Forum Discussion

cg1603's avatar
cg1603
Icon for Nimbostratus rankNimbostratus
Jul 09, 2025

irule to block a non valid url

Hi,

we send web traffic to our F5 APM, this traffic is analyzed by an Elasticsearch server

Sometimes our APM receives an invalid http request that causes problems on our Elasticsearch server.

The URL contains a lot of special characters

Is there any idea for a rule to block such invalid requests?

correct
xxxx TECH_REQUEST w.x.y.z:42426 CONNECT vcsa.vmware.com:443 1 Internet_SrvUpdates 708b5c79 (ALLOWED_WILDCARD)

incorrect
xxxx TECH_REQUEST w.x.y.z :52900 ��_ ��[� ��+��>�©L��^'�9����&�,�+�$�#� 1 Internet_SrvUpdates 708b5c79 (BLOCKED_NO_WILDCARD_OR_TUPLE)

many thanks

2 Replies

  • Hello cg1603​ 
    From your example seems that host header is malformed also

    So my first approach would be to accept only valid host header as a starting point with an irule like this

    when HTTP_REQUEST 
    {
        switch -- [string tolower [HTTP::host]] 
    	{
            "www.example.com"
    		{
                # Valid Host — allow request
                return
            }
            default 
    		{
                log local0. "Blocked invalid Host: $host from [IP::client_addr]"
                HTTP::respond 403 content "Forbidden - Invalid Host"
            }
        }
    }

     

  • Hi,

     

    I hope you are you are not getting this request on actual http traffic.You can write an iRule to inspect the first few bytes of the payload and drop anything that's clearly not a valid HTTP request.

    Like, Checks if it starts with common HTTP methods (GET, POST, CONNECT, etc.). if its not block it. Sample like 

    Try the syntax as well when you write it in any test environment first pls- 

     

    when CLIENT_ACCEPTED {
        TCP::collect 16
    }

    when CLIENT_DATA {
        # Extract first few bytes
        set first_bytes [TCP::payload 16]

        # If it doesn't start with HTTP methods, it's probably invalid
        if { !([string match -nocase "GET*" $first_bytes] ||
               [string match -nocase "POST*" $first_bytes] ||
               [string match -nocase "HEAD*" $first_bytes] ||
               [string match -nocase "PUT*" $first_bytes] ||
               [string match -nocase "OPTIONS*" $first_bytes] ||
               [string match -nocase "DELETE*" $first_bytes] ||
               [string match -nocase "CONNECT*" $first_bytes]) } {

            log local0. "Blocked invalid HTTP request from [IP::client_addr]:[TCP::client_port] - first bytes: $first_bytes"
            reject
            return
        }

        # Allow valid request
        TCP::release
    }