Deb_Allen_18
Historic F5 Account

Problem this snippet solves:

The iRule below disables HTTP processing for requests using HTTP methods that are not recognized by the BIG-IP HTTP profile. For example, Web-based Distributed Authoring and Versioning (WebDAV) uses the following extended HTTP methods: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK. Requests using one of these methods may provoke the behavior described in AskF5 SOL7581, "Unrecognized HTTP methods without a specified content-length or chunking header can cause the connection to stall" (https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7581.html?sr=2105288). Use of these or other methods not described in RFC 2616 (HTTP/1.1) may require an iRule similar to the following, associated with the virtual server, which disables further HTTP processing when they are seen.

How to use this snippet:

Note: You may have to disable the "HTTP::enable" command with a comment if using the iRule on an APM protected virtual service.

Code :

when CLIENT_ACCEPTED {
   # Enable HTTP processing for all requests by default
   HTTP::enable
}
when HTTP_REQUEST {
   # selectively disable HTTP processing for specific request methods
   switch [HTTP::method] {
      "MOVE" -
      "COPY" -
      "LOCK" -
      "UNLOCK" -
      "PROPFIND" -
      "PROPPATCH" -
      "MKCOL" { HTTP::disable }
   }
}
Comments
JRahm
Community Manager
Contributed by deb.
akhmarov
Altostratus

Using this iRule has one limitation for IIS servers acting as a WebDAV distribution point with SSL Offloading on BIG-IP enabled. When SSL Offloading on BIG-IP is enabled and the client uses the COPY/MOVE method, there is a header named "Destination" that starts with https (because the client is connecting to WebDAV with SSL). IIS does not recognise that destination because the servers are running as HTTP and expect an http appended string in the "Destination" header.

Here is my fixed iRule:

# Works for TMOS 11.6.0+
# https://support.f5.com/csp//article/K13285
# Make this iRule to be called the last one because of the HTTP::disable
priority 700
when CLIENT_ACCEPTED {
   # Enable HTTP processing for all requests by default
   HTTP::enable
}
when HTTP_REQUEST {
   # Selectively disable HTTP processing for specific request methods
   switch [HTTP::method] {
      "COPY" -
      "MOVE" {
         # Replace Destination header with http if using SSL Offloading
         if { [HTTP::header Destination] starts_with "https" } {
            HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
         }
         HTTP::disable
      }
      "MKCOL" -
      "PROPPATCH" {
         HTTP::disable
      }
   }
}
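
A variant of the Destination rewrite in the comment above, added here as an example and not part of any poster's code. `string map -nocase {https http}` replaces every occurrence of "https" in the header value, so a destination path that itself contains that string is altered too; this version rewrites only the leading scheme and logs each request it switches to pass-through. The method list mirrors the comment above, and the `local0.` facility and log message format are assumptions.

```tcl
# Run after iRules at the default priority (500), since HTTP::disable
# stops further HTTP processing on the connection
priority 700

when CLIENT_ACCEPTED {
   # Enable HTTP processing for all requests by default
   HTTP::enable
}

when HTTP_REQUEST {
   switch [HTTP::method] {
      "COPY" -
      "MOVE" {
         set dest [HTTP::header value Destination]
         # Rewrite only a leading "https://" (8 characters). The rest of the
         # URL, including any path segment that contains "https", is kept.
         if { [string match -nocase "https://*" $dest] } {
            HTTP::header replace Destination "http://[string range $dest 8 end]"
         }
         # Record which requests leave HTTP processing (assumed log format)
         log local0. "WebDAV pass-through: [HTTP::method] from [IP::client_addr]"
         HTTP::disable
      }
      "MKCOL" -
      "PROPPATCH" {
         log local0. "WebDAV pass-through: [HTTP::method] from [IP::client_addr]"
         HTTP::disable
      }
   }
}
```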
Jason_Adams
F5 Employee

OPTIONS should be added to the switch statement:

 

The Linked DevCentral Article needs to be updated to include 'OPTIONS' HTTP Request Method.

when HTTP_REQUEST {
   # selectively disable HTTP processing for specific request methods
   switch [HTTP::method] {
      "MOVE" -
      "COPY" -
      "LOCK" -
      "UNLOCK" -
      "OPTIONS" -
      "PROPFIND" -
      "PROPPATCH" -
      "MKCOL" { HTTP::disable }
   }
}
Roy_Jee
Nimbostratus

How can we disable the HTTP HEAD method as per PCI compliance?

Version history
Last update: 30-Jan-2015 04:38