Disabling HTTP Processing For Unrecognized HTTP Methods

Problem this snippet solves:

The iRule below disables HTTP processing for requests using HTTP methods that are not recognized by the BIG-IP HTTP profile. For example, Web-based Distributed Authoring and Versioning (WebDAV) uses the following extended HTTP methods: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK. Requests using one of these methods may provoke the behavior described in AskF5 SOL7581: https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7581.html?sr=2105288 Unrecognized HTTP methods without a specified content-length or chunking header can cause the connection to stall . Use of these or other methods not described in RFC2616 (HTTP/1.1) may require an iRule similar to the following associated with the virtual server which disables further HTTP processing when they are seen.

How to use this snippet:

Note: You may have to disable the "HTTP::enable" command with a comment if using the iRule on an APM protected virtual service.

Code :

when CLIENT_ACCEPTED {
   # Enable HTTP processing for all requests by default
   HTTP::enable
}
when HTTP_REQUEST {
   # selectively disable HTTP processing for specific request methods
   switch [HTTP::method] {
      "MOVE" -
      "COPY" -
      "LOCK" -
      "UNLOCK" -
      "PROPFIND" -
      "PROPPATCH" -
      "MKCOL" { HTTP::disable }
   }
}
Published Jan 30, 2015
Version 1.0
application delivery
devops
http
iRules
  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Dec 16, 2016

    Using this iRule has one limitation for IIS servers acting as a WebDAV distribution point with SSL Offloading on BIG-IP enabled. When SSL Offloading on BIG-IP is enabled and client uses COPY/MOVE method there is a header with name "Destination" that starts with https (because client is connecting to WebDAV with SSL). IIS does not recognises that destination because servers are running as HTTP and expecting http appended string in "Destination" header

    Here are my fixed iRule:

     Works for TMOS 11.6.0+
 https://support.f5.com/csp//article/K13285

 Make this iRule to be called the last one because of the HTTP::disable
priority 700

when CLIENT_ACCEPTED
{
     Enable HTTP processing for all requests by default
    HTTP::enable
}

when HTTP_REQUEST
{
     Selectively disable HTTP processing for specific request methods
    switch [HTTP::method]
    {
        "COPY" -
        "MOVE"
        {
             Replace Destination header with http if using SSL Offloading
            if { [HTTP::header Destination] starts_with "https" }
            {
                HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
            }

            HTTP::disable
        }
        "MKCOL" -
        "PROPPATCH"
        {
            HTTP::disable
        }
   }
}
  • Jason_Adams's avatar
    Jason_Adams
    Icon for Employee rankEmployee
    Mar 09, 2017

    OPTIONS should be added to the switch statement:

    The Linked DevCentral Article needs to be updated to include 'OPTIONS' HTTP Request Method.

    when HTTP_REQUEST {
    selectively disable HTTP processing for specific request methods
   switch [HTTP::method] {
      "MOVE" -
      "COPY" -
      "LOCK" -
      "UNLOCK" -
      "OPTIONS" -
      "PROPFIND" -
      "PROPPATCH" -
      "MKCOL" { HTTP::disable }
   }
}
  • Roy_Jee's avatar
    Roy_Jee
    Icon for Nimbostratus rankNimbostratus
    Sep 04, 2019

    How can we disable HTTP HEAD method as per PCI compliance