« Trinket: Enabling JMX on tomcat on Windows | Main | Where is Safari 3 for Windows? »

02/24/2008

BigIP iRule::Disable Trace Method

This article has been superseded by this one. 
No further updates will be made to this article.


A recent vulnerability scan showed a large number of sites that I maintain have the HTTP Trace method enabled. All of my sites are front-ended by an F5 BigIP load-balancer but I have a bunch of different web servers--apache 1.3, apache 2.0, apache 2.2, IIS5, and IIS6 and even some tomcat servers. So, instead of visiting each type of server and applying the relevant scan, I thought it would be pretty interesting to write a rule on the BigIP that would reject any request coming in to a site that utilized the HTTP TRACE method. Below is the rule. Steal it or modify it to your hearts content but if you do modify it to make it even better or more useful, post it in the comments.

when HTTP_REQUEST {
set default_pool [LB::server pool]
if { [HTTP::method] equals "TRACE" } {
reject
} else {
pool $default_pool
}
}

The "set default_pool" statement sets the pool to whatever the default pool assigned to a particular Virtual IP is set to. The rest is pretty self-explanatory....if the method is TRACE, reject the request, otherwise, do nothing.

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01156fbc6fe6970c011572288035970b

Listed below are links to weblogs that reference BigIP iRule::Disable Trace Method:

Comments