Disabling HTTP Processing For Unrecognized HTTP Methods
Problem this snippet solves:
The iRule below disables HTTP processing for requests using HTTP methods that are not recognized by the BIG-IP HTTP profile. For example, Web-based Distributed Authoring and Versioning (WebDAV) uses the following extended HTTP methods: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK. Requests using one of these methods may provoke the behavior described in AskF5 SOL7581, "Unrecognized HTTP methods without a specified content-length or chunking header can cause the connection to stall": https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7581.html?sr=2105288
Use of these or other methods not described in RFC2616 (HTTP/1.1) may require an iRule similar to the following, associated with the virtual server, which disables further HTTP processing when they are seen.
How to use this snippet:
Note: You may have to disable the "HTTP::enable" command with a comment if using the iRule on an APM protected virtual service.
Code:
    when CLIENT_ACCEPTED {
        # Enable HTTP processing for all requests by default
        HTTP::enable
    }
    when HTTP_REQUEST {
        # selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "MOVE" -
            "COPY" -
            "LOCK" -
            "UNLOCK" -
            "PROPFIND" -
            "PROPPATCH" -
            "MKCOL" {
                HTTP::disable
            }
        }
    }
Published Jan 30, 2015
Version 1.0
Deb_Allen_18
Historic F5 Account
Joined September 25, 2004
- Roy_Jee (Nimbostratus)
How can we disable the HTTP HEAD method as per PCI compliance?
- Jason_Adams (Employee)
OPTIONS should be added to the switch statement:
The Linked DevCentral Article needs to be updated to include 'OPTIONS' HTTP Request Method.
    when HTTP_REQUEST {
        # selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "MOVE" -
            "COPY" -
            "LOCK" -
            "UNLOCK" -
            "OPTIONS" -
            "PROPFIND" -
            "PROPPATCH" -
            "MKCOL" {
                HTTP::disable
            }
        }
    }
Using this iRule has one limitation for IIS servers acting as a WebDAV distribution point with SSL Offloading on BIG-IP enabled. When SSL Offloading on BIG-IP is enabled and a client uses the COPY/MOVE method, there is a header named "Destination" that starts with https (because the client is connecting to WebDAV with SSL). IIS does not recognise that destination because the servers are running as HTTP and are expecting an http appended string in the "Destination" header.
Here is my fixed iRule:
    # Works for TMOS 11.6.0+
    # https://support.f5.com/csp//article/K13285
    # Make this iRule to be called the last one because of the HTTP::disable
    priority 700
    when CLIENT_ACCEPTED {
        # Enable HTTP processing for all requests by default
        HTTP::enable
    }
    when HTTP_REQUEST {
        # Selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "COPY" -
            "MOVE" {
                # Replace Destination header with http if using SSL Offloading
                if { [HTTP::header Destination] starts_with "https" } {
                    HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
                }
                HTTP::disable
            }
            "MKCOL" -
            "PROPPATCH" {
                HTTP::disable
            }
        }
    }
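The COPY/MOVE branch of the fixed iRule above rewrites the Destination header with `string map -nocase {https http}`, which replaces every occurrence of "https" in the value, not only the scheme. The Python model below is an added example, not code from this thread or from F5; the function names and the constructed Destination values are assumptions. It compares that whole-value replacement with a scheme-only rewrite.

```python
import re
from urllib.parse import urlsplit


def rewrite_like_irule(destination: str) -> str:
    """Model of the COPY/MOVE branch in the thread's iRule:
    `starts_with "https"` guard (treated as case-sensitive here), then
    `string map -nocase {https http}` over the whole header value."""
    if not destination.startswith("https"):
        return destination
    return re.sub("https", "http", destination, flags=re.IGNORECASE)


def rewrite_scheme_only(destination: str) -> str:
    """Change only the URI scheme; host, path and query are not searched."""
    parts = urlsplit(destination)
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return destination
    return parts._replace(scheme="http").geturl()


# Constructed Destination header values (not taken from real traffic).
SAMPLES = [
    "https://dav.example.com/docs/report.docx",
    "https://dav.example.com/docs/https-migration.txt",
    "https://https-dav.example.com/f.txt",
    "/docs/report.docx",
]


def divergent(samples):
    """Return (input, whole-value result, scheme-only result) where they differ."""
    rows = []
    for dest in samples:
        mapped, scoped = rewrite_like_irule(dest), rewrite_scheme_only(dest)
        if mapped != scoped:
            rows.append((dest, mapped, scoped))
    return rows


if __name__ == "__main__":
    for dest, mapped, scoped in divergent(SAMPLES):
        print(f"{dest}\n  whole-value: {mapped}\n  scheme-only: {scoped}")
```

In the iRule itself, the same anchoring can be expressed by applying Tcl's `regsub -nocase {^https://}` to the header value instead of `string map`.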
- JRahm (Admin)
Contributed by deb.