Version: 3.14.x.x LTS

HeaderValidationFilter

The HeaderValidationFilter validates the headers of requests and responses by configuring rules.

A header rule has the following format:

<header-name-regexp>:<header-value-regexp>:<action>[:<logmode>][:<status-code>]

The rule parts have the following meaning:

  • <header-name-regexp>: The regular expression for the header name.
  • <header-value-regexp>: The regular expression for the header value.
  • <action>:
    • "allow": If the header matches the <name-regexp>/<value-regexp>, the request/response is allowed (unless another rule blocks it).
    • "deny": If the header matches the <name-regexp>/<value-regexp>, the request is blocked.
    • "drop": If the header matches the <name-regexp>/<value-regexp>, the header will be removed from the request/response.
    • "required": If no header matches the <name-regexp>/<value-regexp>, the request/response is blocked.
  • <logmode>:
    • "log": With this log mode, the system traces an error when the action "deny" or "required" occurs, and a notice for the actions "drop" and "allow". "log" is the default log mode for the actions "deny", "drop", and "required".
    • "silent": With this log mode, the system traces an info message when the action "deny", "drop" or "required" occurs. For the action "allow", the system traces a debug message. "silent" is the default log mode for the action "allow".
  • <status-code>: The status code to return if the request is blocked ("403" by default).

The filter applies only one rule per header: the first rule that matches. The remaining rules are ignored silently. If the header matches no rule, it is allowed.
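The following Python model of the rule format and the first-match behaviour described above is an added example, not nevisProxy code; it is meant for checking rule order before deployment. It assumes Python `re` syntax, whole-string matching, case-insensitive header names, that optional fields are read from the right, and that a "required" rule is checked against all headers of the message; the rule set and the names `parse_rule`, `hits` and `evaluate` are constructed for illustration.

```python
import re

ACTIONS = ("allow", "deny", "drop", "required")

def parse_rule(line):
    """Parse <name-re>:<value-re>:<action>[:<logmode>][:<status-code>], reading from the right."""
    parts = line.strip().split(":")
    status, logmode = 403, None                      # documented default status
    if len(parts) > 3 and parts[-1].isdigit():
        status = int(parts.pop())
    if len(parts) > 3 and parts[-1] in ("log", "silent"):
        logmode = parts.pop()
    if len(parts) < 3 or parts[-1] not in ACTIONS:
        raise ValueError(f"malformed rule: {line!r}")
    action = parts.pop()
    logmode = logmode or ("silent" if action == "allow" else "log")  # documented defaults
    # Assumption: the name regexp has no ':'; any further ':' belongs to the value regexp.
    return {"name": re.compile(parts[0], re.I), "value": re.compile(":".join(parts[1:])),
            "action": action, "logmode": logmode, "status": status}

def hits(rule, name, value):
    # Assumption: whole-string match, header names compared case-insensitively.
    return bool(rule["name"].fullmatch(name) and rule["value"].fullmatch(value))

def evaluate(rule_text, headers):
    """Return (verdict, status, forwarded_headers) for a list of (name, value) pairs."""
    rules = [parse_rule(l) for l in rule_text.splitlines() if l.strip()]
    kept = []
    for name, value in headers:
        rule = next((r for r in rules if hits(r, name, value)), None)  # first match only
        if rule and rule["action"] == "deny":
            return "blocked", rule["status"], []
        if not (rule and rule["action"] == "drop"):  # unmatched headers are allowed
            kept.append((name, value))
    for r in rules:                                  # "required": some header must match
        if r["action"] == "required" and not any(hits(r, n, v) for n, v in headers):
            return "blocked", r["status"], []
    return "allowed", None, kept

# Constructed sample rule set: allow-list Content-Length, strip X-Forwarded-*, require Host.
RULES = """\
Host:.+:required
Content-Length:[0-9]+:allow
Content-Length:.*:deny:log:400
X-Forwarded-.*:.*:drop:silent
"""

if __name__ == "__main__":
    print(evaluate(RULES, [("Host", "app.example.com"), ("Content-Length", "4 2")]))
```

Swapping the two Content-Length rules makes the catch-all "deny" the first match for every value, so the "allow" rule below it is never reached.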

Classname: ch::nevis::nevisproxy::filter::validation::HeaderValidationFilter
Library: libValidationFilters.so.1

Configuration

  • RequestHeaderRules
    • Type, Usage Constraints, Defaults: Newline separated list of rules; optional, advanced
    • Description: Defines a newline separated list of rules. The header values must fulfill these rules in order for the request to be allowed, blocked or dropped (depending on the value of the <action> part of the rule). If no rules are configured, all header values are allowed.
  • ResponseHeaderRules
    • Type, Usage Constraints, Defaults: Newline separated list of rules; optional, advanced
    • Description: Defines a newline separated list of rules. The header values must fulfill these rules in order for the response to be allowed, blocked or dropped (depending on the value of the <action> part of the rule). If no rules are configured, all header values are allowed.
  • BlockOnError
    • Type, Usage Constraints, Defaults: conditional, enum: 'on, off, log'; optional, default: 'on'
    • Description: Defines a newline separated list of conditions. The filter will either block or log requests with the matching header (the settings "on" or "log", respectively). In case of the setting "off", the filter does not inspect the request headers at all.

Sample:

Condition:HEADER:Content-Type:application/x-www-form-urlencoded
on
off

This sample configuration makes sure that all requests with the header "Content-Type: application/x-www-form-urlencoded" contain valid headers (as per the configured constraints). The filter does not inspect the headers of any other request.