This ugly vulnerability, first discovered 15 years ago, has reared it’s head, AGAIN.  Visit https://httpoxy.org/ for more details on this vulnerability.

Luckily, it is a quick and easy mitigation if that traffic is visible to the F5.  Here are two quick fixes.

DISCLAIMER:  Please make sure you understand the scope of your change before making either of the suggested changes below.  These will very likely NOT cause any issues.
From the HTTPOxy.org site:
"The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. This is easy and safe.
It’s safe because the Proxy header is undefined by the IETF, and isn’t listed on the IANA’s registry of message headers. This means there is no standard use for the header at all; not even a provisional use-case."

 

OPTION 1:  Add “Proxy” to the Request Header Erase field in the HTTP profile:


OPTION 2:  Use this simple iRule to remove the header in requests:

when HTTP_REQUEST {
  if { [HTTP::header exists "Proxy"] }{
    HTTP::header remove "Proxy"
  }
}

Additionally, if you are running F5's Web Application Firewall, ASM, you can configure a custom violation and write an irule to "raise" that violation so that you have visibility into this vulnerability from within your ASM logs.  Here are the steps for version 12.x (some of these options are in a different place in the GUI in earlier versions):

1. Create a new violation under Security  ››  Options : Application Security : Advanced Configuration : Violations List


2. Create the following irule and associate it to the virtual(s) in question:


when ASM_REQUEST_DONE {
  # See if the Proxy header exists
  if { [HTTP::header exists "Proxy"] }{
    #Proxy header exists so let's save it's value to log in the violation details
    set proxy_val [HTTP::header value "Proxy"]
    #Remove the Proxy header.  A good  idea whether the policy or violation is in blocking mode or not.
    HTTP::header remove "Proxy"
    #Raise the ASM violation including the value of the Proxy header.  "HTTPoxy" must match custom violation name exactly.
    ASM::raise HTTPoxy $proxy_val
  }
}

 

3. Make sure to enable that custom violation on the policy(s) in question.  In 12.x this is under Security  ››  Application Security : Policy Building : Learning and Blocking Settings:
 

 

-Joe Martin

Security Specialist Engineer

F5 Networks