spiv
Apr 27, 2020

iRule to Block HTTP POST if contains string

I would like an iRule that drops an HTTP POST if it contains a certain string. I think I can do something like the following, but not sure what statement to use to perform the actual dropping of the packet.

 

when HTTP_REQUEST {
   if { ( [string tolower [HTTP::uri]] contains "foo" ) and ( [HTTP::method] equals "POST" ) } {
       # Some logic to drop this traffic
       log local0. "HTTP POST contained string foo"
   }
}

3 Replies

    • spiv

      Hi Mayur,

       

      Thanks for your reply. I mean, to drop it if the HTTP POST contains the string (not the URI itself). Thanks, that link was helpful.

  • spiv

    I am trying to solve the same problem as the OP that Mayur pointed me to (which I just noticed even has the same exact problem string).

     

    https://devcentral.f5.com/s/question/0D51T00006i7hpJSAQ/irule-to-block-requests-with-specific-word

     

    I am wondering about the consequence of not limiting the Content-Length of the HTTP POST. When I use the limit, some users are unable to POST images. I could make the Content-Length limit larger, but what if I do not impose a limit at all? Is it vulnerable to DoS? For instance, I imagine TMM must store and parse the HTTP payload of every HTTP POST for a string. It seems possible to get many relatively large payloads in a short time. I don't know what the processor or memory constraints are (relative to a given iRule on a given virtual server). Is it dynamically allocated from a global resource pool to individual instances as needed, or does each individual virtual server or each iRule's TMM thread have predefined resource allocation (I/O and mem)?
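
An added example, not code from any poster in this thread: an iRule that inspects the POST body rather than the URI and buffers at most a fixed number of bytes per request, so larger uploads such as images still pass while the amount held for inspection stays bounded. The 1 MB cap, the `static::` variable names and the choice of `reject` are assumptions for illustration; bytes beyond the cap are not inspected.

```tcl
when RULE_INIT {
    # Assumed values for illustration: inspection cap in bytes and the string to block
    set static::max_inspect 1048576
    set static::blocked "foo"
}

when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        set len [HTTP::header value "Content-Length"]

        # No usable Content-Length, or a body larger than the cap:
        # collect only up to the cap instead of the whole payload.
        if { ![string is integer -strict $len] || $len > $static::max_inspect } {
            set len $static::max_inspect
        }

        # Buffer up to $len bytes; HTTP_REQUEST_DATA fires once they arrive.
        if { $len > 0 } {
            HTTP::collect $len
        }
    }
}

when HTTP_REQUEST_DATA {
    # Case-insensitive match against the collected part of the body only
    if { [string tolower [HTTP::payload]] contains $static::blocked } {
        log local0. "Blocked HTTP POST from [IP::client_addr]: payload contained $static::blocked"
        # reject resets the connection; drop would discard it silently instead
        reject
        return
    }
}
```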