Overview #
This article explains how to migrate an F5 BIG-IP iRule used to restrict HTTP upload sizes into RELIANOID using the integrated WAF (Web Application Firewall) powered by ModSecurity and OWASP CRS.
The original iRule inspects:
- HTTP method (POST)
- Content-Length header
And blocks uploads larger than 200 MB with an HTTP 413 Payload Too Large response.
Original F5 iRule #
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        set content_length [HTTP::header "Content-Length"]
        if { $content_length ne "" && $content_length > 200000000 } {
            # Reject requests over 200 MB
            HTTP::respond 413 content "Upload size exceeds limit."
            event disable
        }
    }
}
RELIANOID Migration Approach #
In RELIANOID, this functionality can be implemented using:
- WAF / IPDS module
- ModSecurity rules
- OWASP CRS integration
This approach provides:
- Centralized security enforcement
- Better logging and visibility
- Easier maintenance
- Native HTTP request inspection
Deployment via manual ruleset #
RELIANOID WAF Configuration Example #
Under the path /usr/local/relianoid/config/ipds/waf/sets/ create a conf file with the contents:
## begin conf
SecRuleEngine on
SecDefaultAction "pass,log,logdata:'client:%{REMOTE_ADDR}',phase:1"
SecDefaultAction "pass,log,logdata:'client:%{REMOTE_ADDR}',phase:2"
SecDefaultAction "pass,log,logdata:'client:%{REMOTE_ADDR}',phase:3"
SecDefaultAction "pass,log,logdata:'client:%{REMOTE_ADDR}',phase:4"
## end conf
SecRule REQUEST_METHOD "POST" \
    "id:910001,\
    phase:1,\
    t:none,\
    chain,\
    deny,\
    status:413,\
    msg:'Upload size exceeds limit.',\
    log"
    SecRule REQUEST_HEADERS:Content-Length "@gt 200000000"
How the Rule Works #
The rule performs the following logic:
- REQUEST_METHOD "POST": Inspects only POST requests
- REQUEST_HEADERS:Content-Length: Reads upload size
- @gt 200000000: Checks if size exceeds 200 MB
- deny,status:413: Rejects the request
- msg:'Upload size exceeds limit.': Generates audit log message
Equivalent Behavior Mapping from F5 iRule to RELIANOID WAF #
- HTTP::method -> REQUEST_METHOD
- HTTP::header "Content-Length" -> REQUEST_HEADERS:Content-Length
- HTTP::respond 413 -> deny,status:413
- event disable -> Immediate WAF deny
Deployment via WebUI #
This configuration can also be deployed directly through the RELIANOID WebUI.
WebUI Configuration Path #
Navigate to IPDS > WAF > Rules
Then create a WAF ruleset containing a rule with 2 conditions, as shown below.

Validation #
Test with CURL #
Example request:
curl -k -X POST -H "Content-Length: 250000000" https://LB_VIP/upload -v
Expected Result #
The response should return:
HTTP/1.1 413 Payload Too Large
And the request should be blocked before reaching the backend.
Logging Validation #
Check WAF logs for:
Upload size exceeds limit.
Important Notes #
Content-Length Dependency #
This rule depends on the client sending a valid Content-Length header. If uploads use chunked transfer encoding or streaming uploads, additional protections may be required.
Restrict Specific URLs Only #
The rule can be chained with URI validation.
Example:
SecRule REQUEST_URI "@beginsWith /upload"
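The two notes above (Content-Length dependency and URL restriction) can be combined into complete chained rules. This is an added example, not part of the original article or of RELIANOID's shipped rulesets: the rule ids 910002 and 910003 and the choice to answer 411 Length Required to uploads that declare no length are assumptions, and it presumes the application's clients are able to send a Content-Length header.

```modsecurity
# Added example. Place these rules in the rules part of the set file,
# after the "## end conf" line. Ids 910002/910003 are constructed: use ids
# that are free in your ruleset.

# 1) Size limit applied only to POST requests under /upload.
#    Every rule in a chain except the last one carries "chain"; the
#    disruptive action (deny), status and msg go on the first rule.
SecRule REQUEST_METHOD "@streq POST" \
    "id:910002,\
    phase:1,\
    t:none,\
    deny,\
    status:413,\
    log,\
    msg:'Upload size exceeds limit.',\
    chain"
    SecRule REQUEST_URI "@beginsWith /upload" \
        "chain"
        SecRule REQUEST_HEADERS:Content-Length "@gt 200000000"

# 2) A POST to /upload with no Content-Length header (for example one sent
#    with chunked transfer encoding) never matches rule 1, so its size is
#    not checked. Policy assumed here: refuse such uploads outright.
#    "&" counts the header occurrences; "@eq 0" means it is absent.
SecRule REQUEST_METHOD "@streq POST" \
    "id:910003,\
    phase:1,\
    t:none,\
    deny,\
    status:411,\
    log,\
    msg:'Upload without Content-Length rejected.',\
    chain"
    SecRule REQUEST_URI "@beginsWith /upload" \
        "chain"
        SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
```

If legitimate clients of the application do upload with chunked encoding, rule 910003 will block them; in that case leave it out and enforce the limit on the request body size instead.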
Troubleshooting #
Rule Not Triggering #
Verify:
- WAF is enabled on the farm
- Rule is attached correctly
- Request method is POST
- Content-Length header is present
Uploads Still Reach Backend #
Possible causes:
- WAF not applied to correct farm
- Rule syntax issue
- Upload uses chunked encoding
False Positives #
Some applications may legitimately require large uploads.
Recommendation:
- Create application-specific exceptions
- Adjust thresholds carefully
Best Practices #
- Use application-specific upload limits
- Combine with rate limiting when possible
- Monitor WAF logs regularly
- Avoid unnecessarily high upload thresholds
- Validate upload behavior after deployment
Summary #
F5 iRules used to restrict upload sizes can be migrated into RELIANOID using native WAF/ModSecurity rules integrated with OWASP CRS.
This approach provides:
- Centralized policy enforcement
- Better logging and visibility
- Easier scalability
- Reduced scripting complexity
- Standards-based request inspection