Disabling HTTP Processing For Unrecognized HTTP Methods

Problem this snippet solves:

The iRule below disables HTTP processing for requests that use HTTP methods not recognized by the BIG-IP HTTP profile. For example, Web-based Distributed Authoring and Versioning (WebDAV) uses the following extended HTTP methods: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK. Requests using one of these methods may provoke the behavior described in AskF5 SOL7581, "Unrecognized HTTP methods without a specified content-length or chunking header can cause the connection to stall" (https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7581.html?sr=2105288). Use of these or other methods not described in RFC 2616 (HTTP/1.1) may require an iRule similar to the following, associated with the virtual server, which disables further HTTP processing when such a method is seen.

How to use this snippet:

Note: You may have to comment out the "HTTP::enable" command if you use the iRule on an APM-protected virtual service.

Code:

when CLIENT_ACCEPTED {
   # Enable HTTP processing for all requests by default
   HTTP::enable
}
when HTTP_REQUEST {
   # selectively disable HTTP processing for specific request methods
   switch [HTTP::method] {
      "MOVE" -
      "COPY" -
      "LOCK" -
      "UNLOCK" -
      "PROPFIND" -
      "PROPPATCH" -
      "MKCOL" { HTTP::disable }
   }
}
Published Jan 30, 2015
Version 1.0
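
To see which methods clients send in the condition named in the SOL7581 title (a method outside RFC 2616 with neither a Content-Length nor a chunked Transfer-Encoding header), the following added Python example, which is not part of the original codeshare entry, classifies raw request heads. The recognized-method set, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example. Assumption: the HTTP profile recognizes only RFC 2616 methods.
RFC2616_METHODS = frozenset("OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT".split())


def parse_head(raw: bytes):
    """Return (method, headers) for a raw request; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], headers


def classify(raw: bytes, recognized=RFC2616_METHODS) -> str:
    """Return 'recognized', 'unrecognized-framed' or 'unrecognized-unframed'."""
    method, headers = parse_head(raw)
    if method in recognized:
        return "recognized"
    chunked = any("chunked" in v.lower()
                  for v in headers.get("transfer-encoding", []))
    framed = "content-length" in headers or chunked
    return "unrecognized-framed" if framed else "unrecognized-unframed"


def stall_candidates(requests, recognized=RFC2616_METHODS):
    """Sorted methods seen at least once in the unframed (stall) condition."""
    return sorted({parse_head(r)[0] for r in requests
                   if classify(r, recognized) == "unrecognized-unframed"})


# Constructed sample requests, not captured traffic.
HOST = b"Host: dav.example.test\r\n"
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n" + HOST + b"\r\n",
    b"PROPFIND /docs/ HTTP/1.1\r\n" + HOST + b"Depth: 1\r\nContent-Length: 0\r\n\r\n",
    b"MKCOL /docs/new/ HTTP/1.1\r\n" + HOST + b"\r\n",
    b"UNLOCK /docs/a.txt HTTP/1.1\r\n" + HOST + b"Lock-Token: <constructed>\r\n\r\n",
    b"PROPPATCH /a HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
]

if __name__ == "__main__":
    print("stall candidates:", stall_candidates(SAMPLES))
```

Methods reported by `stall_candidates` are the ones to review against the `switch` list in the iRule; pass a different `recognized` set if the profile on your TMOS version differs from the assumed one.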
  • How can we disable the HTTP HEAD method as per PCI compliance?

  • OPTIONS should be added to the switch statement:

    The linked DevCentral article needs to be updated to include the 'OPTIONS' HTTP request method.

    when HTTP_REQUEST {
       # selectively disable HTTP processing for specific request methods
       switch [HTTP::method] {
          "MOVE" -
          "COPY" -
          "LOCK" -
          "UNLOCK" -
          "OPTIONS" -
          "PROPFIND" -
          "PROPPATCH" -
          "MKCOL" { HTTP::disable }
       }
    }
    
  • Using this iRule has one limitation for IIS servers acting as a WebDAV distribution point with SSL Offloading on BIG-IP enabled. When SSL Offloading on BIG-IP is enabled and the client uses the COPY/MOVE method, there is a header named "Destination" that starts with https (because the client is connecting to WebDAV with SSL). IIS does not recognise that destination because the servers are running as HTTP and are expecting an http appended string in the "Destination" header.

    Here is my fixed iRule:

    # Works for TMOS 11.6.0+
    # https://support.f5.com/csp//article/K13285

    # Run this iRule last because of the HTTP::disable
    priority 700

    when CLIENT_ACCEPTED {
        # Enable HTTP processing for all requests by default
        HTTP::enable
    }

    when HTTP_REQUEST {
        # Selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "COPY" -
            "MOVE" {
                # Replace Destination header with http if using SSL Offloading
                if { [HTTP::header Destination] starts_with "https" } {
                    # Rewrite only the leading scheme so that "https" elsewhere in the URL is left intact
                    HTTP::header replace Destination "http[string range [HTTP::header value Destination] 5 end]"
                }

                HTTP::disable
            }
            "MKCOL" -
            "PROPPATCH" {
                HTTP::disable
            }
        }
    }