query $sc_status $sc_bytes $cs_bytes $final_time_taken $cs_UserAgent $cs_Referer"
#set log_str "$date_time_request $c_ip $s_ip $s_port $cs_method #$cs_uri_stem $cs_uri_query $sc_status $sc_bytes $cs_bytes $cs_UserAgent #$cs_Referer"
# write to syslog with Debug level
log local0.6 $log_str
# write to AX log (turn this for troubleshooting only, as you may have a lot of requests / second)
# log $log_str
}
that was built to mimic W3C logging with forwarding to a centralized syslog server, show the same error in show tech and the same behavior of failure in slb panel however logs are builded and forwared correctly.
This is quite weird because in this case I didn't touch cookie in any way but the message in show tech is always the same...
I think there's still some investigation to do, in fact at the moment there are non problem at all but I have no idea if this could be an issue in case traffic to vip increase. I hope to find a way to better understand this.