

Custom ASM block for HTTP methods

Hi,

I want to block all HTTP methods except GET using ASM. I am using the below iRule to block them and raise an ASM violation, but somehow iRule execution fails while testing with HTTP method POST. I'm unable to find the reason for this failure. Can somebody help please?

when HTTP_REQUEST {
    # Flag every request whose method is not exactly "GET"; the flag is
    # read again once ASM has finished processing the request.
    set reqBlock 0
    if { ( [HTTP::method] equals "GET" ) } {
        return
    } else {
        set reqBlock 1
    }
}
when ASM_REQUEST_DONE {
    # Raise the violation from the ASM event so the policy records and
    # enforces it; the violation name must exist in the policy.
    if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
    }
}
0
Comments on this Question
Comment made 27-Jul-2016 by boneyard 5576

How does it fail? What error do you get? There is an ASM policy on the virtual server, right?

0
Comment made 27-Jul-2016 by Yoann Le Corvic 79

Hi

You should not need an iRule for this one...

Check out Security > Application Security > Headers > Methods

Sincerely

0
Comment made 27-Jul-2016 by Jinshu 1335

Hi Yoann, we can't modify the default GET and POST from there...

0
Comment made 27-Jul-2016 by Yoann Le Corvic 79

Hi

When I see the iRule I am not sure why the policy setting is not enough... But anyhow, have you also checked the box "Trigger ASM iRule Events" in the policy settings?

Yoann

0
Comment made 27-Jul-2016 by Jinshu 1335

Yes. I have solved the issue. It was the custom violation causing the issue. I have modified it and it worked.

Thank you.

1

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Looks like a mashup of my custom violation iRule. Technically, it should work - maybe you have a cache of previous results (web acceleration profile)?

This should do the trick in v11.x

when HTTP_REQUEST {
  # Set the flag for any method other than GET (exact, case-sensitive match).
  set reqBlock 0
  if { not ( [HTTP::method] eq "GET" ) } {
    set reqBlock 1
  }
}
when ASM_REQUEST_DONE {
  # This event only fires when "Trigger ASM iRule Events" is enabled on the
  # policy; VIOLATION_FORBIDDEN_METHOD must be a user-defined violation.
  if { $reqBlock == 1 } {
    ASM::raise VIOLATION_FORBIDDEN_METHOD
  }
}

Also note that if you can upgrade to v12.1, you will get a better built-in control over allowed http methods per URL (also works with wildcard URLs):

https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-12-1-0.html

Enforcing a method on a URL
You can define a list of allowed and disallowed methods, for each URL, that will override the list defined on the security policy level.

0
Comments on this Answer
Comment made 27-Jul-2016 by boneyard 5576

I get this error on 12.1 with a direct copy-paste of your iRule, Hannes:

Jul 27 13:43:24 bigip-01 err tmm[21016]: 01480002:3: Command failed.
Jul 27 13:43:24 bigip-01 err tmm[21016]: 01220001:3: TCL error: /Common/irule-ASM-raise <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error.     invokd from within "ASM::raise VIOLATION_FORBIDDEN_METHOD"

Which was caused because I didn't have it configured as a user-defined violation under Security ›› Options : Application Security : Advanced Configuration : Violations List.

Solved, sorry.

1
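As an added example (not code from the thread), the same flag-and-raise pattern generalized to an allow-list of methods held in a static variable, with the request details captured in HTTP_REQUEST for logging. It assumes, as the comments above establish, that "Trigger ASM iRule Events" is enabled on the policy and that VIOLATION_FORBIDDEN_METHOD is configured as a user-defined violation:

```tcl
# Added example, not from the original thread.
# Assumptions: "Trigger ASM iRule Events" is enabled on the ASM policy and
# VIOLATION_FORBIDDEN_METHOD exists as a user-defined violation whose
# Block flag is set; otherwise ASM::raise errors out or only alarms.
when RULE_INIT {
    # Constructed allow-list: the methods the application legitimately needs.
    # The match is exact and case-sensitive on purpose: "get" is not a valid
    # HTTP method and must not be folded into "GET".
    set static::allowed_methods [list "GET" "HEAD"]
}

when HTTP_REQUEST {
    # Decide per request and remember the details; HTTP_REQUEST resets the
    # flag on every request of a keep-alive connection.
    set reqBlock 0
    set reqMethod [HTTP::method]
    set reqTarget "[HTTP::host][HTTP::uri]"
    if { [lsearch -exact $static::allowed_methods $reqMethod] == -1 } {
        set reqBlock 1
    }
}

when ASM_REQUEST_DONE {
    # Raised from the ASM event rather than HTTP_REQUEST so the policy, not
    # the iRule, makes the block/alarm decision and logs the violation.
    if { $reqBlock == 1 } {
        log local0. "Disallowed method $reqMethod for $reqTarget from [IP::client_addr]"
        ASM::raise VIOLATION_FORBIDDEN_METHOD
    }
}
```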
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

I have found the issue. It was the custom violation causing the issue. I have modified it and it worked like a champ.

btw, I'm using 11.5 version.

Thanks guys for your help.

-Jinshu

0