In last week’s article in the What is HTTP? series, we covered the basic settings of the HTTP profile. This week, we’ll cover the enforcement parameters available in the profile, again focusing strictly on the reverse proxy mode profile options.
In TMOS version 12.1, the enforcement parameters are as follows (default values shown.)
Allow Truncated Redirect
This is a simple toggle that controls how BIG-IP handles a redirect response that is missing its trailing CRLF. By default the setting is disabled and such a redirect is dropped silently; enable it only if you know a server behind the virtual emits these and the clients need to see them.
Maximum Header Size & Count
The HTTP specification does not dictate a maximum header size, and the servers you are likely to front all pick different limits. Note what the BIG-IP setting measures: not one header, but the request line and all headers combined. The BIG-IP default is 32k. Apache defaults to 8k, nginx to 4k-8k depending on version, IIS to 8k-16k, and Tomcat to 8k-48k, with the caveat that most of those limits apply per line (the request line or a single header field) rather than to the aggregate as BIG-IP's does, so the comparison is approximate. Even so, if a virtual is fronting any of these servers other than possibly Tomcat, you can dial the profile default down significantly without affecting the servers. There is a behavior difference to be aware of. Most servers return a 4xx status when the limit is exceeded, and I've seen 400, 404, and 413 offered up (RFC 6585 defines 431 Request Header Fields Too Large for exactly this case). Don't you love standards? BIG-IP instead resets the TCP connection, so from the client's point of view an oversized request looks like a dropped connection rather than an HTTP error, which is worth remembering when you are troubleshooting. You can also limit individual header sizes in iRules, which has been done in various rules written to provide 0day mitigations in advance of application server patches.
The maximum header count is simply that: the number of headers allowed in a request. The default is 64, so a request with up to 64 headers is fine, and one with 65 or more is not.
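To make the accounting concrete, here is an added example (my code, not F5's) that measures a raw request the way the profile does, request line plus all header lines counted together, applies the 32k and 64 defaults plus an optional per-header cap of the kind an iRule adds, and can bisect against a plaintext virtual to find the size at which it stops answering with an HTTP status. The exact byte accounting on a real BIG-IP (for instance whether the terminating CRLFs count) is an assumption, as is treating a reset or an empty read as the profile rejecting the request; the host and port are placeholders.

```python
"""Model and probe HTTP profile header limits.

Added example, not F5 code. Assumptions: the header block is measured from
the first byte of the request line through the blank line that ends the
headers (a real BIG-IP may count a CRLF or two differently), and a TCP reset
or an empty read with no HTTP status is taken as the device rejecting the
request. The probe speaks plaintext HTTP only.
"""
from __future__ import annotations
import socket

MAX_HEADER_BYTES = 32768   # profile default: request line + all headers, 32k
MAX_HEADER_COUNT = 64      # profile default: 65 or more headers is rejected


def header_block(raw: bytes) -> tuple[int, int, list[bytes]]:
    """Return (block_bytes, header_count, header_lines) for one raw request."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("header block is not terminated by CRLF CRLF")
    block = raw[: end + 4]
    lines = [ln for ln in block.split(b"\r\n")[1:] if ln]  # drop request line and empties
    return len(block), len(lines), lines


def check_limits(raw: bytes, max_bytes: int = MAX_HEADER_BYTES,
                 max_count: int = MAX_HEADER_COUNT, max_single: int | None = None) -> str:
    """Classify a request: 'ok', 'size', 'count', or 'single:<header-name>'.

    max_single is a per-header value cap, the extra check an iRule would add;
    the profile itself only has the aggregate size and the count.
    """
    size, count, lines = header_block(raw)
    if size > max_bytes:
        return "size"
    if count > max_count:
        return "count"
    if max_single is not None:
        for line in lines:
            name, _, value = line.partition(b":")
            if len(value.strip()) > max_single:
                return "single:" + name.strip().lower().decode("ascii", "replace")
    return "ok"


def padded_request(total_bytes: int, host: str = "app.example.test") -> bytes:
    """Build a GET whose request line + headers total exactly total_bytes.

    All padding goes into one X-Pad header, so the request carries 3 headers.
    """
    head = (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\nX-Pad: ").encode("ascii")
    tail = b"\r\n\r\n"
    pad = total_bytes - len(head) - len(tail)
    if pad < 0:
        raise ValueError(f"total_bytes must be at least {len(head) + len(tail)}")
    return head + b"a" * pad + tail


def response_status(data: bytes) -> int | None:
    """Status code from the first line of a response, or None if it is not HTTP."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe_once(host: str, port: int, total_bytes: int, timeout: float = 5.0) -> tuple[str, int | None]:
    """Network: send one padded request. Returns ('status', code) or ('rejected', None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(padded_request(total_bytes, host))
            data = s.recv(4096)
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        return ("rejected", None)
    code = response_status(data)
    return ("status", code) if code is not None else ("rejected", None)


def find_limit(host: str, port: int, lo: int = 1024, hi: int = 65536) -> int:
    """Network: bisect for the largest header block that still gets an HTTP status.

    Assumes lo is accepted and hi is rejected by the virtual under test.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe_once(host, port, mid)[0] == "status":
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Offline demonstration of the limit semantics on constructed requests.
    print(check_limits(padded_request(1000)))                   # ok
    print(check_limits(padded_request(40000)))                  # size
    print(check_limits(padded_request(9000), max_single=8192))  # single:x-pad
    # Live probe against a virtual you own (placeholder address):
    # print(find_limit("10.0.0.10", 80))
```

Run the live probe twice, once against the virtual and once directly against a pool member, and the difference between the two answers tells you which limit is actually protecting the server.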
Pipeline Action
The pipeline action is another simple toggle that allows or rejects new requests from a client when its previous requests on the same connection have not yet received a response. What is pipelining, you ask? It is the HTTP/1.1 feature that lets a client send several requests over one persistent connection without waiting for each response, with the server obliged to answer them in the order received. Think of a telephone conversation: you ask a question or make a comment, and the person on the other end responds. That is the behavior you see without pipelining. Now think of a debate you've observed, where one debater lays out a ten-part question, typically all at once. After he has made all his statements or posed all his questions, the other debater handles them in order. That is the behavior you see with pipelining. The pipeline action setting is where the moderator in the debate would step in and allow or refuse the first debater any more statements or questions until the second debater had responded. Lori MacVittie shared a good visual of pipelining behavior in her article on the security risks inherent in allowing pipelining (shown below).
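The debate analogy is easier to see on the wire. The following is an added example (my code, not from the article or from F5) that builds a pipelined batch of requests, splits a response stream back into individual answers in order, and can count how many of a pipelined batch a virtual actually answers before closing the connection. It assumes responses carry Content-Length (no chunked encoding, no bodiless HEAD/204/304 special cases) and that a proxy refusing pipelining simply answers fewer requests than were sent; host, port and paths are placeholders.

```python
"""Pipelined requests on the wire, and a client that counts the answers.

Added example, not F5 code. Assumptions: responses carry Content-Length (no
chunked encoding, no HEAD/204/304 bodiless special cases), and a proxy that
refuses pipelining answers fewer requests than were sent, typically by
closing the connection after the first response.
"""
from __future__ import annotations
import socket


def pipelined_requests(host: str, paths: list[str]) -> bytes:
    """All requests in one buffer, sent back to back without waiting for replies."""
    out = []
    for i, path in enumerate(paths):
        conn = "close" if i == len(paths) - 1 else "keep-alive"
        out.append(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Connection: {conn}\r\n\r\n".encode("ascii"))
    return b"".join(out)


def split_responses(stream: bytes) -> list[tuple[int, bytes]]:
    """Cut one byte stream into complete (status, body) responses, in order.

    HTTP/1.1 requires pipelined responses to come back in request order, so
    the client only has to walk the stream front to back.
    """
    out, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = stream[pos:end].split(b"\r\n")
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body_start = end + 4
        if len(stream) < body_start + length:
            break  # trailing partial response: not counted
        out.append((int(head[0].split(b" ")[1]), stream[body_start:body_start + length]))
        pos = body_start + length
    return out


def count_answered(host: str, port: int, paths: list[str], timeout: float = 5.0) -> int:
    """Network: send the pipeline, read until the peer closes, count complete responses."""
    buf = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pipelined_requests(host, paths))
        while True:
            try:
                chunk = s.recv(65536)
            except (socket.timeout, ConnectionResetError):
                break
            if not chunk:
                break
            buf += chunk
    return len(split_responses(bytes(buf)))


# Constructed sample: what a server that accepted two pipelined GETs sends back.
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
                 b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(pipelined_requests("app.example.test", ["/", "/health"]).decode())
    print(split_responses(SAMPLE_STREAM))  # [(200, b'hello'), (404, b'')]
    # Live, against a virtual you own (placeholder address):
    # print(count_answered("10.0.0.10", 80, ["/", "/", "/"]))
```

With the pipeline action set to allow, count_answered returns the number of paths sent; with it set to reject, you should see the count drop, which is a quick way to confirm the profile is attached to the virtual you think it is.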
Unknown Method & Enabled Methods
These settings let you close off request types your application was never meant to serve. If your application is a simple GET/POST application, there is no need to allow anything else: set the unknown method action to reject and remove everything but GET and POST from the enabled methods, and the virtual stops forwarding methods the server might mishandle. Two caveats. First, check your access logs before you lock this down, because CORS preflights use OPTIONS and many health monitors and load testers use HEAD, and they will break if you remove them. Second, managing these settings means keeping a tight communicative relationship with your application team, so that as the application evolves new methods are not introduced without a matching profile adjustment.
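After tightening the method list it pays to verify from the outside rather than trust the GUI. Here is an added example (my code, not from the article or from F5) that sends each method in a list to a plaintext virtual, records the status it gets back, and reports any method outside your intended allow-list that still gets a non-error answer. Treating a reset or a non-HTTP reply as the profile's reject action is an assumption, the sample result dictionary is constructed, and host, port and the made-up BREW method are placeholders.

```python
"""Check from outside which methods a virtual still answers.

Added example, not F5 code. Host, port and the method list are placeholders;
a TCP reset or a non-HTTP reply is recorded as 'rejected', which is an
assumption about how the profile's reject action shows up on the wire.
"""
from __future__ import annotations
import socket

PROBE_METHODS = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE",
                 "TRACE", "PATCH", "PROPFIND", "BREW"]  # BREW is made up: must hit the unknown-method action


def request_for(method: str, host: str, path: str = "/") -> bytes:
    """One minimal request; methods that normally carry a body get a tiny one."""
    body = b"a=1" if method in ("POST", "PUT", "PATCH") else b""
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return head + body


def status_of(data: bytes) -> int | None:
    """Status code from a response's first line, or None if it is not HTTP."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe_methods(host: str, port: int, methods: list[str] = PROBE_METHODS,
                  timeout: float = 5.0) -> dict[str, int | str]:
    """Network: one fresh connection per method, status code or 'rejected' each."""
    results: dict[str, int | str] = {}
    for m in methods:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(request_for(m, host))
                code = status_of(s.recv(4096))
        except (ConnectionResetError, BrokenPipeError, socket.timeout):
            code = None
        results[m] = code if code is not None else "rejected"
    return results


def leaks(results: dict[str, int | str], allowed: set[str]) -> list[str]:
    """Methods outside the allow-list that still got a non-error HTTP answer."""
    return sorted(m for m, st in results.items()
                  if m not in allowed and isinstance(st, int) and st < 400)


# Constructed sample result, as if the profile were still letting TRACE through.
SAMPLE = {"GET": 200, "POST": 200, "HEAD": 200, "OPTIONS": 405, "PUT": 405,
          "DELETE": 405, "TRACE": 200, "PATCH": "rejected",
          "PROPFIND": "rejected", "BREW": "rejected"}

if __name__ == "__main__":
    print(leaks(SAMPLE, {"GET", "POST"}))  # ['HEAD', 'TRACE']
    # Live, against a virtual you own (placeholder address):
    # print(leaks(probe_methods("10.0.0.10", 80), {"GET", "POST"}))
```

In the sample, HEAD shows up as a leak only because it is not in the allow-list you passed; if your monitors depend on it, add it to the allow-list and to the profile's enabled methods rather than to the report.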
The remaining settings are not enforcement settings, but they round out the reverse proxy section of the HTTP profile, so I am including them here.
sFlow
sFlow is a scalable packet sampling technology that lets you observe traffic patterns for performance, troubleshooting, billing, and security purposes. The two settings in the HTTP profile are the polling interval and the sampling rate. The polling interval is the maximum time between counter polls, and the sampling rate is the ratio of packets observed to samples generated. With the defaults of 10 seconds and 1024 respectively, the counters are polled at most 10 seconds apart and, on average, one randomly chosen packet in every 1024 is sampled. You can specify the sampling rate and polling interval here in the profile, or accept the default, which inherits the HTTP settings specified under System->sFlow->Global Settings.
HTTP Strict Transport Security
Strict Transport Security (HSTS) is a response header, Strict-Transport-Security, that instructs the browser to reach that domain only over HTTPS: any http:// link or typed URL for the domain is rewritten to https:// before the request leaves the browser, and certificate errors can no longer be clicked through. Two points matter for a reverse proxy. The browser honors the header only when it arrives over HTTPS with a valid certificate, so it belongs on the SSL virtual and does nothing on a plain HTTP one; and every HTTPS response that carries the header restarts the timer. HSTS is one of those settings that began as an iRule (a simple header insertion on client responses) and later became part of the product. You enable it by checking the Mode box. The Maximum Age setting is in seconds and the default is about six months. The Include Subdomains checkbox, if enabled, tells the browser to apply the same rule to every subdomain, which may or may not be desirable.
Include subdomains can be dangerous! Say you want to enable HSTS on the domain test.local because it is SSL-enabled, but you forget that you also have an HTTP-only site called suckstobeyou.test.local. If you checked the include subdomains box, any client that visits test.local will be unable to reach the subdomain until the policy is cleared from the browser or the max age expires, and since every visit to test.local refreshes the timer, a six-month default means you have effectively bricked your own subdomain! The only remedy is to serve a corrected header from test.local over HTTPS (without Include Subdomains, or with a max age of 0 to clear the policy entirely) and wait for clients to come back and pick it up. Be careful!
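To catch that mistake before the header ships, here is an added example (my code, not from the article or from F5) that parses a Strict-Transport-Security header the way a browser does, checks a constructed inventory of subdomains for ones that do not serve valid HTTPS, and includes live helpers to fetch the header over HTTPS (the only transport on which a browser will honor it) and to test each subdomain's TLS. The inventory and hostnames are constructed for the scenario above, and the 16070400-second value used as the profile's default max-age is an assumption.

```python
"""Parse a Strict-Transport-Security header and find subdomains that
includeSubDomains would cut off.

Added example, not F5 code. The subdomain inventory is constructed; the
two live helpers need network access. DEFAULT_MAX_AGE is an assumed value
for the profile default (about six months).
"""
from __future__ import annotations
import http.client
import socket
import ssl

DEFAULT_MAX_AGE = 16070400  # assumed profile default, roughly six months


def parse_hsts(value: str) -> dict:
    """RFC 6797 directives; names are case-insensitive.

    A header without a numeric max-age is invalid and browsers ignore it,
    so max_age stays None in that case.
    """
    policy: dict = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def cut_off_subdomains(policy: dict, inventory: dict[str, bool]) -> list[str]:
    """Hosts in {name: serves_valid_https} that a browser honouring this
    policy could no longer reach, because it will refuse plain HTTP to them."""
    if not policy["max_age"] or not policy["include_subdomains"]:
        return []
    return sorted(host for host, https_ok in inventory.items() if not https_ok)


def fetch_hsts(host: str, path: str = "/", timeout: float = 5.0) -> str | None:
    """Network: the header as a browser would see it, i.e. only over HTTPS."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def serves_valid_https(host: str, timeout: float = 5.0) -> bool:
    """Network: True only if a TLS handshake with a certificate valid for host succeeds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            return True
    except (OSError, ssl.SSLError):
        return False


# Constructed inventory for the scenario in the article.
INVENTORY = {"www.test.local": True, "suckstobeyou.test.local": False}

if __name__ == "__main__":
    header = f"max-age={DEFAULT_MAX_AGE}; includeSubDomains"
    print(cut_off_subdomains(parse_hsts(header), INVENTORY))  # ['suckstobeyou.test.local']
    # Live, once the header is deployed:
    # policy = parse_hsts(fetch_hsts("test.local") or "")
    # inventory = {h: serves_valid_https(h) for h in INVENTORY}
    # print(cut_off_subdomains(policy, inventory))
```

A non-empty result means either the subdomain needs a certificate before you tick Include Subdomains, or the box has to stay unticked; a max-age of 0 parses as no policy, which is what the clearing header described above relies on.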