LTM Policy is the powerful and performant replacement to the HTTP Class, and first appeared in Big IP 11.4.0.   This is intended to be a short article showing some practical recipes using LTM Policy.  Please also check out another article with a more complete overview of LTM Policy.

While there are iRules which can be used to address each of the following scenarios, LTM Policy is a particularly good tool when it comes to inspecting and modifying HTTP-specific quantities like URIs, headers, and cookies.

Preventing the Nimda worm

Task Configuration

If the URL contains certain strings known to be associated with Nimda, then use a forwarding action to reset the connection.

Demonstrates matching on URI and terminating a connection.

nimda-rules

ltm policy /Common/nimbda-be-gone {
    controls { forwarding }
    requires { http }
    rules {
        rule-1 {
            actions {
                0 {
                    forward reset
                }
            }
            conditions {
                0 {
                    http-uri contains values { root.exe admin.dll cmd.exe }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}

 

Preventing spoofing of X-Forwarded-For

Task Configuration

Bad actors may try to work around security by falsifying the IP address in a header and trying to pass it through the Big IP.  Replace X-Forwarded-For header in the request, if any, with the actual client IP address.

Demonstrates header replacement, case-insensitive comparisons of HTTP headers, use of Tcl expressions to access internal state.

xff

ltm policy /Common/xff {
    requires { http }
    rules {
        "remove existing" {
            actions {
                0 {
                    http-header replace
                    name X-foRWardED-for
                    value tcl:[IP::client_addr]
                }
            }
            ordinal 2
        }
    }
    strategy /Common/first-match
}

 

Mitigating Shellshock

Task Configuration

Shellshock refers to a class of exploits that take advantage of the bash shell via a specifically-crafted URL.  Here is a policy which looks for the pattern "() {" in the URI .  It is rare that this pattern of characters will occur in a URI so false-positives should be rare.

shellshock

 

ltm policy /Common/shellshock {
    controls { forwarding }
    requires { http }
    rules {
        rule-1 {
            actions {
                0 {
                    log write
                    message "tcl:Shellshock detected from [IP::client_addr], blocked"
                }
                1 {
                    forward reset
                }
            }
            conditions {
                0 {
                    http-uri contains values { "() {" }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}

 

Selective compression

Task Configuration

Certain types of content are good candidates for compression.  For example, transfers of common text types like HTML, XML, and CSS stylesheets can show improved transfer time – especially across slow links – by compressing it.

Here is a policy which demonstrates selective compression based on the Content-type, taking into account system load average.  All text-type responses will be compressed, but if the 1 minute load average climbs above 5, then compression will not be enabled to save CPU resources.

 

selective_compression

 

ltm policy /Common/blanket {
    controls { compression }
    requires { http }
    rules {
        rule-1 {
            conditions {
                0 {
                    http-header response
                    name Content-type
                    starts-with
                    values { text/ }
                }
                1 {
                    cpu-usage response last-1min
                    less-or-equal
                    values { 5 }
                }
            }
            actions {
                0 {
                    compress response enable
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}