
iRule to Block HTTP POST if contains string

spiv
Altocumulus

I would like an iRule that drops an HTTP POST if it contains a certain string. I think I can do something like the following, but not sure what statement to use to perform the actual dropping of the packet.

 

when HTTP_REQUEST {
   if { ( [string tolower [HTTP::uri]] contains "foo" ) and ( [HTTP::method] equals "POST" ) } {
       # Some logic to drop this traffic
       log local0. "HTTP POST contained string foo"
   }
}

3 REPLIES

Do you mean to block a specific string in the URI, or to block a specific word during an HTTP POST? If it's the 2nd requirement, please refer below.

 

https://devcentral.f5.com/s/question/0D51T00006i7hpJSAQ/irule-to-block-requests-with-specific-word

 

Mayur

Hi Mayur,

 

Thanks for your reply. I mean, to drop it if the HTTP POST contains the string (not the URI itself). Thanks, that link was helpful.

spiv
Altocumulus

I am trying to solve the same problem as the OP that Mayur pointed me to (which I just noticed even has the same exact problem string).

 

https://devcentral.f5.com/s/question/0D51T00006i7hpJSAQ/irule-to-block-requests-with-specific-word

 

I am wondering about the consequence of not limiting the Content-Length of the HTTP POST. When I use the limit, some users are unable to POST images. I could make the Content-Length limit larger, but what if I do not impose a limit at all? Is it vulnerable to DoS? For instance, I imagine TMM must store and parse the HTTP payload of every HTTP POST for a string. It seems possible to get many relatively large payloads in a short time. I don't know what the processor or memory constraints are (relative to a given iRule on a given virtual server). Is it dynamically allocated from a global resource pool to individual instances as needed, or does each individual virtual server or each iRule's TMM thread have predefined resource allocation (I/O and mem)?
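
An added example, not part of the original thread and not code from any poster: one way to inspect POST bodies for the string "foo" while bounding how much of each request is buffered, so large uploads are still accepted but only a fixed prefix is collected and searched. The 1 MiB cap (`max_inspect`) and the choice of `reject` are assumptions to adjust for the application.

```tcl
when HTTP_REQUEST {
    # Assumed cap: buffer and inspect at most the first 1 MiB of any POST body.
    set max_inspect 1048576

    if { [HTTP::method] equals "POST" } {
        set collect_len $max_inspect
        if { [HTTP::header exists "Content-Length"] } {
            set cl [HTTP::header value "Content-Length"]
            # Small bodies are collected whole; larger ones only up to the cap.
            # A non-numeric or oversized value falls back to the cap.
            if { [string is integer -strict $cl] && $cl >= 0 && $cl < $max_inspect } {
                set collect_len $cl
            }
        }
        # Nothing to collect for an empty body.
        if { $collect_len > 0 } {
            HTTP::collect $collect_len
        }
    }
}

when HTTP_REQUEST_DATA {
    # Fires once the requested number of bytes has been buffered.
    if { [string tolower [HTTP::payload]] contains "foo" } {
        log local0. "HTTP POST payload contained string foo"
        # reject answers with a TCP reset; drop would discard silently.
        reject
        return
    }
    # No match: the buffered data is released to the pool when this event ends.
}
```

With this approach an image upload larger than the cap is not refused; the trade-off is that a match located past the first `max_inspect` bytes of a body is not seen.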