Using the LoadMaster to Block Unwanted HTTP Methods

In some cases it may be useful to have the LoadMaster take a specific action based on the HTTP method seen in a request. There are a number of reasons why this may be necessary in application delivery to achieve the desired operation of the application.

Content Rules can be used to match on the HTTP Method. In this example, it is desirable to:

  1. Match either of the two methods (RDG_IN_DATA or RDG_OUT_DATA).
  2. Block them from being forwarded to the Real Server by sending an "Invalid Request" response.  

This procedure can be used for any HTTP method to be blocked.

To create a rule to match a specific method, in the LoadMaster Web User Interface (WUI), go to Rules & Checking > Content Rules and click Create New.

This example rule is used to block the RDG_IN_DATA method.

Similarly, a rule can be created to match RDG_OUT_DATA. The rules match the method part of the HTTP header.

To block requests based on this match, two SubVSs need to be created: one to handle traffic using these methods (that is, traffic which matches these rules) and another to handle all other traffic. The first SubVS never forwards traffic to Real Servers; instead, it replies with a 501 Not Implemented "not available" redirect.

Enable Content Switching by clicking Enable in the Advanced Properties section of the Virtual Service modify screen.

 

 

Rules can be assigned to a SubVS by clicking the None button in the Rules column of the SubVSs section after the SubVSs have been added.

 

The rules assigned to SubVS 1 can match the unwanted methods.

 

Configure SubVS 1

No Real Servers are added to SubVS 1. Instead, a 501 Not Implemented response with the message "Invalid Request" is sent for every request that uses one of the methods we wish to block.

 

 

SubVS 2 will match all other traffic. This is done by assigning the default rule to SubVS 2. This SubVS should be configured with Real Servers for normal traffic.

 

Note: Rules such as the ones above can also be used to pass these requests to a specific Real Server (rather than blocking them). In this case, instead of adding the redirect, add Real Servers to the SubVS.
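To confirm that the finished configuration behaves as described, the following added example (not part of the original article and not a Kemp tool) sends one request per method to the Virtual Service and checks that RDG_IN_DATA and RDG_OUT_DATA receive a 501 while normal traffic does not. The use of GET as the sample of normal traffic, the function names and the command-line arguments are assumptions.

```python
"""Verify that blocked HTTP methods get 501 from a virtual service."""
import http.client
import sys

BLOCKED = ("RDG_IN_DATA", "RDG_OUT_DATA")  # methods matched by the content rules
ALLOWED = ("GET",)  # assumption: a method that normal traffic uses


def probe(host, port, method, path="/", use_tls=False, timeout=5):
    """Send one request with `method`; return the status code, or None on error."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out, TLS failure or malformed reply
    finally:
        conn.close()


def audit(host, port, blocked=BLOCKED, allowed=ALLOWED, **kwargs):
    """Return (method, status, ok) rows.

    Blocked methods pass only with 501 (the SubVS 1 reply); allowed methods
    pass with any other status, since they should reach SubVS 2.
    """
    rows = []
    for method in blocked:
        status = probe(host, port, method, **kwargs)
        rows.append((method, status, status == 501))
    for method in allowed:
        status = probe(host, port, method, **kwargs)
        rows.append((method, status, status is not None and status != 501))
    return rows


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_methods.py <vs-address> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    rows = audit(host, port, use_tls=(port == 443))
    for method, status, ok in rows:
        print(f"{method:<14} {status} {'OK' if ok else 'UNEXPECTED'}")
    sys.exit(0 if all(ok for _, _, ok in rows) else 1)
```

A non-zero exit status means at least one method did not get the expected treatment, which makes the script usable as a post-change check.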
