CacheFlow appliance returns a 400 Bad Request on non-standard HTTP request headers


Article ID: 165431




CacheFlow Appliance Software


Some custom HTTP applications do not fully comply with the HTTP RFC.
In the example below, a packet capture shows that the client's data contains no HTTP request header. As a result, the CacheFlow returns an HTTP/1.1 400 error:

1    0.000000    1777    TCP    80    62    powerguardian > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
2    0.000446    80    TCP    1777    62    http > powerguardian [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM=1
3    0.000469    1777    TCP    80    54    powerguardian > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
4    0.002422    1777    HTTP    80    138    Continuation or non-HTTP traffic --> [non standard HTTP request headers]
-Hypertext Transfer Protocol
-Data (84 bytes)
-Data: 130120f5fcffff4000000034000000000000000049953b64...

5    0.003349    80    HTTP    1777    896    HTTP/1.1 400 Bad Request  (text/html)

Follow TCP Stream

.. [email protected].;d....~.8...^T[......*..eL..Z!R.....@.....^..8..%lH...,....... -->[non standard HTTP request headers]

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 691

<TITLE>Request Error</TITLE>

In this case, the CacheFlow returns a 400 Bad Request error to the client.
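To find which flows in a capture behave like frame 4 before deciding what to bypass, the following added example (not part of the original article, and not the appliance's own parser) applies an RFC 7230 style request-line and header check to the first client payload of each flow. The function names, the sample flows and the 192.0.2.x addresses are assumptions made for illustration; only the first 8 bytes of the Data field come from the capture above.

```python
import re

# RFC 7230 "token" characters (method and header field names).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(TOKEN + rb" [\x21-\x7e]+ HTTP/\d\.\d")
HEADER_LINE = re.compile(TOKEN + rb":[\t\x20-\x7e\x80-\xff]*")


def classify_first_payload(payload: bytes) -> str:
    """Classify a client's first TCP payload as 'http', 'incomplete' or 'non-http'."""
    if b"\r\n" not in payload:
        # No complete line yet: printable ASCII could be a request line split
        # across segments; anything else cannot start an HTTP request.
        printable = bool(payload) and all(0x20 <= b < 0x7F for b in payload)
        return "incomplete" if printable else "non-http"
    if b"\r\n\r\n" in payload:
        head = payload.split(b"\r\n\r\n", 1)[0]
    else:
        head = payload.rpartition(b"\r\n")[0]  # ignore a trailing partial line
    request_line, *headers = head.split(b"\r\n")
    if not REQUEST_LINE.fullmatch(request_line):
        return "non-http"
    if not all(HEADER_LINE.fullmatch(h) for h in headers):
        return "non-http"
    return "http"


def bypass_candidates(flows):
    """Return sorted server IPs whose first client payload is not HTTP."""
    return sorted({ip for ip, data in flows if classify_first_payload(data) == "non-http"})


# First 8 bytes of the Data field in frame 4 of the capture above.
PAGE_PAYLOAD = bytes.fromhex("130120f5fcffff40")

# Constructed sample flows (documentation-range IPs, not from the article).
SAMPLE_FLOWS = [
    ("192.0.2.10", PAGE_PAYLOAD),
    ("192.0.2.20", b"GET /index.html HTTP/1.1\r\nHost: ocs.example\r\n\r\n"),
    ("192.0.2.30", b"POST /upload HTTP/1.1\r\nBad Header\r\n\r\n"),
    ("192.0.2.40", b"GET /index.ht"),
]

if __name__ == "__main__":
    for ip, data in SAMPLE_FLOWS:
        print(ip, classify_first_payload(data))
    print("bypass candidates:", bypass_candidates(SAMPLE_FLOWS))
```

Servers listed as candidates are the ones whose traffic would leave proxy inspection if bypassed, so the list is worth reviewing per destination rather than applying wholesale.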



To permit nonstandard HTTP traffic to flow through the CacheFlow Appliance, you can enable a non-HTTP trigger via the CLI:

MyCF#conf t
MyCF#(config proxy-services)dynamic-bypass
MyCF#(config dynamic-bypass)trigger non-http
MyCF#(config dynamic-bypass)view config

Dynamic Bypass Settings:
    Timeout: 60 minutes
    Max Entries: 10000
    Server Threshold: 4
    Dynamic bypass: enabled
      Asymmetric route trigger: disabled
      Non-HTTP trigger: enabled                     --> Enabled
      HTTP connect error trigger: enabled
      HTTP receive error trigger: enabled
      HTTP 5xx trigger: disabled

Alternatively, you can add the OCS IP address to the static-bypass list:

 CF5000#(config proxy-services)static-bypass
 CF5000#(config static-bypass)add all