关于Standard virtual server with Layer 7 functionality

前几天同事发现telnet 我们网站的80端口，很长时间都出于连接状态，可能会有安全隐患，对比其他大型网站10几秒就会自动断开，弹出Connection closed by foreign host. 于是乎自己动手测试验证一把。

1）直接telnet连接到内网服务器的80端口进行测试，发现1分钟左右都可以自动断开，弹出Connection closed by foreign host

2）telnet到F5上面不同的VS地址的80端口，发现了不同的情况，有的VS会弹出Connection closed by foreign host，但是主页的却不会，分析了一下VS的不同设置，估计设置了http profile的原因。

3）查找之前在ask.f5上看到关于不同VS类型下tcp连接的不同情况分析，等到了验证

Standard virtual server with Layer 7 functionality

f a Standard virtual server is configured with Layer 7 functionality, such as an HTTP profile, the client must send at least one data packet before the server-side connection can be initiated by the BIG-IP LTM.

Note: The BIG-IP LTM may initiate the server-side connection prior to the first data packet for certain Layer 7 applications, such as FTP, in which the user waits for a greeting banner before sending any data.

The TCP connection set-up behavior for a Standard virtual server with Layer 7 functionality operates as follows: the three-way TCP handshake and initial data packet are processed on the client side of the connection before the LTM initiates the TCP handshake on the server side of the connection.

A Standard virtual server with Layer 7 functionality processes connections using the full proxy architecture. The following TCP flow diagram illustrates the TCP handshake for a Standard virtual server with Layer 7 functionality:
4）在standard模式下设置了http profile就会使得TCP连接变成full proxy，这样的话client发起的tcp连接先到F5,有了GET请求才会发起连接到真实的服务器，所以telnet的连接只会到达F5，所以服务器断开超时连接也只是断开和F5的连接

5）经过验证，在这种情况下，F5和客户端的连接超时值取决于TCP profile里面的idle timeout，默认是300秒，没有看到超时后F5会发送reset，所以client也没有Connection closed by foreign host，只是用b conn查看连接已经不存在，但是设置idle timeout为60秒，超时后会发送reset包，这个无法解释。

6）如果没有使用http profile，则standard模式下，client发起的连接会直接到达服务器，这样server会有timeout值，一般会小于300S,超时会直接关闭连接。

通过测试，进一步理解了F5 Standard模式下full proxy的实现机制。