Last updated on: 2024-04-01 03:24:20.
bigip_security_http_profile – Manage security HTTP profiles on a BIG-IP¶
New in version 1.13.0.
Parameters¶
| Parameter | Choices/Defaults | Configuration | Comments | |
|---|---|---|---|---|
|
description
string
|
Specifies descriptive text that identifies security HTTP profile.
|
|||
|
evasion_techniques
dictionary
|
Specifies what action the system takes when it detects an evasion technique.
|
|||
|
alarm
boolean
|
|
When set to
true, the system logs the request data whenever it detects an evasion technique. |
||
|
block
boolean
|
|
When set to
true, the system stops requests whenever it detects an evasion technique. |
||
|
file_type
dictionary
|
Specifies which file types the security profile considers legal, and specifies what action the system takes when it detects a request for an illegal file type.
|
|||
|
alarm
boolean
|
|
When set to
true, the system logs the request data whenever it detects an illegal file type. |
||
|
allowed
list
/ elements=string
|
Specifies a list of file types that are allowed by the system.
When defined, all but the file types in the
allowed list are considered illegal.This parameter is mutually exclusive with
disallowed. |
|||
|
block
boolean
|
|
When set to
true, the system stops requests whenever it detects an illegal file type. |
||
|
disallowed
list
/ elements=string
|
Specifies a list of file types that are disallowed by the system.
When defined, only file types found in the disallowed list are considered illegal.
This parameter is mutually exclusive with
allowed. |
|||
|
header
dictionary
|
Specifies which headers must appear in requests, and specifies what action the system takes when it detects a request without a mandatory header.
|
|||
|
alarm
boolean
|
|
When set to
true, the system logs the request data whenever a request does not include a mandatory header. |
||
|
block
boolean
|
|
When set to
true, the system stops requests that do not include a mandatory header. |
||
|
mandatory_headers
list
/ elements=string
|
Lists the headers that must appear in requests to be considered legal by the security profile.
|
|||
|
http_protocol_checks
dictionary
|
Specifies which validations the system should check and what action the system takes when it detects a request that is not formatted properly.
|
|||
|
alarm
boolean
|
|
When set to
true, the system logs the request data whenever a request fails one of the enabled HTTP protocol checks. |
||
|
bad_host_header
boolean
|
|
When set to
true, the system inspects requests to see whether they contain a non RFC compliant header value. |
||
|
bad_version
boolean
|
|
When set to
true, the system inspects requests to see whether they request information from a client using a legal HTTP protocol version number 0.9 or higher. |
||
|
block
boolean
|
|
When set to
true, the system stops requests that fail one of the enabled HTTP protocol checks. |
||
|
body_in_get_head
boolean
|
|
When set to
true, the system examines requests that use the HEAD or GET methods to see whether the requests contain data in their bodies, which is considered illegal. |
||
|
chunked_with_content_length
boolean
|
|
When set to
true, the system examines chunked requests for a content-length header, which is not permitted. |
||
|
content_length_is_positive
boolean
|
|
When set to
true, the system examines requests to see whether their content length value is greater than zero. |
||
|
header_name_without_value
boolean
|
|
When set to
true, the system checks requests for valueless header names, which are considered illegal. |
||
|
high_ascii_in_headers
boolean
|
|
When set to
true, the system inspects request headers for ASCII characters greater than 127, which are not permitted. |
||
|
host_header_is_ip
boolean
|
|
When set to
true, the system verifies the request's host header value is not an IP address. |
||
|
maximum_headers
integer
|
When set, the system compares the number of headers in the requests against the number specified here.
The valid value range is 1 -150.
|
|||
|
null_in_body
boolean
|
|
When set to
true, the system inspects the request body to see whether it contains a Null character, which is not allowed. |
||
|
null_in_headers
boolean
|
|
When set to
true, the system inspects request headers to see whether they contain a Null character, which is not allowed. |
||
|
post_with_zero_length
boolean
|
|
When set to
true, the system examines POST method requests for no content-length header, and for a content length of 0. |
||
|
several_content_length
boolean
|
|
When set to
true, the system examines each request to see whether it has more than one content-length header, which is considered illegal. |
||
|
unparsable_content
boolean
|
|
When set to
true, the system examines requests for content the system cannot parse, which is not permitted. |
||
|
length
dictionary
|
Specifies the default maximum length settings the security profile considers legal, and specifies what action the system should take when it detects a request using an illegal length.
|
|||
|
alarm
boolean
|
|
When set to
true, the system logs the request data whenever a request fails one of the length checks. |
||
|
block
boolean
|
|
When set to
true, the system stops requests that fail one of the length checks. |
||
|
post_data
integer
|
Indicates whether there is a maximum acceptable length, in bytes, for the POST data portion of a request.
To specify no length restriction, type
0. |
|||
|
query_string
integer
|
Indicates whether there is a maximum acceptable length, in bytes, for the query string portion of a request, and if so, specifies it.
To specify no length restriction, type
0. |
|||
|
request
integer
|
Indicates whether there is a maximum acceptable length, in bytes, of a request, and if so, specifies it.
To specify no length restriction, type
0. |
|||
|
uri
integer
|
Indicates whether there is a maximum acceptable length, in bytes, for a URL, and if so, specifies it.
To specify no length restriction, type
0. |
|||
|
method
dictionary
|
Specifies which HTTP methods the security profile considers legal, and specifies what action the system takes when it detects a request using an illegal method.
|
|||
|
alarm
boolean
|
|
When set to
true, the system logs the request data whenever a request uses an illegal method. |
||
|
allowed_methods
list
/ elements=string
|
Lists the HTTP methods considered legal by the security profile.
|
|||
|
block
boolean
|
|
When set to
true, the system stops requests that use an illegal method. |
||
|
name
string
/ required
|
Specifies the name of the security HTTP profile to manage.
|
|||
|
parent
string
|
Specifies the profile from which this profile inherits settings.
When creating a new profile, if this parameter is not specified, the default is the system-supplied
http_security profile.Once the parent profile is set it cannot be changed.
|
|||
|
partition
string
|
Default: "Common"
|
Device partition to manage resources on.
|
||
|
response
dictionary
|
Configures the information to display when the security profile blocks a client request.
|
|||
|
body
string
|
Specifies the HTML code the system sends to the client in response to an illegal blocked request.
This parameter is required when
type is custom. |
|||
|
header
string
|
Specifies the response headers the system sends to the client in response to an illegal blocked request.
This parameter is required when
type is custom. |
|||
|
type
string
|
|
Specifies which content, or URL, the system sends to the client in response to an illegal blocked request.
When set to
default, specifies the system-supplied response text written in HTML.When set to
custom, specifies a modified response text set by the body and header parameters.When set to
redirect, specifies the system redirects the user to a specific web page instead of viewing a blocking page. The link to the page can be specified by the url parameter.When set to
soap-fault, specifies the system-supplied response written in SOAP fault message structure. Use this type when a SOAP request is blocked due to an XML related violation.When set to
soap-fault or default, the body and header parameters are ignored. |
||
|
url
string
|
Specifies the particular URL to which the system redirects the user.
|
|||
|
state
string
|
|
When
present, ensures the security HTTP profile is created.When
absent, ensures the security HTTP profile is removed. |
||
Examples¶
- name: Create an HTTP security profile
bigip_security_http_profile:
name: test_http_profile
description: 'this is a test profile'
evasion_techniques:
alarm: 'no'
block: 'yes'
file_type:
block: 'yes'
allowed:
- 'zip'
- 'js'
- 'json'
http_protocol_checks:
bad_host_header: 'yes'
bad_version: 'yes'
body_in_get_head: 'no'
high_ascii_in_headers: 'no'
method:
allowed_methods:
- 'GET'
- 'POST'
- 'PATCH'
header:
mandatory_headers:
- 'authorization'
length:
post_data: 0
request: 2048
uri: 512
response:
type: 'redirect'
url: 'https://you-are-banned.net'
- name: Modify an HTTP security profile
bigip_security_http_profile:
name: test_http_profile
file_type:
disallowed:
- 'zip'
- 'js'
- 'json'
method:
allowed_methods:
- 'GET'
- 'POST'
- 'PATCH'
- 'DELETE'
- name: Delete an HTTP security profile
bigip_security_http_profile:
name: test_http_profile
state: absent
Return Values¶
The following are the fields unique to this module:
| Key | Returned | Description | |
|---|---|---|---|
|
description
string
|
changed |
Specifies descriptive text that identifies security HTTP profile.
Sample:
this is a text
|
|
|
evasion_techniques
complex
|
changed |
The action the system takes when it detects an evasion technique.
|
|
|
alarm
boolean
|
changed |
The system logs the request data whenever it detects an evasion technique.
Sample:
True
|
|
|
block
boolean
|
changed |
The system stops requests whenever it detects an evasion technique.
|
|
|
file_type
complex
|
changed |
The file types the security profile considers legal and action to take if an illegal file type has been detected.
|
|
|
alarm
boolean
|
changed |
The system logs the request data whenever it detects an illegal file type.
Sample:
True
|
|
|
allowed
list
|
changed |
The list of file types that are disallowed by the system.
Sample:
['js', 'asp']
|
|
|
block
boolean
|
changed |
The system stops requests whenever it detects an illegal file type.
|
|
|
disallowed
list
|
changed |
The list of file types that are allowed by the system.
Sample:
['js', 'asp']
|
|
|
header
complex
|
changed |
Specifies which headers must appear in requests.
|
|
|
alarm
boolean
|
changed |
The system logs the request data whenever a request does not include a mandatory header.
Sample:
True
|
|
|
block
boolean
|
changed |
The system stops requests that do not include a mandatory header.
|
|
|
mandatory_headers
list
|
changed |
The headers that must appear in requests to be considered legal by the security profile.
Sample:
['cookie']
|
|
|
http_protocol_checks
complex
|
changed |
The validations the system should check and action to be taken if a violation is detected.
|
|
|
alarm
boolean
|
changed |
The system logs the request data whenever it detects an HTTP protocol violation.
Sample:
True
|
|
|
bad_host_header
boolean
|
changed |
The system inspects requests to see whether they contain a non RFC compliant header value.
Sample:
True
|
|
|
bad_version
boolean
|
changed |
The system inspects requests to see whether they request information from a client using a legal HTTP protocol version number.
Sample:
True
|
|
|
block
boolean
|
changed |
The system stops requests whenever it detects an HTTP protocol violation.
|
|
|
body_in_get_head
boolean
|
changed |
The system examines requests that use the HEAD or GET methods to see whether the requests contain data in their bodies.
Sample:
True
|
|
|
chunked_with_content_length
boolean
|
changed |
The system examines chunked requests for a content-length header.
Sample:
True
|
|
|
content_length_is_positive
boolean
|
changed |
The system examines requests to see whether their content length value is greater than zero.
Sample:
True
|
|
|
header_name_without_value
boolean
|
changed |
The system checks requests for valueless header names.
Sample:
True
|
|
|
high_ascii_in_headers
boolean
|
changed |
The system inspects request headers for ASCII characters greater than 127.
Sample:
True
|
|
|
host_header_is_ip
boolean
|
changed |
The system verifies the request's host header value is not an IP address.
Sample:
True
|
|
|
maximum_headers
integer
|
changed |
The system compares the number of headers in the requests against the number specified here.
Sample:
30
|
|
|
null_in_body
boolean
|
changed |
The system inspects the request body to see whether it contains a Null character.
Sample:
True
|
|
|
null_in_headers
boolean
|
changed |
The system inspects request headers to see whether they contain a Null character.
Sample:
True
|
|
|
post_with_zero_length
boolean
|
changed |
The system examines POST method requests for no content-length header.
Sample:
True
|
|
|
several_content_length
boolean
|
changed |
The system examines each request to see whether it has more than one content-length header.
Sample:
True
|
|
|
unparsable_content
boolean
|
changed |
The system examines requests for content the system cannot parse.
Sample:
True
|
|
|
length
complex
|
changed |
The default maximum length settings the security profile considers legal.
|
|
|
alarm
boolean
|
changed |
The system logs the request data whenever a request fails one of the length checks.
Sample:
True
|
|
|
block
boolean
|
changed |
The system stops requests that fail one of the length checks.
|
|
|
post_data
integer
|
changed |
Maximum acceptable length, in bytes, for the POST data portion of a request.
Sample:
2048
|
|
|
query_string
integer
|
changed |
Maximum acceptable length, in bytes, for the query string portion of a request.
Sample:
2048
|
|
|
request
integer
|
changed |
Maximum acceptable length, in bytes, of a request.
Sample:
2048
|
|
|
uri
integer
|
changed |
Maximum acceptable length, in bytes, for a URL.
Sample:
2048
|
|
|
method
complex
|
changed |
Specifies which HTTP methods the security profile considers legal.
|
|
|
alarm
boolean
|
changed |
The system logs the request data whenever a request uses an illegal method.
Sample:
True
|
|
|
allowed_methods
list
|
changed |
The HTTP methods considered legal by the security profile.
Sample:
['GET', 'PATCH']
|
|
|
block
boolean
|
changed |
The system stops requests that use an illegal method.
|
|
|
parent
string
|
changed |
Specifies the profile from which this profile inherits settings.
Sample:
/Common/foo_profile
|
|
|
response
complex
|
changed |
The information to display when the security profile blocks a client request.
|
|
|
body
string
|
changed |
The HTML code the system sends to the client in response to an illegal blocked request.
Sample:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.</body></html>
|
|
|
header
string
|
changed |
The response headers the system sends to the client in response to an illegal blocked request.
Sample:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Connection: close
|
|
|
type
string
|
changed |
The content, or URL, the system sends to the client in response to an illegal blocked request.
Sample:
default
|
|
|
url
string
|
changed |
The response headers that the system sends to the client in response to an illegal blocked request.
Sample:
https://you-are-banned.net
|
|