Block TRACE, PUT, DELETE and OPTIONS HTTP methods

 

Information

 

Summary:

How to remove TRACE, PUT, DELETE, and OPTIONS HTTP methods.

Environment:

Product: LoadMaster.

Version: Any.

Platform: Any.

Application: Any.

Question/Problem Description:

We want the LoadMaster to block TRACE, PUT, OPTIONS and DELETE HTTP methods for a VIP and only allow HEAD, POST, and GET HTTP methods.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: We want to block insecure HTTP methods.
Resolution:
  • We'd need two SubVS's to achieve this, one to allow GET, POST, and HEAD and another to deny any other HTTP Method such as DELETE, PUT, OPTIONS, and TRACE.
  • We create the SubVS's by going to Modify on the Virtual Service > Real Servers (if any servers are added, these need to be deleted to be able to add SubVS's) > Add SubVS ...
  • Then, we create a content rule using method as the header field and the actual methods as the match string as shown below:

Rule Name: allowed_METHODS

Rule Type: Content Matching

Match Type: Regular Expression

Header Field: method

Match string: /GET|POST|HEAD/

  • Then, we go to the VIP > Advanced Properties > Enable Content Switching and add the rules we just created under SubVS > rules to the SubVS that will have the Real Servers. The second SubVS will be assigned with the default rule to catch any other HTTP method.
  • On the SubVS with the default rule, we go to Advanced Properties > Error Code > Set to 401 Unauthorized. The logic is that if a method other than GET, POST, or HEAD is sent to the VIP, a 401 HTTP response will be returned.

This can be tested with the following commands:

curl -X PUT https://<FQDN> -d "TEST"

curl -X DELETE https://<FQDN>

NOTE: TRACE is not accepted by the LoadMaster (LM), which returns a 501, as the following log entries show:

2022-07-05T15:26:29+00:00 aalcantara-HA1 kernel: L7: ffff888072ed7040: Parse_http_header: Invalid method TRACE
2022-07-05T15:26:29+00:00 aalcantara-HA1 kernel: L7: badrequest-select_conn [10.0.16.204:61328->10.1.116.200:80] (-501): TRACE ? , 0 [hlen 146, nhdrs 5]
2022-07-05T15:26:29+00:00 aalcantara-HA1 kernel: L7: ffff888072ed7040: Send error(-501) HTTP/1.1 501 Invalid Request 
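
To track how often clients send methods that the LoadMaster rejects on its own, the log entries above can be parsed and counted per client. This is an added example, not Kemp code: the regular expression is inferred only from the badrequest-select_conn line shown here, and the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the article above (LoadMaster L7 kernel messages).
SAMPLE_LOG = """\
2022-07-05T15:26:29+00:00 aalcantara-HA1 kernel: L7: ffff888072ed7040: Parse_http_header: Invalid method TRACE
2022-07-05T15:26:29+00:00 aalcantara-HA1 kernel: L7: badrequest-select_conn [10.0.16.204:61328->10.1.116.200:80] (-501): TRACE ? , 0 [hlen 146, nhdrs 5]
2022-07-05T15:26:29+00:00 aalcantara-HA1 kernel: L7: ffff888072ed7040: Send error(-501) HTTP/1.1 501 Invalid Request
"""

# Pattern inferred only from the badrequest-select_conn line shown above;
# other firmware versions may format this message differently (assumption).
BADREQ = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: L7: badrequest-select_conn "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)->(?P<vip>[\d.]+):(?P<vport>\d+)\] "
    r"\(-(?P<status>\d{3})\): (?P<method>\S+) "
)

def parse_rejections(log_text):
    """Return one dict per rejected request found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = BADREQ.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events

def summarize(events):
    """Count rejections per (client IP, VIP:port, method, status)."""
    return Counter(
        (e["src"], f'{e["vip"]}:{e["vport"]}', e["method"], e["status"])
        for e in events
    )

if __name__ == "__main__":
    counts = summarize(parse_rejections(SAMPLE_LOG))
    for (src, vip, method, status), n in counts.items():
        print(f"{src} -> {vip} {method} rejected with {status} x{n}")
```
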
Workaround:  
Notes:

https://support.kemptechnologies.com/hc/en-us/articles/5143451528077-Content-Rules

