HealthChecks from F5 LB causing Router "Missing host" errors


Hi,

I have F5 LBs in front of my Apigee instance; however, I do not have control over the F5s, and getting changes implemented is a hassle. So I was wondering if there is a good way of dealing with LBs sending healthchecks without Host headers. My goal is to get rid of Apigee writing 7000+ errors per hour (2 environments, LBs trying to ping both envs, once per second = 7200 per hour) to the logs. It wastes resources and makes the logs that much more difficult to look through as well.

2015-10-07 00:00:21,420 Router-ServerThread-2 ERROR Request-processor - ValidateHostHeader.process() : Message xxxxx.com_BT/beKAE_RouterProxy-6-12439661_1 Missing host header

Thanks!

Ryan
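To put a number on the noise before and after any fix, here is an added example (mine, not from the thread or from Apigee's tooling) that parses router log lines of the shape quoted above and counts the "Missing host header" errors per hour and per server thread. The regex field names are my own labels derived from that single sample line, and all lines after the first in SAMPLE_LOG are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the router log line quoted in the question; the group names are
# my own labels, derived from that one sample:
#   <date> <time>,<ms> <thread> <LEVEL> <logger> - <Class.method>() : Message <id> <text>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"(?P<thread>\S+) (?P<level>[A-Z]+) (?P<logger>\S+) - "
    r"(?P<where>[\w.]+\(\)) : Message (?P<msgid>\S+) (?P<text>.*)$"
)

MISSING_HOST = "Missing host header"

# Constructed sample: the first line is the one quoted in the question, the
# rest are made up here (an INFO line, an unrelated ERROR, a later hour, junk).
SAMPLE_LOG = [
    "2015-10-07 00:00:21,420 Router-ServerThread-2 ERROR Request-processor - ValidateHostHeader.process() : Message xxxxx.com_BT/beKAE_RouterProxy-6-12439661_1 Missing host header",
    "2015-10-07 00:00:22,418 Router-ServerThread-3 ERROR Request-processor - ValidateHostHeader.process() : Message xxxxx.com_BT/beKAE_RouterProxy-6-12439662_1 Missing host header",
    "2015-10-07 00:00:22,901 Router-ServerThread-1 INFO Request-processor - ValidateHostHeader.process() : Message xxxxx.com_BT/beKAE_RouterProxy-6-12439663_1 Host header present (constructed)",
    "2015-10-07 00:00:23,100 Router-ServerThread-1 ERROR Request-processor - ValidateHostHeader.process() : Message xxxxx.com_BT/beKAE_RouterProxy-6-12439664_1 Some other error (constructed)",
    "2015-10-07 01:00:05,002 Router-ServerThread-2 ERROR Request-processor - ValidateHostHeader.process() : Message xxxxx.com_BT/beKAE_RouterProxy-6-12439999_1 Missing host header",
    "not a router log line",
]


def parse_line(line):
    """Parse one router log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def missing_host_errors(lines):
    """Yield only the ERROR records carrying the 'Missing host header' text."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and rec["text"] == MISSING_HOST:
            yield rec


def count_per_hour(lines):
    """Missing-host errors per hour bucket, e.g. {'2015-10-07 00:00': 2}."""
    counts = Counter()
    for rec in missing_host_errors(lines):
        counts[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


def count_per_thread(lines):
    """Missing-host errors per router server thread."""
    return dict(Counter(rec["thread"] for rec in missing_host_errors(lines)))


def share_of_errors(lines):
    """Fraction of all ERROR lines that are missing-host errors (how much of the log they drown)."""
    errors = [rec for rec in map(parse_line, lines) if rec and rec["level"] == "ERROR"]
    if not errors:
        return 0.0
    missing = sum(1 for rec in errors if rec["text"] == MISSING_HOST)
    return missing / len(errors)


if __name__ == "__main__":
    print(count_per_hour(SAMPLE_LOG))
    print(count_per_thread(SAMPLE_LOG))
    print(f"missing-host share of ERROR lines: {share_of_errors(SAMPLE_LOG):.0%}")
```

Run it against a real router log by replacing SAMPLE_LOG with the file's lines; an hourly count near 7200 that drops to zero after the virtual-host change is the confirmation that the healthcheck traffic was the source.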



I believe we fixed this by adding the IP address and port that was being forwarded to the host header.

(To be honest, I had someone ask me why we did this a couple of months ago and it didn't dawn on me why... now I know!)

So our F5 takes a request at a URL/IP, and then the pool that we map to has the IP addresses of the routers w/ the correct ports that the environment lives on.

We then added both the URL from the LB and the IP address + port from the pool to the host header entry on Apigee (note this is IN apigee).

I only suggest this because we.. well.. we don't get any of these errors in this configuration.

[attached image: 1316-virtual-host-config.jpg, the virtual host config screen]

So you can do this w/ API calls:

A default (un-updated) virtual host might look something like this (Thank You Bernhard!):

[root@Centos64-101 ~]# curl -u $CRED http://<mgmt-ip>:8080/v1/o/acme/e/test/virtualhosts/default
{
  "hostAliases" : [ ],
  "interfaces" : [ ],
  "name" : "default",
  "port" : "9001"
}

You can give it a domain name to reply to like this:

[root@Centos64-101 ~]# curl -u $CRED http://<mgmt-ip>:8080/v1/o/acme/e/test/virtualhosts/default -X PUT -d '{"hostAliases":["mygateway.mydomain.com"], "name":"default", "port":9001}' -H "Content-Type:application/json"
{
  "hostAliases" : [ "mygateway.mydomain.com" ],
  "interfaces" : [ ],
  "name" : "default",
  "port" : "9001"
}

And you can then add alternate host aliases (IPs that your F5 knows how to talk to), so that the virtual host ends up like this:

[root@Centos64-101 ~]# curl -u $CRED http://<mgmt-ip>:8080/v1/o/acme/e/test/virtualhosts/default
{
  "hostAliases" : [ "mygateway.mydomain.com", "192.168.5.20:9001", "192.168.5.50:9001" ],
  "interfaces" : [ ],
  "name" : "default",
  "port" : "9001"
}

The end goal being.. well.. to have the IP addresses that the F5 will be addressing your server as in the host header list. My understanding is that most F5 configs really rely on IP and not on URL - so this will probably fix your problem.

The TCP checks can then be directed to the pool members (which are 192.168.5.20:9001 and 192.168.5.50:9001 above) and they should work w/o generating spam in the Apigee logs.
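The same change scripted, as an added example that is not from the thread or from Apigee's own tooling: merge_host_aliases takes the GET output shown above plus the F5 pool members and builds the PUT body, adding each "ip:port" alias only once (so re-running it is harmless) and validating the port. It assumes only the URL shape and JSON fields visible in the curl commands above; the function names, the pool-member check and the use of urllib for the PUT are my own choices.

```python
import base64
import json
import urllib.request


def _check_pool_member(member):
    """Validate an 'ip:port' pool member (as the F5 pool lists them); raise ValueError if malformed."""
    host, sep, port = member.rpartition(":")
    if not sep or not host:
        raise ValueError(f"pool member must be host:port, got {member!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in pool member {member!r}")
    return f"{host}:{int(port)}"


def merge_host_aliases(vhost, pool_members):
    """Build the PUT body for a virtual host with the pool members added to hostAliases.

    vhost: the dict returned by GET .../virtualhosts/<name> (as shown in the thread)
    pool_members: iterable of 'ip:port' strings, one per router in the F5 pool
    """
    aliases = list(vhost.get("hostAliases", []))
    for member in pool_members:
        normalized = _check_pool_member(member)
        if normalized not in aliases:       # idempotent: never duplicate an alias
            aliases.append(normalized)
    payload = {
        "hostAliases": aliases,
        "name": vhost["name"],
        # GET returns the port as the string "9001"; the PUT in the thread sends 9001 as a number
        "port": int(vhost["port"]),
    }
    if vhost.get("interfaces"):
        payload["interfaces"] = list(vhost["interfaces"])
    return payload


def put_virtual_host(mgmt_base, org, env, payload, cred):
    """PUT the payload to the management API, same URL shape as the curl commands above.

    mgmt_base is e.g. 'http://<mgmt-ip>:8080', cred is 'user:password' as in $CRED.
    Not exercised offline; it returns the parsed JSON the server sends back.
    """
    url = f"{mgmt_base}/v1/o/{org}/e/{env}/virtualhosts/{payload['name']}"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(cred.encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # The GET output shown in the thread after the domain alias was added.
    current = {"hostAliases": ["mygateway.mydomain.com"], "interfaces": [],
               "name": "default", "port": "9001"}
    body = merge_host_aliases(current, ["192.168.5.20:9001", "192.168.5.50:9001"])
    print(json.dumps(body, indent=2))
    # To apply it for real (hypothetical org/env, credentials from the environment):
    # put_virtual_host("http://<mgmt-ip>:8080", "acme", "test", body, os.environ["CRED"])
```

Because the alias list is merged rather than replaced, the script can be run once per environment (each has its own virtual host) without clobbering aliases that were added by hand; the pool member list is the one thing you still need from the network team.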

Yes, that would work. But I was wondering if there was anything from the Apigee side, since I don't have easy access to making changes to the F5 :).

One sec - I'm editing and lost my edits 🙂

I'm trying to put together some commands that will let you do this, but they present like garbage in this interface.

@Benjamin Goldman did you try using "CODE" from the wysiwyg ?

That actually made it worse :( I'm working on it.. will edit back into the answer.

If nothing works, I would suggest adding it as an attachment. Sorry about that.

Losing edits is never fun :(.

And I think our situations are slightly different. Our calls come into F5, all on port 443, and then are forwarded to the routers depending on the hostname the client uses (dev.api..., sit.api..., etc). That all works with SSL and everything.

The problem lies in that when the F5 makes healthcheck calls to the routers, it does so without including ANY Host header, and as soon as Apigee sees that there is no Host header in the request it throws the above error. So I am not sure if adding additional aliases would help.

My understanding is that the F5 out-of-the-box TCP healthcheck is against the IP addresses in the load balancing pool - and will pass the IP address as the header.

The thing to do is to ask your network people to tell you what the LB pool looks like. It is very likely a list of hosts on a port. It MIGHT be a list of hosts on a port with an SSL protocol, in which case you have more work to do...

You will have to use a different healthcheck - because the TCP healthcheck isn't SSL 🙂

In either case - the F5 doesn't know how to talk to a server by FQDN. They work on IP addresses. It's annoying, but it's true. So if the virtual host doesn't know how to be talked to as an IP address, the healthcheck from the F5 won't work.