« Trinket: Enabling JMX on tomcat on Windows | Main | Do I still need apache httpd? »


BigIP iRule::Disable Trace Method

This article has been superseded by this one. 
No further updates will be made to this article.

A recent vulnerability scan showed a large number of sites that I maintain have the HTTP Trace method enabled. All of my sites are front-ended by an F5 BigIP load-balancer but I have a bunch of different web servers--apache 1.3, apache 2.0, apache 2.2, IIS5, and IIS6 and even some tomcat servers. So, instead of visiting each type of server and applying the relevant scan, I thought it would be pretty interesting to write a rule on the BigIP that would reject any request coming in to a site that utilized the HTTP TRACE method. Below is the rule. Steal it or modify it to your hearts content but if you do modify it to make it even better or more useful, post it in the comments.

set default_pool [LB::server pool]
if { [HTTP::method] equals "TRACE" } {
} else {
pool $default_pool

The "set default_pool" statement sets the pool to whatever the default pool assigned to a particular Virtual IP is set to. The rest is pretty self-explanatory....if the method is TRACE, reject the request, otherwise, do nothing.


TrackBack URL for this entry:

Listed below are links to weblogs that reference BigIP iRule::Disable Trace Method: