Forum Discussion
irule help: Limit HTTP Methods to ONLY GET and POST and reject everything else?
I'm still trying to figure out the iRule nirvana, but I am requesting the help of all y'alls to guide me in the right direction.
=================
when RULE_INIT {
    set good_http_methods [list "GET" "POST"]
}
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::method]] contains good_http_methods] } {
        log local0. "good methods [HTTP::method]"
        return
    } else {
        log local0. "rejected methods [HTTP::method]"
        reject
    }
}
=======================
Or is the negative method better? (I assume it depends if you are half-glass-full vs half-glass-empty type of person?)
==================================
when RULE_INIT {
    # Must be set in the global namespace (::) to be visible from HTTP_REQUEST;
    # a plain "set" inside RULE_INIT would only create a local variable.
    set ::sec_http_methods [list "CONNECT" "DELETE" "HEAD" "OPTIONS" "PUT" "TRACE"]
}
when HTTP_REQUEST {
    if { [matchclass [HTTP::method] equals $::sec_http_methods] } {
        reject
    }
}
==================================
But I found this off of DevCentral in iRule Security 101 #02 (HTTP Methods and Cross-Site Tracing): https://devcentral.f5.com/articles/irule-security-101-02-http-methods-and-cross-site-tracing.Ux9odl5dSzQ
4 Replies
- Kevin_Stewart
Employee
You could significantly simplify the positive model like this:
when HTTP_REQUEST {
    if { ( [HTTP::method] equals "GET" ) or ( [HTTP::method] equals "POST" ) } {
        return
    } else {
        reject
    }
}
- Kevin_Stewart
Employee
Further, the class commands work on data groups, not lists, so your original iRule (slightly modified):
when HTTP_REQUEST {
    if { not ( [class match [HTTP::method] equals good_http_methods] ) } {
        reject
    }
}
would query a string-based data group:
ltm data-group internal good_http_methods {
    records {
        GET { }
        POST { }
    }
    type string
}
- fubarSUSHI
Altocumulus
Kevin:
Would this work if I wanted to log?
=========================
when HTTP_REQUEST {
    if { [class match [HTTP::method] equals good_http_methods] } {
        log local0. "good methods [HTTP::method]"
        return
    } else {
        log local0. "rejected methods [HTTP::method]"
        reject
    }
}
=========================
A question about setup on the data group list?
Records > String = POST, Records > Value = ? (What do I put there?)
- Kevin_Stewart
Employee
Yes, that would work, though it'd be a pretty sparse log entry.
You don't have to put anything in the data group value. We're just evaluating if the data group entry exists.
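Putting Kevin's data-group approach together with the logging fubarSUSHI asked about, as an added example that is not from this thread: it assumes a data group named allowed_http_methods (hypothetical name), logs the client address and URI so the entry is less sparse, and answers with an HTTP 405 plus an Allow header instead of a TCP reject, which is a choice made here rather than something the thread proposes.

```tcl
# Data group holding the allow-list (tmsh form, hypothetical name). The record
# values stay empty: as Kevin noted, only the existence of each record matters.
#
# ltm data-group internal allowed_http_methods {
#     records {
#         GET { }
#         POST { }
#     }
#     type string
# }

when RULE_INIT {
    # Value for the Allow header returned with the 405; static:: variables are
    # shared across connections and should be treated as read-only.
    set static::allow_header "GET, POST"
}

when HTTP_REQUEST {
    # HTTP method tokens are case-sensitive (RFC 7231 4.1), so compare the method
    # as received. Lower-casing it first, as in the original first draft, would
    # never match the upper-case GET/POST records in the data group.
    set method [HTTP::method]

    if { [class match $method equals allowed_http_methods] } {
        # Allowed method: log with client and URI context, then let it proceed.
        log local0.info "allowed [IP::client_addr]:[TCP::client_port] $method [HTTP::uri]"
        return
    }

    # Not in the allow-list: log at notice level and return a well-formed 405 so
    # the client sees which methods are permitted, rather than a bare reset.
    log local0.notice "rejected [IP::client_addr]:[TCP::client_port] $method [HTTP::uri]"
    HTTP::respond 405 content "Method Not Allowed" \
        "Allow" $static::allow_header \
        "Connection" "close"
}
```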