
Help with iRule to delete an empty name header or allow HTTP malformed header

Ivan_383
Nimbostratus

Hello guys, I hope you can help me. The scenario is as follows: we are replacing a Brocade ADX with an F5 BIGIP, and the scenario is like this:

Currently there is: Client -> PROXY security solution -> BROCADE ADX -> REAL SERVER

What we want is: Client -> PROXY security solution -> F5 BIGIP -> REAL SERVER

But what is happening is that when the request comes from the PROXY, it comes with some additional headers, and among those headers there is an empty-name header. I mean it is a header without a name; the header comes just like this: ":"

 

  Sec-Fetch-Mode: navigate\r\n

  Sec-Fetch-User: ?1\r\n

  Sec-Fetch-Dest: document\r\n

  Accept-Encoding: gzip, br\r\n

  Accept-Language: es-MX,es;q=0.9\r\n

  Cookie: ZNPCQ003-39303200=cdf1c4c0; BIGipServertest_HTTP_Pool=rd1o00000000000000000000ffffac158091o80\r\n

    Cookie pair: ZNPCQ003-39303200=cdf1c4c0

    Cookie pair: BIGipServertest_HTTP_Pool=rd1o00000000000000000000ffffac158091o80

  Roles: \r\n

  : \r\n   <<<--- THIS IS THE EMPTY HEADER

    [Expert Info (Warning/Protocol): Illegal characters found in header name]

  IdCOMPANY: \r\n

  isSecondary: \r\n

  Telephones: \r\n

  ListCompanyNameTelephone: \r\n

  email: \r\n

  mobilePhone: \r\n

  Lastname: \r\n

  Name: \r\n

  LoginType: \r\n

  password: \r\n

  logon: \r\n

  Via: 1.1 shop.company.com (Access Gateway-ag-728CFCD9FF22A8B6-162297052)\r\n

  X-Forwarded-Host: shop.company.com\r\n

 

Then, when the F5 receives that empty header, it resets the connection with a "Malformed HTTP header" error; after TMOS 12 the F5 doesn't allow malformed HTTP headers: https://support.f5.com/csp/article/K38905534.

I tried to erase that header with some iRules, but it was in vain:

 

1)

    when HTTP_REQUEST {
        HTTP::header remove ":"
    }

2)

    when HTTP_REQUEST {
        if { [HTTP::header exists ":"] } {
            set VALUE [HTTP::header ":"]
            HTTP::header remove ":"
            log local0. "Empty header value is$VALUE"
        }
    }

 

And some more iRules, unsuccessfully. I don't know if that sentence can't recognize that header because there is no string to match. I was also thinking of erasing it as a string or payload: 3a 20 0d 0a, but it matches a lot of things.

Has anyone experienced similar behavior previously? Unfortunately I can't touch the proxy security solution, or even take packet captures within it.

 

Thanks a lot!!!

 

 

2 REPLIES

Satoshino
Cirrus

Hi Ivan,

 

Did you try to use header name instead of ":"?

like this:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Header name"] } {
            set VALUE [HTTP::header "Header name"]
            HTTP::header remove "Header name"
            log local0. "Empty header value is $VALUE"
        }
    }

Let me know.

 

Regards

 

 

 

 ,

 

This will not work, because the request would be blocked; it won't even reach the HTTP REQUEST event. If the malformed/Non RFC Compliant header is on the REQUEST event, it will drop immediately.

If the response coming from the server contains it, it will be dropped by BigIP too.

I came across this personally to identify Non RFC Compliant header & built an iRule. One has to inspect the payload in the CLIENTSSL_DATA event & do the capture. Try that if it helps.

Also there are versions in which you can disable the Non RFC Compliant header check enforcement; see if it's applicable in your version, but I wouldn't advise doing that as it would bring more risk to your environment.

 

Let us know how it goes.
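
An added example, not code from any poster in this thread and not an iRule: a Python check to run offline over captured request bytes. It shows why the raw byte match `3a 20 0d 0a` mentioned in the question over-matches (every header with an empty value ends in the same bytes) and how a per-line test against the RFC 7230 field-name grammar isolates only the nameless line, which is the logic any payload-level inspection needs. The sample request is constructed from the capture in the question, and all function names are hypothetical.

```python
import re

# RFC 7230: field-name = token = 1*tchar (at least one character is required)
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample modelled on the capture in the question (shortened).
SAMPLE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: shop.company.com\r\n"
    b"Accept-Encoding: gzip, br\r\n"
    b"Roles: \r\n"
    b": \r\n"
    b"IdCOMPANY: \r\n"
    b"email: \r\n"
    b"X-Forwarded-Host: shop.company.com\r\n"
    b"\r\n"
)

def naive_hits(raw):
    """Offsets of the bytes 3a 20 0d 0a anywhere in the data (over-matches)."""
    return [m.start() for m in re.finditer(rb": \r\n", raw)]

def split_head(raw):
    """Split a request into its header lines and whatever follows them."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block incomplete")
    return head.split(b"\r\n"), body

def bad_field_lines(raw):
    """(index, line) for header lines whose name is not a valid token.
    Obsolete folded continuation lines are reported as well."""
    lines, _ = split_head(raw)
    bad = []
    for idx, line in enumerate(lines[1:], start=1):  # skip the request line
        name, colon, _rest = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            bad.append((idx, line))
    return bad

def strip_bad_fields(raw):
    """Rebuild the request without the non-compliant header lines."""
    lines, body = split_head(raw)
    drop = {i for i, _ in bad_field_lines(raw)}
    kept = [l for i, l in enumerate(lines) if i not in drop]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body
```

On the sample, the byte search hits four lines while the grammar check flags only the nameless one, and the empty-valued headers such as `Roles:` survive the rebuild.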