Blocking POST, TRACE and PUT requests with HAProxy.

HAProxy allows you to whitelist certain HTTP methods. i.e. If your website does not use POST requests, than you can completely block all POST requests using a simple HAProxy ACL.

What is an ACL?

A HAProxy ACL allows you to make certain rules and decisions based on the request that is coming from the client. In this case, we want to setup an ACL that will reject POST requests and other HTTP methods that our website does not use.

Denying POST requests.

To deny POST requests, you can place this ACL in the frontend or listen block of your haproxy.cfg file:

#Example ACL. This only allows GET, OPTION and HEAD requests.
acl valid_method method GET OPTION HEAD
http-request deny if !valid_method

The ACL above is pretty simple. It tells HAProxy that it should only accept GET, OPTION and HEAD requests. Anything else will be denied by our load balancer.

If you only want to accept GET and HEAD requests, then you can simply remove “OPTION” from the ACL. What you choose to allow and deny should be based on the needs of your web application.

Allowing POST requests.

If your site does use POST requests but you still want to deny other HTTP methods, then you can use the following ACL:

#Example ACL. This only allows GET, POST, OPTION and HEAD requests.
acl valid_method method GET POST OPTION HEAD
http-request deny if !valid_method

The ACL above only allows for GET, POST, OPTION and HEAD requests. i.e. If a client sends a PUT request or a TRACE request, they will be denied.

403 Forbidden.

If a client attempts to use a HTTP method that is not in your ACL whitelist, they will be given a 403 Forbidden error, along with the message: “Request forbidden by administrative rules.”

Facebook Comments