Version: 8.2411.x.x RR

HeaderValidationFilter

The HeaderValidationFilter validates the headers of requests and responses by configuring rules.

A header rule has the following format:

<header-name-regexp>:<header-value-regexp>:<action>[:<logmode>][:<status-code>]

The rule parts have the following meaning:

  • <header-name-regexp>: The regular expression for the header name.
  • <header-value-regexp>: The regular expression for the header value.
  • <action>:
    • allow: If the header matches the <header-name-regexp>/<header-value-regexp>, the request/response is allowed (unless another rule blocks it).
    • deny: If the header matches the <header-name-regexp>/<header-value-regexp>, the request is blocked.
    • drop: If the header matches the <header-name-regexp>/<header-value-regexp>, the header is removed from the request/response.
    • required: If no header matches the <header-name-regexp>/<header-value-regexp>, the request/response is blocked.
  • <logmode>:
    • log: With this log mode, the system traces an error when the action deny or required occurs, and a notice for the actions drop and allow. log is the default log mode for the actions deny, drop, and required.
    • silent: With this log mode, the system traces an info message when the action deny, drop or required occurs. For the action allow, the system traces a debug message. silent is the default log mode for the action allow.
  • <status-code>: The status code to return if the request is blocked (403 by default).

The filter applies only one rule per header: the first rule that matches. The remaining rules are silently ignored. If the header matches no rule, it is allowed.
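
The following Python sketch is an added example, not nevisProxy code: it models the rule format and the first-match behaviour described above so that rule ordering can be checked offline. It assumes that the regexps contain no ":" and must match the whole header name or value, that header names compare case-insensitively, and that required rules are checked separately from the per-header pass; the rule sets and headers are constructed samples.

```python
import re

ACTIONS = {"allow", "deny", "drop", "required"}

def parse_rule(line):
    """Parse <name-re>:<value-re>:<action>[:<logmode>][:<status-code>].
    Assumption: neither regexp contains ':'."""
    parts = line.strip().split(":")
    if len(parts) < 3 or parts[2] not in ACTIONS:
        raise ValueError(f"malformed rule: {line!r}")
    rule = {"name": re.compile(parts[0], re.I), "value": re.compile(parts[1]),
            "action": parts[2], "status": 403}  # 403 is the documented default
    for extra in parts[3:]:
        if extra.isdigit():
            rule["status"] = int(extra)
        elif extra not in ("log", "silent"):  # log mode is accepted, not modelled
            raise ValueError(f"malformed rule: {line!r}")
    return rule

def matches(rule, name, value):
    # Assumption: both regexps must match the whole name / value.
    return bool(rule["name"].fullmatch(name) and rule["value"].fullmatch(value))

def evaluate(rules_text, headers):
    """Return (status, forwarded_headers); status is None if not blocked."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    per_header = [r for r in rules if r["action"] != "required"]
    kept = []
    for name, value in headers:
        # Only the first matching rule applies; no match means allowed.
        hit = next((r for r in per_header if matches(r, name, value)), None)
        if hit and hit["action"] == "deny":
            return hit["status"], []
        if not (hit and hit["action"] == "drop"):
            kept.append((name, value))
    for r in rules:  # assumption: required is checked over all headers
        if r["action"] == "required" and not any(matches(r, n, v) for n, v in headers):
            return r["status"], []
    return None, kept

# Constructed rule sets. In SHADOWED the broad allow rule matches X-Debug
# first, so the deny rule below it is never applied.
SHADOWED = "X-.*:.*:allow\nX-Debug:.*:deny"
ORDERED = "X-Debug:.*:deny:log:400\nX-Internal-.*:.*:drop\nHost:.+:required"

if __name__ == "__main__":
    request = [("Host", "a.example"), ("X-Debug", "1")]  # constructed sample
    print(evaluate(SHADOWED, request))
    print(evaluate(ORDERED, request))
```

Placing specific deny and drop rules before broad allow rules keeps them from being shadowed.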

  • Classname: ch::nevis::nevisproxy::filter::validation::HeaderValidationFilter
  • Library: libValidationFilters.so.1

Configuration

RequestHeaderRules

  • Type: Newline separated list of rules
  • Usage Constraint: optional, advanced
  • Defines a newline separated list of rules. The header values must fulfill these rules in order for the request to be allowed, blocked or dropped (depending on the value of the <action> part of the rule). If no rules are configured, all header values are allowed.

ResponseHeaderRules

  • Type: Newline separated list of rules
  • Usage Constraint: optional, advanced
  • Defines a newline separated list of rules. The header values must fulfill these rules in order for the response to be allowed, blocked or dropped (depending on the value of the <action> part of the rule). If no rules are configured, all header values are allowed.

BlockOnError

  • Type: Enum: on, off, log
  • Usage Constraint: optional, conditions are allowed
  • Default: on
  • Defines a newline separated list of conditions. The filter will either block or log requests with the matching header (the settings on or log, respectively). In case of the setting off, the filter does not inspect the request headers at all.

This sample configuration makes sure that all requests with the header "Content-Type: application/x-www-form-urlencoded" contain valid headers (as per the configured constraints). No other requests will be processed.

Example:
Condition:HEADER:Content-Type:application/x-www-form-urlencoded
on
off