Forum Discussion
Need to reject traffic based on header names not values
We have a need to reject traffic based on the case of the header names not header values.
For example: Let's say the header name is Trueheader. If a payload comes in with a header name of TRUEheader, it needs to be rejected.
I'm having difficulty capturing the header names to test the case. Is this possible with an iRule?
Thanks in advance for any assistance.
- rob_carr
Cirrocumulus
Yes, you can do this, via the HTTP::header names command, which returns a list of headers in the request or response, and then iterate through the list using the HTTP::headers count command and lindex.
I'm not sure about the overall efficiency (you'd have to test), but I would extract the list of header names and make a lowercase comparison to your check value (e.g. 'trueheader'). If and only if that comparison was valid, I would make a second check, comparing the actual case of the header name to your check value. If you match on the lowercase comparison, but not the actual case comparison, you know that you've come across a variant form of your header name and you can reject the configuration.
- Andy_McGrath
Cumulonimbus
Alternatively you can just use the HTTP::header exists command in your iRule, e.g.

    when HTTP_REQUEST {
        if { [HTTP::header exists "Trueheader"] } {
            # reject or redirect
            reject
        }
    }

Hi Rachel,
to check if a given request contains a badly formatted HTTP header name, you may use the iRule below. It first checks if the request does not contain the correctly formatted Trueheader. If a correctly formatted Trueheader is not found, it continues to check if an otherwise formatted TrUeHeAdEr exists in the request. If an otherwise formatted TrUeHeAdEr is found, it will send an HTTP-400 bad request to the client...

    when HTTP_REQUEST {
        # No exactly-cased "Trueheader", but some other-cased variant is present
        if { ( [lsearch -exact [HTTP::header names] "Trueheader"] == -1 )
         and ( [lsearch -exact [string tolower [HTTP::header names]] "trueheader"] >= 0 ) } then {
            HTTP::respond 400 content "BAD REQUEST"
            return
        }
    }

I guess it would also be a solution to transparently replace TrUeHeAdEr with Trueheader, isn't it? If so then you may check out the iRule below. Instead of sending an HTTP-400 bad request it will store the value of the otherwise formatted TrUeHeAdEr into a $trueheader variable, remove the TrUeHeAdEr and finally add a correctly formatted Trueheader with the value stored in the $trueheader variable.

    when HTTP_REQUEST {
        # No exactly-cased "Trueheader", but some other-cased variant is present
        if { ( [lsearch -exact [HTTP::header names] "Trueheader"] == -1 )
         and ( [lsearch -exact [string tolower [HTTP::header names]] "trueheader"] >= 0 ) } then {
            # Save the value, drop the variant, re-insert with the canonical name
            set trueheader [HTTP::header value "trueheader"]
            HTTP::header remove "trueheader"
            HTTP::header insert "Trueheader" $trueheader
        }
    }

Cheers, Kai
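
The two-step comparison rob_carr describes (case-insensitive match first, then exact comparison), written out as an iRule that walks every header name. This is an added example, not code from any poster in the thread; unlike the lsearch-based rules above, it also rejects a request that carries both Trueheader and a differently cased copy. The `canonical` list and the log message are assumptions.

```tcl
when HTTP_REQUEST {
    # Canonical spellings to enforce (assumption: extend this list as needed).
    set canonical [list "Trueheader"]

    # HTTP::header names returns the names as the client sent them,
    # so the original case is still available for comparison.
    foreach name [HTTP::header names] {
        foreach want $canonical {
            # Step 1: is this header some spelling of a name we care about?
            # Step 2: if so, does it differ from the canonical spelling?
            if { [string equal -nocase $name $want] && $name ne $want } {
                log local0. "Rejecting header-name case variant '$name' (expected '$want') from [IP::client_addr]"
                HTTP::respond 400 content "BAD REQUEST"
                # Stop processing this event so HTTP::respond is called only once.
                return
            }
        }
    }
}
```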