Configuring HTTP filtering for IAG traffic

Applies To: Intelligent Application Gateway (IAG)

Whale Communications Intelligent Application Gateway (IAG) 2007 can check the headers of incoming HTTP requests, and it can reject unwanted headers, cookies, and parameters. You can configure the header checks to do the following:

  • Enforce character ranges

  • Check size of header names and values

  • Enforce length, type, and values of specific headers

  • Check size of cookies

  • Enforce length, type, and values of specific cookies

  • Enforce length, type, and values of cookies and headers that are not specifically configured

For more information about the HTTP header checking process, see About HTTP filtering in IAG.

Configure HTTP header checking as follows:

  • Block the "Negotiate" authorization header. A negotiate authorization header sent by clients may contain malformed code, which could cause denial of service and browser crashes. This vulnerability was announced in Microsoft’s Security Bulletin MS04-011, as ASN.1 “Double Free” Vulnerability - CAN-2004-0123. IAG can overcome this vulnerability by blocking headers starting with authorization: negotiate.

  • Set the maximum size of HTTP POST and PUT data

  • Configure additional HTTP checks in the HdrRuleSet.ini configuration file

  • Support HTTP filtering for non-compliant HTTP applications. Various registry keys can be added to the HTTP filter to enable IAG to communicate with applications that do not comply with the HTTP Request for Comments (RFC), as follows:

    • Separation of header and data

    • Data chunking

    • Header Content-Type

    • Enabling characters to appear after escaped characters in URL parameters

Blocking negotiate headers

Block negotiate headers as follows:

To block "negotiate" headers

  1. In the IAG Configuration console, click the portal node.

  2. In the Advanced Trunk Configuration dialog box, click the URL Inspection tab.

  3. Select Block "Negotiate" Authorization Header to specify that negotiate headers are blocked.

Setting the maximum size of PUT and POST data

Set the maximum size as follows:

To set maximum PUT and POST size

  1. In the IAG Configuration console, click the portal node.

  2. Next to Advanced Trunk Configuration, click Configure.

  3. In the Advanced Trunk Configuration dialog box, click the URL Inspection tab.

  4. Select Max Post/Put Data, and then specify a limit in bytes. The default setting is -1. If this setting is not selected, the size is unlimited. If you enter a positive value and a request body exceeds this value, the request is denied and the error message URL is sent in reply.

Configuring additional HTTP header checks

You can configure the HTTP header checks in the configuration file HdrRuleSet.ini.

To configure the HTTP header checking .ini file

  1. Copy the configuration file HdrRuleSet.ini from \Whale-Com\e-Gap\Von\Samples\RuleSet to the folder \Whale-Com\e-Gap\Von\Conf\WebSites\<Trunk_Name>\Conf\CustomUpdate. If the folder does not exist, create it.

  2. Configure the file options. For detailed information, see HTTP checking header configuration file.

  3. Repeat the steps above for all the trunks for which you wish to implement the additional header checking.

  4. In the Configuration console, click the Activate icon to activate the configuration, select the option “Apply changes made to external configuration settings”, and click Activate.

Supporting HTTP filtering for non-compliant HTTP applications

Enabling irregular separation of header and data

According to the HTTP RFC, an HTTP header block has to be separated from the HTML data with the string: CRLF CRLF. If a non-compliant application uses the string LF LF instead, you can enable IAG filters to communicate with it as follows:

To enable irregular separation of header and data

  1. On the IAG server, access the following registry key: WhaleCom\e-Gap\Von\UrlFilter.

  2. Create a new DWORD value named EndOfHeadersByLFLF, and set the value to 1.

  3. In the Configuration console, click the Activate icon to activate the configuration, select the option “Apply changes made to external configuration settings”, and click Activate.

    Once the configuration is activated, the filter can accept headers ending with LF LF.

Enabling irregular data chunking

You can enable the HTTP filter to handle data chunking where four extra null bytes are added to the end of the chunk. Such abnormal header chunks are sent by some application servers, even though they do not comply with the HTTP RFC. Enable as follows:

To enable irregular HTTP data chunking

  1. On the IAG server, access the following registry key: WhaleCom\e-Gap\Von\URLFilter.

  2. Create a new DWORD value named HandleChunksAbnormality, and set the value to 1.

  3. Once the configuration is activated, the filter can handle the irregular data chunking described above.
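The two registry flags above (EndOfHeadersByLFLF and HandleChunksAbnormality) each relax one piece of HTTP framing that a strict filter would otherwise reject. The following Python model, added here as an illustration and not taken from IAG or Whale Communications code, shows the difference between strict and relaxed behaviour on constructed request bytes: header-end detection that accepts only CRLF CRLF unless the LF LF flag is set, and a chunked-body decoder that tolerates four extra NUL bytes on a chunk only when the abnormality flag is set. The placement of the NUL bytes (between the chunk data and its CRLF) and the registry hive lookup are assumptions of this model, not details the page states.

```python
"""Simplified model of the two HTTP-framing tolerances IAG exposes as registry flags.

Added example, not IAG code. The flag names mirror the registry value names from the
documentation; the parsing logic is a deliberately small model of the documented
behaviour, not the filter's real implementation.
"""
from dataclasses import dataclass

CRLF_CRLF = b"\r\n\r\n"   # RFC-compliant end of the header block
LF_LF = b"\n\n"           # terminator used by some non-compliant applications


@dataclass
class FilterFlags:
    end_of_headers_by_lflf: bool = False    # EndOfHeadersByLFLF = 1
    handle_chunks_abnormality: bool = False  # HandleChunksAbnormality = 1


def flags_from_registry(values: dict) -> FilterFlags:
    """Build flags from a dict modelling the DWORD values under the URLFilter key.
    (Reading the real key with winreg is left to the reader; the dict is a stand-in.)"""
    return FilterFlags(
        end_of_headers_by_lflf=values.get("EndOfHeadersByLFLF", 0) == 1,
        handle_chunks_abnormality=values.get("HandleChunksAbnormality", 0) == 1,
    )


def split_headers(raw: bytes, flags: FilterFlags):
    """Return (header_block, body), or None when no acceptable terminator is present.

    Strict mode accepts CRLF CRLF only. With EndOfHeadersByLFLF set, LF LF is also
    accepted, and the earliest terminator of either kind wins."""
    candidates = []
    idx = raw.find(CRLF_CRLF)
    if idx != -1:
        candidates.append((idx, len(CRLF_CRLF)))
    if flags.end_of_headers_by_lflf:
        idx = raw.find(LF_LF)
        if idx != -1:
            candidates.append((idx, len(LF_LF)))
    if not candidates:
        return None
    idx, term_len = min(candidates)
    return raw[:idx], raw[idx + term_len:]


def decode_chunked(body: bytes, flags: FilterFlags):
    """Decode a chunked transfer-coding body; return None on a framing error.

    With HandleChunksAbnormality set, four NUL bytes sitting between a chunk's data
    and its terminating CRLF are skipped (assumed placement of the documented
    'four extra null bytes'). Trailer headers are ignored in this model."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end == -1:
            return None
        size_text = body[pos:line_end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_text, 16)
        except ValueError:
            return None
        pos = line_end + 2
        if size == 0:
            return bytes(out)  # last-chunk reached
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            return None  # truncated chunk
        out += chunk
        pos += size
        if flags.handle_chunks_abnormality and body[pos:pos + 4] == b"\x00\x00\x00\x00":
            pos += 4  # tolerate the non-compliant padding
        if body[pos:pos + 2] != b"\r\n":
            return None  # chunk data not followed by CRLF
        pos += 2


if __name__ == "__main__":
    strict = FilterFlags()
    relaxed = flags_from_registry({"EndOfHeadersByLFLF": 1, "HandleChunksAbnormality": 1})
    # Constructed sample messages, not captured traffic.
    lf_request = b"POST /app HTTP/1.1\nHost: example.test\n\nbody"
    padded_body = b"5\r\nhello\x00\x00\x00\x00\r\n0\r\n\r\n"
    print("strict LF LF:", split_headers(lf_request, strict))
    print("relaxed LF LF:", split_headers(lf_request, relaxed))
    print("strict padded chunk:", decode_chunked(padded_body, strict))
    print("relaxed padded chunk:", decode_chunked(padded_body, relaxed))
```

Keeping both flags off is the safer default: each relaxation widens the set of byte sequences two parsers in the path may interpret differently, which is exactly the kind of ambiguity request-smuggling style attacks rely on, so enable a flag only for a trunk whose back-end application genuinely needs it.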

Enabling filtering of headers with an empty content-type field

You can enable the HTTP filter to handle headers in which the “Content-Type” field is empty as follows:

To enable filtering of a header without a content-type

  1. On the IAG server, access the following registry key: WhaleCom\e-Gap\Von\URLFilter.

  2. Create a new DWORD value named AllowPostWithoutContentType and set the value to 1.

  3. In the Configuration console, click the Activate icon to activate the configuration, select the option “Apply changes made to external configuration settings”, and click Activate. Once the configuration is activated, the filter can handle HTTP headers without a content-type.

Defining characters appearing after escaped characters

HTTP RFC 2396 allows the percent character “%” to appear only as part of an encoded character. For internal purposes, the IAG URL Inspection engine does allow the “%” character to appear as a regular character after escaped characters, in URL parameters only. You can use this capability to enable the URL Inspection engine to allow additional characters to appear after escaped characters in URL parameters as follows:

To define which characters can appear after escaped characters

  1. On the IAG server, access the following registry key: WhaleCom\e-Gap\Von\URLFilter.

  2. Create a new string value named AllowedCharactersAfterEscapeChar.

  3. Modify the value data, entering the characters that will be allowed to appear after escaped characters in URL parameters, in the following format: %<character><character>.

    After you create this registry value, you must add the “%” character, which is otherwise allowed by default, to the list of allowed characters; otherwise it is rejected by the filter. You can list up to 256 characters. Note that values are case-sensitive. For example, to allow the characters “Q” and “z” to appear after escaped characters, in addition to the “%” character, enter the following: %%Qz.

  4. In the Configuration console, click the Activate icon to activate the configuration, select the option “Apply changes made to external configuration settings”, and click Activate. After the configuration is activated, the URL Inspection engine will accept the characters you defined here, when they appear after escaped characters in URL parameters.
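The AllowedCharactersAfterEscapeChar format is easy to get wrong (the leading “%” is part of the format, and the default “%” tolerance is lost unless it is re-listed). The following Python model, added here as an illustration and not taken from IAG code, parses a value in that format and applies it to constructed URL parameter values. It is a simplified model of the documented rule: a “%” is normally accepted only as a %XX escape, a character immediately following a completed escape is additionally accepted if it is on the allow-list, and the allow-list defaults to “%” alone. The set of characters treated as ordinary parameter characters (RFC 2396 unreserved) and the name `check_param_value` are assumptions of this example, not IAG's own.

```python
"""Simplified model of the IAG AllowedCharactersAfterEscapeChar check.

Added example, not IAG code. Registry value format per the documentation:
%<character><character>... (leading % is the format prefix, list is case-sensitive,
at most 256 characters). The ordinary-character set below is an assumption.
"""
import string

HEX_DIGITS = frozenset(string.hexdigits)
# Assumed ordinary parameter characters: RFC 2396 unreserved set. '%' is not in it.
PARAM_CHARS = frozenset(string.ascii_letters + string.digits + "-_.!~*'()")
DEFAULT_AFTER_ESCAPE = frozenset("%")   # tolerated after an escape when no value is set
MAX_LIST_LENGTH = 256


def parse_allowed_after_escape(reg_value):
    """Turn the registry string into the set of characters tolerated after an escape.

    None models an absent registry value (documented default: '%' only). A value
    replaces the default entirely, so '%' must be re-listed to keep it."""
    if reg_value is None:
        return DEFAULT_AFTER_ESCAPE
    if not reg_value.startswith("%"):
        raise ValueError("value must use the format %<character><character>")
    chars = reg_value[1:]
    if len(chars) > MAX_LIST_LENGTH:
        raise ValueError("at most 256 characters may be listed")
    return frozenset(chars)  # case-sensitive, as documented


def _is_escape(value, i):
    """True when value[i:i+3] is a well-formed %XX escape."""
    return (value[i] == "%" and i + 2 < len(value) + 0 and len(value) - i >= 3
            and value[i + 1] in HEX_DIGITS and value[i + 2] in HEX_DIGITS)


def check_param_value(value, allowed_after_escape=DEFAULT_AFTER_ESCAPE):
    """Return True if the URL parameter value passes the modelled inspection.

    Each character is either part of a %XX escape, an ordinary parameter character,
    or (only immediately after a completed escape) a member of the allow-list."""
    i = 0
    after_escape = False
    while i < len(value):
        if _is_escape(value, i):
            i += 3
            after_escape = True
            continue
        c = value[i]
        if c not in PARAM_CHARS and not (after_escape and c in allowed_after_escape):
            return False  # bare '%', or a disallowed character, in a bad position
        after_escape = False
        i += 1
    return True


if __name__ == "__main__":
    # Constructed parameter values, not captured traffic.
    samples = ["a%41%", "a%%41", "%4G", "%41^", "%41Q"]
    for reg in (None, "%%Qz", "%Qz", "%%^"):
        allowed = parse_allowed_after_escape(reg)
        print(reg, {s: check_param_value(s, allowed) for s in samples})
```

Running the block shows the pitfall the documentation warns about: with the value `%Qz` the parameter `a%41%` is rejected, because the default “%” tolerance was not re-listed, while `%%Qz` accepts it again.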