CacheFlow appliance returns a 400 bad request on non standard HTTP request headers

Article ID: 165431

Products

CacheFlow Appliance Software

Issue/Introduction

Some custom applications that use HTTP do not fully comply with the HTTP RFC.
In the example below, a packet capture shows that the client's request contains no HTTP request header. As a result, the CacheFlow returns an HTTP/1.1 400 error:
 

110.75.66.80 = OCS (origin content server) and 10.105.14.254 = Client

1    0.000000    10.105.14.254    1777    110.75.66.80    TCP    80    62    powerguardian > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
2    0.000446    110.75.66.80    80    10.105.14.254    TCP    1777    62    http > powerguardian [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM=1
3    0.000469    10.105.14.254    1777    110.75.66.80    TCP    80    54    powerguardian > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
4    0.002422    10.105.14.254    1777    110.75.66.80    HTTP    80    138    Continuation or non-HTTP traffic --> [non standard HTTP request headers]
-Hypertext Transfer Protocol
-Data (84 bytes)
-Data: 130120f5fcffff4000000034000000000000000049953b64...

5    0.003349    110.75.66.80    80    10.105.14.254    HTTP    1777    896    HTTP/1.1 400 Bad Request  (text/html)

Follow TCP Stream
===============

.. [email protected].;d....~.8...^T[......*..eL..Z!R.....@.....^..8..%lH...,....... -->[non standard HTTP request headers]

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 691

<HTML><HEAD>
<TITLE>Request Error</TITLE>
</HEAD>
<BODY>

In this case, the CacheFlow returns a 400 Bad Request error to the client.
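
A triage check for captures like the one above, as an added example (not part of the original article and not CacheFlow's own logic): it tests whether the first client payload of a port-80 flow begins with an RFC 7230 request line and counts, per server, the flows that do not. The function names and the second sample flow are constructed; the first payload is the first 8 bytes of the Data field shown in frame 4.

```python
import re

# RFC 7230: request-line = method SP request-target SP HTTP-version CRLF
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # method must be an RFC "token"
REQUEST_LINE = re.compile(
    rb"^" + TOKEN + rb" [\x21-\x7e]+ HTTP/\d\.\d\r\n"
)

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client payload as 'http', 'non-http' or 'incomplete'."""
    if REQUEST_LINE.match(payload):
        return "http"
    # Printable ASCII with no CRLF yet may be a request line split across
    # TCP segments; anything else cannot become a valid request line.
    if b"\r\n" not in payload and all(0x20 <= b <= 0x7E for b in payload):
        return "incomplete"
    return "non-http"

def non_http_servers(flows):
    """Count, per server IP, the flows whose first payload is not HTTP."""
    counts = {}
    for _client, server, payload in flows:
        if classify_first_payload(payload) == "non-http":
            counts[server] = counts.get(server, 0) + 1
    return counts

# First 8 bytes of the Data field from frame 4 in the capture above.
PAGE_PAYLOAD_PREFIX = bytes.fromhex("130120f5fcffff40")
# Constructed sample flows: (client IP, server IP, first client payload).
SAMPLE_FLOWS = [
    ("10.105.14.254", "110.75.66.80", PAGE_PAYLOAD_PREFIX),
    ("192.0.2.10", "198.51.100.7",
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for server, n in non_http_servers(SAMPLE_FLOWS).items():
        print(f"{server}: {n} flow(s) start with non-HTTP data")
```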

 

Resolution

To permit nonstandard HTTP traffic to flow through the CacheFlow Appliance, you can enable a non-HTTP trigger via the CLI:

MyCF#conf t
MyCF#(config)proxy-services
MyCF#(config proxy-services)dynamic-bypass
MyCF#(config dynamic-bypass)trigger non-http
MyCF#(config dynamic-bypass)view config

Dynamic Bypass Settings:
    Timeout: 60 minutes
    Max Entries: 10000
    Server Threshold: 4
    Dynamic bypass: enabled
      Asymmetric route trigger: disabled
      Non-HTTP trigger: enabled                     --> Enabled
      HTTP connect error trigger: enabled
      HTTP receive error trigger: enabled
      HTTP 5xx trigger: disabled
 

Alternatively, you can add the OCS IP address to the static-bypass list:

 CF5000#(config)proxy-service
 CF5000#(config proxy-services)static-bypass
 CF5000#(config static-bypass)add all 211.154.172.58