spiv
Apr 27, 2020

iRule to Block HTTP POST if contains string

I would like an iRule that drops an HTTP POST if it contains a certain string. I think I can do something like the following, but not sure what statement to use to perform the actual dropping of the packet.

 

when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] contains "foo" ) and ( [HTTP::method] equals "POST" ) } {
        # Some logic to drop this traffic
        log local0. "HTTP POST contained string foo"
    }
}

3 Replies

    • spiv

      Hi Mayur,

       

      Thanks for your reply. I mean, to drop it if the HTTP POST contains the string (not the URI itself). Thanks, that link was helpful.

  • spiv

    I am trying to solve the same problem as the OP that Mayur pointed me to (which I just noticed even has the same exact problem string).

     

    https://devcentral.f5.com/s/question/0D51T00006i7hpJSAQ/irule-to-block-requests-with-specific-word

     

    I am wondering about the consequence of not limiting the Content-Length of the HTTP POST. When I use the limit, some users are unable to POST images. I could make the Content-Length limit larger, but what if I do not impose a limit at all? Is it vulnerable to DoS? For instance, I imagine TMM must store and parse the HTTP payload of every HTTP POST for a string. It seems possible to get many relatively large payloads in a short time. I don't know what the processor or memory constraints are (relative to a given iRule on a given virtual server). Is it dynamically allocated from a global resource pool to individual instances as needed, or does each individual virtual server or each iRule's TMM thread have a predefined resource allocation (I/O and mem)?
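
Added example, not code from any participant in this thread: one way to search the POST body for the string while capping how many bytes are buffered per request, so that larger uploads such as images still pass. The 1 MiB cap, the variable names and the needle "foo" are assumptions to adjust per application.

```tcl
when RULE_INIT {
    # Assumed values: inspect at most 1 MiB of each POST body, block on "foo"
    set static::max_inspect 1048576
    set static::needle "foo"
}

when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Start from the cap; this also covers requests without Content-Length
        set collect_len $static::max_inspect
        if { [HTTP::header exists "Content-Length"] } {
            set cl [HTTP::header value "Content-Length"]
            # Collect the whole body only when it is smaller than the cap
            if { [string is integer -strict $cl] && $cl < $collect_len } {
                set collect_len $cl
            }
        }
        # Buffer at most collect_len bytes. Bodies larger than the cap are not
        # refused, but only their first max_inspect bytes are searched.
        if { $collect_len > 0 } {
            HTTP::collect $collect_len
        }
    }
}

when HTTP_REQUEST_DATA {
    # Case-insensitive match against the collected part of the body
    if { [string tolower [HTTP::payload]] contains $static::needle } {
        log local0. "HTTP POST from [IP::client_addr] contained blocked string"
        # reject resets the connection; use drop to discard silently instead
        reject
        return
    }
    # Nothing matched: hand the buffered data back to normal processing
    HTTP::release
}
```

The trade-off is explicit: buffering per request is bounded by max_inspect, and a string that appears only after that offset in a larger body is not seen by this rule.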