Allow certain Content-Type headers through

Rule 920420 blocks requests whose Content-Type header value is not in the allowed list held in the variable tx.allowed_request_content_type. The rule below lets you add a value to that list: because setvar replaces the whole value, the existing list is restated with the new type appended at the end. For this example I appended application/vnd.ms-sync.wbxml for Microsoft ActiveSync.

Please note that the 'setvar' action must be on one line. When copying from here, the values inside that variable may end up split across multiple lines.

# Override the Content-Type allow-list that CRS rule 920420 checks.
# setvar replaces the whole value, so the existing list is restated
# with application/vnd.ms-sync.wbxml appended at the end.
# The setvar action must stay on one line.
SecAction \
 "id:400001,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/vnd.ms-sync.wbxml|'"

5 comments

Jean-François Ruel

Hi Nick,

I'm fairly new to the new WAF implementation in Kemp LoadMaster.

I enabled the new WAF on some of our VSs and we do indeed trigger the rule 920420 for ActiveSync.

In your example, do you create a custom rule with it?

If I understand correctly, this will allow the content type globally.  If we want to allow it only for a specific URL (the one we are using for ActiveSync), we would have to add the section:

REQUEST_URI "@beginsWith URL"

Am I correct?

Jeff


Nick Smylie

Hi.  Yes, you create a custom rule, then you have to assign it to the VS in question under the custom rules section.

As for assigning a URL to it, I do not think that will be required, honestly.  The Content-Type header is allowing ActiveSync in with this rule.  If users were coming from a device not specified in the above list, they will be blocked already.

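Jeff's question above asked for a version scoped to one URL. The rule below is an added example, not from the original post and not Kemp's own configuration, showing how that would look in ModSecurity rule syntax: the same setvar as rule 400001, but triggered by a SecRule on REQUEST_URI instead of an unconditional SecAction. The rule ID 400002 and the path /Microsoft-Server-ActiveSync (the usual Exchange ActiveSync endpoint) are assumptions; adjust both to your deployment.

```apache
# Added example (not from the original post): scope the Content-Type
# allow-list override to the ActiveSync path only.
# Assumptions: rule ID 400002 is unused in your custom rules, and
# ActiveSync is published at /Microsoft-Server-ActiveSync.
# Like rule 400001, this only sets the variable that CRS rule 920420
# reads, so it must be evaluated in phase 1 before 920420 runs, and
# the setvar value must stay on one line.
SecRule REQUEST_URI "@beginsWith /Microsoft-Server-ActiveSync" \
    "id:400002,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/vnd.ms-sync.wbxml|'"
```

To check it, with the global rule 400001 not applied, send one POST with Content-Type: application/vnd.ms-sync.wbxml to the ActiveSync path and one to any other path, and confirm in the WAF log that 920420 fires only for the second. @beginsWith is case-sensitive, so a request using a differently cased path will not match and will still be blocked, which fails closed rather than open. If that path only ever receives WBXML bodies, the list can be cut down to just |application/vnd.ms-sync.wbxml| for that path, which is stricter than the global override.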

Jean-François Ruel

Makes sense.

Your custom rule worked perfectly by the way, thanks !

Jeff


Johanna Majewski

Thank you for the explanation. It is clear to me.


