For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

cg1603's avatar
cg1603
Icon for Nimbostratus rankNimbostratus
Jul 09, 2025

irule to block a non valid url

Hi, we send web traffic to our F5 APM, this traffic is analyzed by an Elasticsearch server Sometimes our APM receives an invalid http request that causes problems on our Elasticsearch server. The ...
irule
Aswin_mk's avatar
Aswin_mk
Icon for MVP rankMVP
Jul 15, 2025

Hi,

 

I hope you are you are not getting this request on actual http traffic.You can write an iRule to inspect the first few bytes of the payload and drop anything that's clearly not a valid HTTP request.

Like, Checks if it starts with common HTTP methods (GET, POST, CONNECT, etc.). if its not block it. Sample like 

Try the syntax as well when you write it in any test environment first pls- 

 

when CLIENT_ACCEPTED {
    TCP::collect 16
}

when CLIENT_DATA {
    # Extract first few bytes
    set first_bytes [TCP::payload 16]

    # If it doesn't start with HTTP methods, it's probably invalid
    if { !([string match -nocase "GET*" $first_bytes] ||
           [string match -nocase "POST*" $first_bytes] ||
           [string match -nocase "HEAD*" $first_bytes] ||
           [string match -nocase "PUT*" $first_bytes] ||
           [string match -nocase "OPTIONS*" $first_bytes] ||
           [string match -nocase "DELETE*" $first_bytes] ||
           [string match -nocase "CONNECT*" $first_bytes]) } {

        log local0. "Blocked invalid HTTP request from [IP::client_addr]:[TCP::client_port] - first bytes: $first_bytes"
        reject
        return
    }

    # Allow valid request
    TCP::release
}