HeaderValidationFilter
The HeaderValidationFilter validates the headers of requests and responses against configured rules.
A header rule has the following format:
<header-name-regexp>:<header-value-regexp>:<action>[:<logmode>][:<status-code>]
The rule parts have the following meaning:
<header-name-regexp>
: The regular expression for the header name.
<header-value-regexp>
: The regular expression for the header value.
<action>
:
  allow
  : If the header matches the <name-regexp>/<value-regexp>, the request/response is allowed (unless another rule blocks it).
  deny
  : If the header matches the <name-regexp>/<value-regexp>, the request is blocked.
  drop
  : If the header matches the <name-regexp>/<value-regexp>, the header will be removed from the request/response.
  required
  : If no header matches the <name-regexp>/<value-regexp>, the request/response is blocked.
<logmode>
:
  log
  : If you select this log mode, the system will trace an error if the actions deny or required occur, and a notice in case of the actions drop and allow. The log log mode is the default log mode for the actions deny, drop, and required.
  silent
  : If you select this log mode, the system will trace an info if the actions deny, drop or required occur. In the case of the action allow, the system traces a debug message. The silent log mode is the default log mode for the action "allow".
<status-code>
: The status code to return if the request is blocked (403 by default).
The filter applies only one rule per header: the first rule that matches. The remaining rules are ignored silently. If the header matches no rule, it is allowed.
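Because only the first matching rule is applied, rule order is security-relevant: a broad allow placed ahead of a narrower deny shadows it. The following Python model of the rule format and first-match evaluation is an added illustration, not nevisProxy code. It assumes that the regular expressions contain no ":" characters, that matching is whole-string with case-insensitive header names, and that a required rule is satisfied by any matching header; the rule lists and headers are constructed samples.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    name: re.Pattern
    value: re.Pattern
    action: str
    logmode: str
    status: int

def parse_rule(line):
    # Assumption: the regexes contain no ':' (the page does not describe escaping).
    name, value, action, *opts = line.strip().split(":")
    if action not in ("allow", "deny", "drop", "required"):
        raise ValueError(f"unknown action: {action!r}")
    logmode = "silent" if action == "allow" else "log"  # defaults stated on the page
    status = 403                                         # default status code
    for opt in opts:
        if opt in ("log", "silent"):
            logmode = opt
        else:
            status = int(opt)
    # Assumption: whole-string matching, header names compared case-insensitively.
    return Rule(re.compile(name, re.I), re.compile(value), action, logmode, status)

def evaluate(rules_text, headers):
    """Return (blocking status or None, headers passed on, {header name: rule index})."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    passed, applied, status = [], {}, None
    missing = {i for i, r in enumerate(rules) if r.action == "required"}
    for name, value in headers:
        matches = [i for i, r in enumerate(rules)
                   if r.name.fullmatch(name) and r.value.fullmatch(value)]
        missing -= set(matches)  # assumption: any matching header satisfies "required"
        if matches:
            hit = matches[0]     # only the first matching rule is applied
            applied[name] = hit
            if rules[hit].action == "deny" and status is None:
                status = rules[hit].status
            if rules[hit].action == "drop":
                continue         # header is removed, request goes on
        passed.append((name, value))
    if status is None and missing:
        status = rules[min(missing)].status
    return status, passed, applied

# Constructed rule lists: the same three rules in two different orders.
SHADOWED = "X-.*:.*:allow\nX-Forwarded-For:.*:deny:log:400\nVia:.*:drop"
ORDERED = "X-Forwarded-For:.*:deny:log:400\nX-.*:.*:allow\nVia:.*:drop"
HEADERS = [("X-Forwarded-For", "10.0.0.1"), ("Via", "1.1 demo"), ("Accept", "*/*")]
```

With `SHADOWED` the deny rule is never reached for `X-Forwarded-For` and the request passes; with `ORDERED` the same request is blocked with status 400.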
ch::nevis::nevisproxy::filter::validation::HeaderValidationFilter
libValidationFilters.so.1
Configuration
RequestHeaderRules
Type: Newline separated list of rules
Usage Constraint: optional, advanced
Defines a newline separated list of rules. The header values must fulfill these rules in order for the request to be allowed, blocked or dropped (depending on the value of the <action> part of the rule). If no rules are configured, all header values are allowed.
ResponseHeaderRules
Type: Newline separated list of rules
Usage Constraint: optional, advanced
Defines a newline separated list of rules. The header values must fulfill these rules in order for the response to be allowed, blocked or dropped (depending on the value of the <action> part of the rule). If no rules are configured, all header values are allowed.
BlockOnError
Type: Enum
Possible values: on, off, log
Usage Constraint: optional, conditions are allowed
Default: on
Defines a newline separated list of conditions. The filter will either block or log requests with the matching header (the settings on or log, respectively). In case of the setting off, the filter does not inspect the request headers at all.
This sample configuration makes sure that all requests with header "Content-Type: application/x-www-formurlencoded" will contain valid headers (as per the configured constraints). No other requests will be processed.
Condition:HEADER:Content-Type:application/x-www-formurlencoded
on
off