How to use ‘PURGE’ and ‘PURGE_URL’ Method in F5 DoS products
Hello, my name is Muntae Kim.
How to allow ‘PURGE’ and ‘PURGE_URL’ Method in F5 DDoS product
BIG-IP version:
- BIG-IP 16.1.3.1
- DDoS Hybrid Defender 16.1.0-9.0.20
When the server in the section passing through the F5 DDoS product executes the following curl command, a connection cannot be established due to a connection reset message.
[root@uxe1253 ~]# curl -X PURGE ep0325.ehosting.cafe24.com
curl: (56) Recv failure: Connection reset by peer
I need to allow methods for 'PURGE' and 'PURGE_URL' in F5. Can you tell me how to set this?
Thank you.
- Heath_Parrott (Employee)
Normally, if a connection is blocked by an F5 security product and HTTP is involved, a 200 OK with an error code via the body is presented and the connection is not simply dropped, so I would recommend a packet capture to validate where the TCP connection is dropped.
PURGE and PURGE_URL are non-standard HTTP methods and are not listed in any RFC. If the TCP connection is being dropped by BIG-IP, there is a virtual server processing the traffic that has an HTTP security profile applied to it, and the methods in question are not on the allowed list via a custom method.
I took a quick look at an HTTP protocol security profile in AFM, which shows that PURGE and PURGE_URL are not in our standard list of methods. To allow them, one needs to explicitly create them via Security --> Security Profiles --> HTTP. The exact details of the configuration will vary based on how the system is set up and the documentation on the product. I recommend a case be opened to further investigate the config setting you need, since DDoS Hybrid Defender also has wizards that may obfuscate the setting or require other settings be touched.
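The reply above separates two outcomes: a block delivered as an HTTP response versus a connection that is simply dropped. The following is an added example, not part of the original thread and not F5 code, that sends the same request with GET, PURGE and PURGE_URL and reports which outcome each method gets; the function names are hypothetical and the host and port are supplied by whoever runs it.

```python
import socket
import sys

def probe_method(host, port, method, path="/", timeout=5.0):
    """Send one HTTP/1.1 request with `method`; return (outcome, detail).

    outcome: "reset"  - TCP RST from the path (curl reports this as error 56)
             "http"   - an HTTP response arrived; detail = (status, body_start)
             "closed" - peer closed cleanly without sending anything
             "error"  - connect failure, timeout or non-HTTP reply
    """
    request = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(data) < 65536:          # cap what we keep in memory
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except (ConnectionResetError, BrokenPipeError):
        return ("reset", None)
    except socket.timeout:
        if not data:                          # keep a partial response if any
            return ("error", "timeout")
    except OSError as exc:
        return ("error", str(exc))
    if not data:
        return ("closed", None)
    head, _, body = data.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return ("http", (int(parts[1]), body[:200].decode("latin-1")))
    return ("error", "non-HTTP reply")

def compare_methods(host, port, methods=("GET", "PURGE", "PURGE_URL")):
    """Probe each method in turn; GET is the baseline that should pass."""
    return {m: probe_method(host, port, m) for m in methods}

if __name__ == "__main__":
    # Usage: python probe.py <host> [port]  (no default target is built in)
    if len(sys.argv) > 1:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for name, result in compare_methods(sys.argv[1], target_port).items():
            print(f"{name:10} {result}")
```

An "http" result with status 200 still needs its body read, since the reply describes block responses arriving that way; a "reset" result is the case where the suggested packet capture shows which device dropped the connection.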
- muntae_kim (Cirrus)
Hello. Thank you for your reply.
I previously confirmed that Allow for PURGE_URL is possible when creating iRules as follows. Please review whether the requested item cannot be implemented with the iRules.
(In addition, url_destroy was a syntax that did not work in that version.)
- Edit the iRule:
In the "Definition" section, add the following iRule script:
when HTTP_REQUEST {
    if {[HTTP::method] equals "PURGE" || [HTTP::method] equals "PURGE_URL"} {
        set allow_purge_method 1
    }
}
when HTTP_RESPONSE {
    if { [info exists allow_purge_method] } {
        unset allow_purge_method
        set respond_purge_method 1
    }
}
when RULE_INIT {
    set respond_purge_method 0
    set allow_purge_method 0
}
when RULE_DESTROY {
    if { [info exists allow_purge_method] } {
        unset allow_purge_method
    }
}
- Leslie_Hubertus (Ret. Employee)
Heath_Parrott - can you please help answer this question, or tag someone who can?