For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Disabling HTTP Processing For Unrecognized HTTP Methods

Problem this snippet solves: The iRule below disables HTTP processing for requests using HTTP methods that are not recognized by the BIG-IP HTTP profile. For example, Web-based Distributed Authorin...
Published Jan 30, 2015
Version 1.0
application delivery
devops
http
iRules
Vladimir_Akhmarov's avatar
Vladimir_Akhmarov
Icon for Cirrus rankCirrus
Dec 16, 2016

Using this iRule has one limitation for IIS servers acting as a WebDAV distribution point with SSL Offloading on BIG-IP enabled. When SSL Offloading on BIG-IP is enabled and client uses COPY/MOVE method there is a header with name "Destination" that starts with https (because client is connecting to WebDAV with SSL). IIS does not recognises that destination because servers are running as HTTP and expecting http appended string in "Destination" header

Here are my fixed iRule:

 Works for TMOS 11.6.0+
 https://support.f5.com/csp//article/K13285

 Make this iRule to be called the last one because of the HTTP::disable
priority 700

when CLIENT_ACCEPTED
{
     Enable HTTP processing for all requests by default
    HTTP::enable
}

when HTTP_REQUEST
{
     Selectively disable HTTP processing for specific request methods
    switch [HTTP::method]
    {
        "COPY" -
        "MOVE"
        {
             Replace Destination header with http if using SSL Offloading
            if { [HTTP::header Destination] starts_with "https" }
            {
                HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
            }

            HTTP::disable
        }
        "MKCOL" -
        "PROPPATCH"
        {
            HTTP::disable
        }
   }
}