Forum Discussion
irule to block a non valid url
Hi,
we send web traffic to our F5 APM, this traffic is analyzed by an Elasticsearch server
Sometimes our APM receives an invalid http request that causes problems on our Elasticsearch server.
The URL contains a lot of special characters
Is there any idea for a rule to block such invalid requests?
correct
xxxx TECH_REQUEST w.x.y.z:42426 CONNECT vcsa.vmware.com:443 1 Internet_SrvUpdates 708b5c79 (ALLOWED_WILDCARD)
incorrect
xxxx TECH_REQUEST w.x.y.z :52900 ��_ ��[� ��+��>�©L��^'�9����&�,�+�$�#� 1 Internet_SrvUpdates 708b5c79 (BLOCKED_NO_WILDCARD_OR_TUPLE)
many thanks
2 Replies
- Injeyan_Kostas
Nacreous
Hello cg1603
From your example seems that host header is malformed alsoSo my first approach would be to accept only valid host header as a starting point with an irule like this
when HTTP_REQUEST { switch -- [string tolower [HTTP::host]] { "www.example.com" { # Valid Host — allow request return } default { log local0. "Blocked invalid Host: $host from [IP::client_addr]" HTTP::respond 403 content "Forbidden - Invalid Host" } } }
Hi,
I hope you are you are not getting this request on actual http traffic.You can write an iRule to inspect the first few bytes of the payload and drop anything that's clearly not a valid HTTP request.
Like, Checks if it starts with common HTTP methods (GET, POST, CONNECT, etc.). if its not block it. Sample like
Try the syntax as well when you write it in any test environment first pls-
when CLIENT_ACCEPTED {
TCP::collect 16
}when CLIENT_DATA {
# Extract first few bytes
set first_bytes [TCP::payload 16]# If it doesn't start with HTTP methods, it's probably invalid
if { !([string match -nocase "GET*" $first_bytes] ||
[string match -nocase "POST*" $first_bytes] ||
[string match -nocase "HEAD*" $first_bytes] ||
[string match -nocase "PUT*" $first_bytes] ||
[string match -nocase "OPTIONS*" $first_bytes] ||
[string match -nocase "DELETE*" $first_bytes] ||
[string match -nocase "CONNECT*" $first_bytes]) } {log local0. "Blocked invalid HTTP request from [IP::client_addr]:[TCP::client_port] - first bytes: $first_bytes"
reject
return
}# Allow valid request
TCP::release
}
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com