security http profile
security http profile(1) BIG-IP TMSH Manual security http profile(1)
NAME
profile - Configures an HTTP security profile.
MODULE
security http
SYNTAX
Configure the profile component within the security http module using
the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
[case-sensitive | case-insensitive]
defaults-from [[name] | none]
description [[string] | none]
evasion-techniques {
options:
alarm [disabled | enabled]
block [disabled | enabled]
}
file-types {
options:
alarm [disabled | enabled]
[allowed | disallowed]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
http-rfc {
options:
alarm [disabled | enabled]
bad-host-header [disabled | enabled]
bad-version [disabled | enabled]
block [disabled | enabled]
body-in-get-head [disabled | enabled]
chunked-with-content-length [disabled | enabled]
content-length-is-positive [disabled | enabled]
header-name-without-value [disabled | enabled]
high-ascii-in-headers [disabled | enabled]
host-header-is-ip [disabled | enabled]
maximum-headers [[integer] | disabled]
null-in-body [disabled | enabled]
null-in-headers [disabled | enabled]
post-with-zero-length [disabled | enabled]
several-content-length [disabled | enabled]
unparsable-content [disabled | enabled]
}
mandatory-headers {
options:
alarm [disabled | enabled]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
maximum-length {
options:
alarm [disabled | enabled]
block [disabled | enabled]
post-data [[integer] | any]
query-string [[integer] | any]
request [[integer] | any]
uri [[integer] | any]
}
methods {
options:
alarm [disabled | enabled]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
response {
options:
body [[string] | none]
headers [[new line separated headers] | none]
type [custom | default | redirect | soap-fault]
url [[string] | none]
}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete
an HTTP security profile for use with HTTP Protocol Security
functionality.
EXAMPLES
create profile my_http_profile defaults-from http_security
Creates a custom HTTP security profile named my_http_profile that
inherits its settings from the system default HTTP security profile,
http_security.
list profile
Displays the properties of all HTTP security profiles.
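The following is an added, fuller worked example; it is not part of the
original manual page and not F5-supplied configuration. It builds a
hardened profile for an API virtual server with blocking turned on for
every check group (blocking is disabled by default in the parent
profile). The profile name api_http_sec, the method and file-type lists,
the length limits, and the redirect URL are illustrative choices; the
file-type name no_ext is assumed to exist as a security http file-type
for extension-less URIs. The command is entered at the tmsh root prompt;
the braces may span several lines.

```tmsh
create security http profile api_http_sec {
    defaults-from http_security
    description "PSM profile for the JSON API virtual server"
    case-insensitive
    methods {
        alarm enabled
        block enabled
        values replace-all-with { GET POST PUT DELETE }
    }
    file-types {
        alarm enabled
        block enabled
        allowed
        values replace-all-with { json no_ext }
    }
    mandatory-headers {
        alarm enabled
        block enabled
        values replace-all-with { Host }
    }
    maximum-length {
        alarm enabled
        block enabled
        request 1048576
        post-data 1048576
        query-string 512
        uri 512
    }
    evasion-techniques {
        alarm enabled
        block enabled
    }
    http-rfc {
        alarm enabled
        block enabled
        body-in-get-head enabled
        null-in-body enabled
        high-ascii-in-headers enabled
        host-header-is-ip enabled
        maximum-headers 32
    }
    response {
        type redirect
        url https://www.example.com/blocked
    }
}
```

Because the profile is case-insensitive, the file types are stored as
json and no_ext even if entered in upper case, and this setting cannot
be changed after creation. Method names stay case-sensitive regardless,
so GET and get are different entries. The mandatory header is stored as
host. Checks that are not listed under http-rfc keep the values
inherited from http_security.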
OPTIONS
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
[case-sensitive | case-insensitive]
Specifies whether the security profile treats file types as case
sensitive. The default value is case-sensitive. Note: You can set
either property only when you create the profile; thereafter it is
read-only. If the security profile is case insensitive, the system
stores file types in lowercase in the security profile
configuration.
defaults-from
Specifies the profile that you want to use as the parent profile.
Your new profile inherits all settings and values from the parent
profile specified. The default value is none.
description
User defined description.
evasion-techniques
Specifies what action the system takes when it detects an evasion
technique. Evasion techniques are methods used by attackers to
avoid detection of their attack. You can configure the following
options for evasion technique checks:
alarm
Specifies, when enabled, that the system logs the request
data and displays it in the Protocol Security Statistics
screen whenever the system detects an evasion technique. The
default value is enabled.
block
Specifies, when enabled, that the system stops requests
whenever the system detects an evasion technique. The default
value is disabled.
file-types
Specifies which file types the security profile considers legal,
and specifies what action the system takes when it detects a
request for an illegal file type. You can configure the following
options for file types:
alarm
Specifies, when enabled, that the system logs the request
data and displays it on the Protocol Security Statistics
screen whenever the system detects a request for an illegal
file type. The default value is enabled.
[allowed | disallowed]
Indicates whether the values property lists file types that
the security profile permits or prohibits. Note: For each
security profile you may define either allowed file types or
disallowed file types.
block
Specifies, when enabled, that the system stops requests for
an illegal file type. The default value is disabled.
values
Adds, deletes, or replaces a set of file types considered
either legal or illegal by the security profile. You can
either select an available file-type or add a new one.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
http-rfc
Specifies which validations the system should check and what
action the system takes when it detects a request that is not
formatted properly. You can configure the following options for
HTTP protocol checks:
alarm
Specifies, when enabled, that the system logs the request
data and displays it in the Protocol Security Statistics
screen whenever a request fails one of the enabled HTTP
protocol checks. The default value is enabled.
bad-host-header
Specifies, when enabled, that the system inspects requests to
see whether they contain a non RFC compliant header value.
The default value is enabled.
bad-version
Specifies, when enabled, that the system inspects requests to
see whether they use an HTTP protocol version of 1.0 or higher;
requests with any other version fail the check. The default
value is enabled.
block
Specifies, when enabled, that the system stops requests
whenever a request fails one of the enabled HTTP protocol
checks. The default value is disabled.
body-in-get-head
Specifies, when enabled, that the system examines requests
that use the HEAD or GET methods to see whether the requests
contain data in their bodies, which is considered illegal.
The default value is disabled.
chunked-with-content-length
Specifies, when enabled, that the system examines chunked
requests for a content-length header, which is not permitted.
The default value is enabled.
content-length-is-positive
Specifies, when enabled, that the system examines requests to
see whether their content length value is greater than zero.
The default value is enabled.
header-name-without-value
Specifies, when enabled, that the system checks requests for
valueless header names, which are considered illegal. The
default value is enabled.
high-ascii-in-headers
Specifies, when enabled, that the system inspects request
headers for ASCII characters greater than 127, which are not
permitted. The default value is disabled.
host-header-is-ip
Specifies, when enabled, that the system verifies that the
request's Host header value is not an IP address. The
default value is disabled.
maximum-headers
Specifies whether the system checks the number of headers in
a request against a maximum, and if so, how many headers are
allowed. Set an integer to enable the check or disabled to
turn it off. The default value is a maximum of 20 headers.
null-in-body
Specifies, when enabled, that the system inspects request
bodies to see whether they contain a Null character, which is
not allowed. The default value is disabled.
null-in-headers
Specifies, when enabled, that the system inspects request
headers to see whether they contain a Null character, which
is not allowed. The default value is enabled.
post-with-zero-length
Specifies, when enabled, that the system examines POST
requests for a missing Content-Length header or a Content-
Length of 0, either of which fails the check. The default
value is disabled.
several-content-length
Specifies, when enabled, that the system examines each
request to see whether it has more than one content-length
header, which is considered illegal. The default value is
enabled.
unparsable-content
Specifies, when enabled, that the system examines requests
for content that the system cannot parse, which is not
permitted. The default value is enabled.
mandatory-headers
Specifies which headers must appear in requests, and specifies
what action the system takes when it detects a request without a
mandatory header. You can configure the following options for
mandatory headers:
alarm
Specifies, when enabled, that the system logs the request
data and displays it on the Protocol Security Statistics
screen whenever a request does not include a mandatory
header. The default value is enabled.
block
Specifies, when enabled, that the system stops requests that
do not include a mandatory header. The default value is
disabled.
values
Adds, deletes, or replaces a set of headers that must appear
in requests to be considered legal by the security profile.
You can either select an available mandatory-header or add a
new one. Note: The system stores mandatory headers in
lowercase in the security profile configuration, regardless
of whether it is case sensitive or not.
maximum-length
Specifies the default maximum length settings that the security
profile considers legal, and specifies what action the system
should take when it detects a request using an illegal length. You
can configure the following options for length checks:
alarm
Specifies, when enabled, that the system logs the request
data and displays it on the Protocol Security Statistics
screen whenever a request fails one of the length checks. The
default value is enabled.
block
Specifies, when enabled, that the system stops requests that
fail one of the length checks. The default value is disabled.
post-data
Indicates whether there is a maximum acceptable length, in
bytes, for the POST data portion of a request, and if so,
specifies it. The default value is any (no restriction).
query-string
Indicates whether there is a maximum acceptable length, in
bytes, for the query string portion of a request, and if so,
specifies it. The default value is 1024 bytes.
request
Indicates whether there is a maximum acceptable length, in
bytes, of a request, and if so, specifies it. The default
value is any (no restriction).
uri Indicates whether there is a maximum acceptable length, in
bytes, for a URL, and if so, specifies it. The default value
is 1024 bytes.
methods
Specifies which HTTP methods the security profile considers legal,
and specifies what action the system takes when it detects a
request using an illegal method. You can configure the following
options for methods:
alarm
Specifies, when enabled, that the system logs the request
data and displays it on the Protocol Security Statistics
screen whenever a request uses an illegal method. The default
value is enabled.
block
Specifies, when enabled, that the system stops requests that
use an illegal method. The default value is disabled.
values
Adds, deletes, or replaces a set of HTTP methods considered
legal by the security profile. You can either select an
available asm http-method or add a new one. Note: HTTP
methods are case sensitive even if the security profile is
case insensitive.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component
resides.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
response
Specifies information to display when the security profile blocks
a client request. You can configure the following options for
blocking page:
body Specifies the HTML code the system sends to the client in
response to an illegal blocked request. You can edit this text
only if the response type is custom.
headers
Specifies the set of response headers that the system sends
to the client in response to an illegal blocked request. You
can edit this text only if the response type is custom.
Separate each header with a new line (Ctrl-V followed by
Ctrl-J).
type Specifies which content, or URL, the system sends to the
client in response to an illegal blocked request.
custom
Specifies a modified response text. You can edit the
response header and HTML code in the properties headers
and body.
default
Specifies the system-supplied response text written in
HTML. You cannot edit that text. This is the default
value.
redirect
Specifies that the system redirects the user to a
specific web page instead of viewing a blocking page.
You can edit the redirect web page in the url property.
soap-fault
Specifies the system-supplied response written in SOAP
fault message structure. You cannot edit that text. Use
this type when a SOAP request is blocked due to an XML
related violation.
url Specifies the particular URL to which the system redirects
the user. You can edit this text only if the response type is
redirect. The value should be a full URL, for example,
http://www.myredirectpage.com.
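The following is an added example of tuning an existing profile; it is
not part of the original manual page. It assumes a profile named
api_http_sec already exists, and shows the staged approach a
practitioner would use: drop the noisy check groups to alarm-only,
adjust limits and method lists with add and delete rather than
replace-all-with so the other entries survive, verify the result, and
re-enable blocking once the Protocol Security Statistics screen is
clean. Lines beginning with # are commentary, not tmsh input.

```tmsh
# Alarm-only for the two groups most likely to hit legitimate clients.
modify security http profile api_http_sec http-rfc { block disabled } maximum-length { block disabled }

# Raise one length limit and add a method without replacing the rest of the list.
modify security http profile api_http_sec maximum-length { query-string 2048 } methods { values add { PATCH } }

# Remove a method, and switch off the header-count check (integer or disabled).
modify security http profile api_http_sec methods { values delete { DELETE } } http-rfc { maximum-headers disabled }

# Show only the values that differ from the parent, then the full effective settings.
list security http profile api_http_sec non-default-properties
list security http profile api_http_sec all-properties

# Restore blocking once the alarms have been reviewed.
modify security http profile api_http_sec http-rfc { block enabled } maximum-length { block enabled }

# Remove the profile when it is no longer needed. This fails if an
# application service with strict-updates enabled owns the profile.
delete security http profile api_http_sec
```

Because block is disabled by default in every group, a newly created
profile only alarms until block enabled is set explicitly; the
non-default-properties listing is the quickest way to confirm which
groups actually block before the profile is put in front of traffic.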
SEE ALSO
asm http-method, create, delete, edit, glob, list, ltm virtual, modify,
regex, security, security http, security http file-type, security http
mandatory-header, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013. All rights reserved.
BIG-IP 2013-06-13 security http profile(1)