
Forum Discussion

fubarSUSHI
Mar 11, 2014

irule help: Limit HTTP Methods to ONLY GET and POST and reject everything else?

I'm still trying to figure out the iRule nirvana but I am requesting the help of all y'alls to guide me in the right direction.

=================
when RULE_INIT {
    set good_http_methods [list "GET" "POST"]
}
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::method]] contains good_http_methods] } {
        log local0. "good methods [HTTP::method]"
        return
    } else {
        log local0. "rejected methods [HTTP::method]"
        reject
    }
}
=======================

Or is the negative method better? (I assume it depends on whether you are a glass-half-full or glass-half-empty type of person?)

==================================
when RULE_INIT {
    set sec_http_methods [list "CONNECT" "DELETE" "HEAD" "OPTIONS" "PUT" "TRACE"]
}

when HTTP_REQUEST {
    if { [matchclass [HTTP::method] equals $::sec_http_methods] } {
        reject
    }
}
==================================

But I found this on DevCentral, in iRule Security 101 - #02, "HTTP Methods and Cross Site Tracing" (https://devcentral.f5.com/articles/irule-security-101-02-http-methods-and-cross-site-tracing.Ux9odl5dSzQ).

4 Replies

  • You could significantly simplify the positive model like this:

    when HTTP_REQUEST {
        if { ( [HTTP::method] equals "GET" ) or ( [HTTP::method] equals "POST" ) } {
            return
        } else {
            reject
        }
    }
    
  • Further, the class commands work on data groups, not lists, so your original iRule (slightly modified):

    when HTTP_REQUEST {
        if { not ( [class match [HTTP::method] equals good_http_methods] ) } {
            reject
        }
    }
    

    would query a string-based data group:

    ltm data-group internal good_http_methods {
        records {
            GET { }
            POST { }
        }
        type string
    }
    
  • Kevin:

    Would this work if I wanted to log?
    =========================
    when HTTP_REQUEST {
        if { [class match [HTTP::method] equals good_http_methods]} {
            log local0. "good methods [HTTP::method]"
            return
            } else {
            log local0. "rejected methods [HTTP::method]"
            reject
            }
    }
    =========================
    

    A question about setup on the data group list?

    Records>String=POST

    Records>Value=? (What do I put there?)
  • Yes, that would work, though it'd be a pretty sparse log entry.

    You don't have to put anything in the data group value. We're just evaluating if the data group entry exists.
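Pulling the thread together, the following is an added example of a complete positive-model iRule; it is not code from the original post, from the replies, or from F5's iRule Security 101 article. It keeps the `good_http_methods` string data group from the reply above (record names are the permitted methods, record values stay empty, as the last reply says), and it goes beyond the thread in two ways: a disallowed method gets an HTTP 405 with an Allow header built from the same data group, rather than a bare TCP reset, and the log line carries client address, host and URI so the entry is less sparse. The data group name, the log text and the response body are assumptions.

```tcl
# Added example (not code from the thread or from the linked DevCentral article):
# a positive-model (allow-list) HTTP method filter for an F5 BIG-IP iRule.
#
# Assumes a string data group named good_http_methods, as in the reply above,
# whose record names are the permitted methods and whose values are empty:
#
#   ltm data-group internal good_http_methods {
#       records {
#           GET { }
#           POST { }
#       }
#       type string
#   }

when HTTP_REQUEST {
    # HTTP method names are case-sensitive (RFC 7231), so match the method
    # exactly as received; lower-casing it first would never match the
    # upper-case record names. "--" keeps a method that begins with "-" from
    # being parsed as an option of "class match".
    set method [HTTP::method]

    if { [class match -- $method equals good_http_methods] } {
        # Permitted method: nothing else to do, the request goes on to the pool.
        return
    }

    # Build the Allow header from the data group so it never drifts from the
    # list that is actually enforced.
    set allowed [join [class names good_http_methods] ", "]

    # Log client, host, URI and method, not just the method, so the entry is
    # useful when you later ask "who has been sending PUT to this host?".
    log local0. "Rejected HTTP method \"$method\" from [IP::client_addr] for [HTTP::host][HTTP::uri]; allowed: $allowed"

    # Answer with 405 Method Not Allowed instead of a bare TCP reset. RFC 7231
    # requires an Allow header on a 405; "Connection: close" drops the client
    # connection once the response has been sent.
    HTTP::respond 405 content "Method Not Allowed\r\n" \
        "Allow" $allowed \
        "Content-Type" "text/plain" \
        "Connection" "close"
}
```

Two practical caveats. If the application or its monitors rely on HEAD, or browsers send CORS preflight requests (OPTIONS), add those records to the data group rather than special-casing them in the iRule; the Allow header follows automatically. And if you would rather give scanners nothing to work with, swap the `HTTP::respond` for the `reject` used in the thread: the allow-list logic and the log line stay the same.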