Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Help with iRule to delete an empty name header or allow HTTP malformed header

Ivan_383
Nimbostratus
Nimbostratus

‎18-Feb-2021 14:44

Hello guys, I hope you can help me, the scenario is the next, we are replacing an Brocade ADX with an F5 BIGIP, the scenario is like this:

 

nowadays it exist Client - > PROXY security solution - > BROCADE ADX - > REAL SERVER

 

What we want is Client - > PROXY security solution - > F5 BIGIP - > REAL SERVER

 

But here what is happening is, when te request comes from the PROXY it comes with some aditiona headers, within that headers it comes an empty name header, I mean it is a header without a name, the header comes just in this way ":"

 

  Sec-Fetch-Mode: navigate\r\n

  Sec-Fetch-User: ?1\r\n

  Sec-Fetch-Dest: document\r\n

  Accept-Encoding: gzip, br\r\n

  Accept-Language: es-MX,es;q=0.9\r\n

  Cookie: ZNPCQ003-39303200=cdf1c4c0; BIGipServertest_HTTP_Pool=rd1o00000000000000000000ffffac158091o80\r\n

    Cookie pair: ZNPCQ003-39303200=cdf1c4c0

    Cookie pair: BIGipServertest_HTTP_Pool=rd1o00000000000000000000ffffac158091o80

  Roles: \r\n

  : \r\n <<<--------------------------------------------------------------------------------------------------------------------THIS IS THE EMPTY HEADER

    [Expert Info (Warning/Protocol): Illegal characters found in header name]

  IdCOMPANY: \r\n

  isSecondary: \r\n

  Telephones: \r\n

  ListCompanyNameTelephone: \r\n

  email: \r\n

  mobilePhone: \r\n

  Lastname: \r\n

  Name: \r\n

  LoginType: \r\n

  password: \r\n

  logon: \r\n

  Via: 1.1 shop.company.com (Access Gateway-ag-728CFCD9FF22A8B6-162297052)\r\n

  X-Forwarded-Host: shop.company.com\r\n

 

Then when the F5 receives that empty header it resets the connection as follows: Malformed HTTP header error, after TMOS 12 the F5 doesn't allow malformed http headers: https://support.f5.com/csp/article/K38905534.

 

I tried to erase that header with some irules but it was vain:

 

1 )

 

when HTTP_REQUEST {

 

  HTTP::header remove ":"

 

}

 

 

2)

when HTTP_REQUEST {

if { [HTTP::header exists ":"] } {

 

set VALUE [HTTP::header ":"]

HTTP::header remove ":"

 

log local0. "Empty header value is$VALUE"

}

}

 

And some more irules unsuccesfuly, I don´t know if that sentence can't recognized that header because there is not a string to match. I was also thinking to erase it as a string or payload: 3a 20 0d 0a, but it matches with a lot of things.

Have someone experienced a similar behavior previously, unfortunately I can't touch the proxy security solution, even take packet captures within it.

 

Thanks a lot!!!

 

 

Labels:
0 Kudos
3 REPLIES 3

Satoshino
Cirrus
Cirrus

‎19-Feb-2021 03:10 - last edited on ‎04-Jun-2023 21:02 by Fog

Hi Ivan,

Did you try to use header name instead of ":"?

like this:

when HTTP_REQUEST {
    if { [HTTP::header exists "Header name"] } {
        set VALUE [HTTP::header "Header name"]
        HTTP::header remove "Header name"
        log local0. "Empty header value is $VALUE"
        }
    }

Let me know.

Regards

0 Kudos

jaikumar_f5
MVP
MVP

‎19-Feb-2021 06:19 - last edited on ‎24-Mar-2022 01:29 by Fog

 

 ,

 

This will not work, because the request would be blocked, it wont even reach the HTTP REQUEST event. If the malformed/Non RFC Compliant header is on the REQUEST event, it will drop immediately.

If the response coming from the server contains it, it will be dropped by BigIP too.

 

 

I came across this personally to identify Non RFC Compliant header & built an Irule. One has to inspect the payload in the CLIENTSSL_DATA event & do the capture. Try that if it helps.

 

Also there are version in which you can disable the Non RFC Compliant header check enforcement, see if its applicable in your version, but I wouldn't advise to do that as it would bring more risk to your environment.

 

Let us know how it goes.

0 Kudos

Spencer_Aranda
Altocumulus
Altocumulus
In response to jaikumar_f5

‎18-Nov-2022 06:31

Hi

Just a quick question.  I was asked to use the F5 to remove a header name as follows {esbsoapheader}userName

The header value was just fine.  But I was asked to remove {esbsoapheader} from header name  {esbsoapheader}userName

I tried HTTP::header remove "{esbsoapheader}userName"   but it did not work.  I got an error as follows 

TCL error: /Common/ilxpi_demo/ilxir_demo <HTTP_REQUEST> - list element in braces followed by "userName" instead of space while executing "HTTP::header remove "{esbsoapheader}userName""

I'm guessing the header name has invalid characters, ie "{}"  Has anyone encountered something similar?  Is this header name ilegal/malformed? Is there a way I can remove this?

 

Thank you!

 

0 Kudos
Copyright © 2023 Khoros, LLC