chiewming_15294
Nimbostratus
Jan 18, 2012
HTTP Profile "Maximum Header Size"
Hi All,
Our platform is intended to act as a proxy or transparent proxy to serve ONLY HTTP traffic from handset or laptop. (Non-HTTP traffic is bypassed at the F5 level.)
...
hoolio
Cirrostratus
Jan 18, 2012
Hi Chiewming,
See below for more info:
1. Is this a critical message?
When this error occurs, TMM resets the client connection.
2. If a particular VS is hitting too many of these errors, what is the expected F5 behavior? Stop sending traffic to one of the pool members?
See above. There is no impact on the pool members. TMM simply resets the client connection. Increasing the max headers size in the HTTP profile will force TMM to allocate more memory to store the HTTP headers though.
3. Need input from your security point of view: what value is the best approach?
I'd increase the max size in the HTTP profile and use an iRule to log the request details. You can then determine whether the request is malicious, from a poorly designed client or incorrect web app behavior.
4. If we disable “Maximum Header Size” checking, will it cause a security issue? Like a DoS attack?
This setting can't be disabled, but you could set it to a very large value. I wouldn't recommend this though as you'll eat up more TMM memory.
Here's an iRule you can use to log long header values. Note that the HTTP profile setting for Max HTTP headers size must be greater than the actual request's headers in order to avoid being reset and trigger the HTTP_REQUEST event. This version checks the total headers size before looping through each header.
    when HTTP_REQUEST {
        # Check the total HTTP headers size
        if {[string length [HTTP::request]] > 10000} {
            # Check if the URI is very long
            if {[string length [HTTP::uri]] > 1000} {
                log local0. "Uri is long. Length [string length [HTTP::uri]], URI: [HTTP::uri]"
                # Exit this event from this iRule
                return
            }
            # Loop through the headers by name
            foreach header [HTTP::header names] {
                # Check for a long header value
                if {[string length [HTTP::header value $header]] > 1000} {
                    log local0. "Header is long. Header Name: $header,\
                        Length: [string length [HTTP::header value $header]], Value: [HTTP::header value $header]"
                    # Exit this event from this iRule
                    return
                }
            }
            # If we are still here the request was large, but not the URI or any single header.
            # Log the first 1k bytes of the full request
            log local0. "Request is long: [HTTP::request]"
        }
    }
Aaron
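One way to triage what the iRule above writes to the log, as an added example that is not part of the original answer and not F5 code: a Python script that groups the entries by which element was long. The sample log lines, their syslog prefix and the rule name `log_long_headers` are constructed assumptions; only the three message formats come from the iRule.

```python
import re
from collections import defaultdict

# Message bodies written by the iRule above. Only the message text is matched,
# because the syslog prefix in front of it varies between systems.
PATTERNS = {
    "uri": re.compile(r"Uri is long\. Length (?P<len>\d+), URI: "),
    "header": re.compile(
        r"Header is long\. Header Name: (?P<name>[^,\s]+), Length: (?P<len>\d+), Value: "),
    "request": re.compile(r"Request is long: "),
}

def classify(line):
    """Return (key, length) for one log line, or None if the iRule did not write it."""
    # Logged URIs and header values are client-controlled and can contain one of
    # the message strings themselves, so only the earliest match is trusted.
    hits = [(m.start(), kind, m) for kind, p in PATTERNS.items() if (m := p.search(line))]
    if not hits:
        return None
    _, kind, m = min(hits, key=lambda h: h[0])
    if kind == "header":
        return "header:" + m["name"].lower(), int(m["len"])
    if kind == "uri":
        return "uri", int(m["len"])
    return "request-total", None  # the iRule logs no length for this case

def triage(lines):
    """Count entries per oversized element and keep the largest length seen."""
    stats = defaultdict(lambda: {"count": 0, "max_len": 0})
    for key, length in filter(None, map(classify, lines)):
        stats[key]["count"] += 1
        if length is not None:
            stats[key]["max_len"] = max(stats[key]["max_len"], length)
    return dict(stats)

# Constructed sample lines; the prefix layout and rule name are assumptions.
PREFIX = "Jan 18 10:15:01 local/tmm info tmm[4822]: Rule log_long_headers <HTTP_REQUEST>: "
SAMPLE = [
    PREFIX + "Header is long. Header Name: Cookie, Length: 4312, Value: session=aaaa",
    PREFIX + "Header is long. Header Name: cookie, Length: 6120, Value: session=bbbb",
    PREFIX + "Uri is long. Length 2050, URI: /search?q=Header is long. Header Name: X-Fake, Length: 99999, Value: x",
    PREFIX + "Request is long: GET /index.html HTTP/1.1",
    "Jan 18 10:15:09 local/tmm info tmm[4822]: unrelated message",
]

if __name__ == "__main__":
    for key, s in sorted(triage(SAMPLE).items()):
        print(f"{key:16} count={s['count']} max_len={s['max_len']}")
```

The per-element counts and maximum lengths give a basis for choosing a Maximum Header Size value instead of guessing one.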