© 2012 Citrix | Confidential – Do Not Distribute
Responder
• Provides a mechanism to create a response based purely on a request
• Is used to send a redirect to a URL or send a response to a client
• Can be used to craft error pages based on security policies
• Is configured using the responder Sub-Node under the Protection Features node in the Configuration Utility
Rewrite
• Provides a mechanism to rewrite request and response URLs and HTTP Headers and Body
• Allows control of server side behavior by inserting headers in the requests
• Is configured using the Rewrite node in the configuration utility
Rewrite
• Rewrite provides two modes, rewriting requests and rewriting responses
• Can detect response errors, and provide alternate content, such as a pretty error page on 500 errors
• Allows control of server side behavior by inserting headers in the requests
• Can rewrite inbound URLs and POST body content from a client
• Limited support for rewriting response body data
Flow Processing: Implications of Processing Order
• Any responder response bypasses all other HTTP processing
• Request rewrite policies cannot impact other basic functions
• Response rewrite policies can impact the integrated caching and application firewall functions
(Diagram: processing order among Client, Responder, Caching, CF+HDOSPSC+PQ, Content Switching, LB, Request Rewrite, App FW, Server, Response Rewrite, CF+CMP+CKA etc., AppFW body transformer and Apply Rewrite/other Edits)
Understanding the URL Rewrite Process
1. Browser Request: The client's browser sends a request to the web server through the NetScaler system.
2. Check for Policies: The NetScaler system checks the request time policy bank for applicable policies.
3. Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
4. Rewriting: The NetScaler system rewrites the request and forwards it to the web server.
5. Server Response: The web server receives the request and sends a response.
6. Check for Policies: The NetScaler system checks the response time policy bank for applicable policies.
7. Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
8. Rewriting: The NetScaler system rewrites the response and forwards it to the client's browser.
Understanding the Responder Process
1. Browser Request: The client's browser sends a request to the web server through the NetScaler system.
2. Check for Policies: The NetScaler system checks the request time policy bank for applicable policies.
3. Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
4. Response: The NetScaler system responds to the client request with either a redirect or a respondwith action.
Configuring Rewrite or Responder
An administrator can use the following process to configure rewrite or responder:
• Step 1: Define an action to be performed
• Step 2: Create a policy
• Step 3: Bind this policy (rule + action) to a bind point to perform rewrite
Rewrite Actions
An administrator can type the following command in the CLI to add a rewrite action:
add rewrite action <name> <type> <target> [<string>]
ᵒ Name = the name of the action
ᵒ Type = the type of action
ᵒ Target = the value of the target varies depending on the type
ᵒ String = an expression that defines exactly what is to be done with the target
Responder Actions
An administrator can use the following command syntax to configure responder actions:
add responder action <name> <type> <target>
ᵒ Name = the name of the action
ᵒ Type = the type of action
ᵒ Target = the content to respond with
Basic Configuration: Action Configuration
• Actions define what is to be done when a policy evaluates to true
• There are several built-in actions (table of Responder and Rewrite action types)
• For both rewrite and responder, the general format to add an action is
  add responder action <name> <type> <APE Expression>
  add rewrite action <name> <type> <APE Expression>
• The types of actions depend on what needs to be done
Basic Configuration: Policy Configuration
• Before any action is performed on a request or response, a policy needs to be designed that matches that request or response
• The language for specifying the condition is the Advanced Policy Engine (APE), described separately
• Policies are added through one of two commands (depending on need)
ᵒ add rewrite policy <name> <rule> <action>
ᵒ add responder policy <name> <rule> <action>
Basic Configuration: Policy Bindings
• Once an action and policy are created, the policy needs to be bound to a "label" or "bank", which dictates the order of processing
• Pre-defined labels are "global" and "vserver"
• To bind to the default label with default options:
  bind responder global <name> <priority>
  bind rewrite global <name> <priority>
• Example syntax to bind to a vserver label instead:
  bind responder vserver <vsvr name> <policy> <priority>
  bind rewrite vserver <vsvr name> <policy> <priority>
Rewrite and Responder Actions
Responder:
• redirect – Create a redirect action
• respondwith – Create a full response for the request
Rewrite:
• insert_http_header – Appends a new HTTP header
• delete_http_header – Deletes an HTTP header completely
• delete(_all) – Deletes the text found (once)
• replace(_all) – Replaces (exactly) one string with another
• insert_before(_all) – Inserts a string before another string
• insert_after(_all) – Inserts a string after the found string
• replace_http_res – Replaces one HTTP response with another
Rewrite – Important commands
> help add rewrite policy
Usage: add rewrite policy <name> <rule> <action> [<undefAction>] where: <rule> = <expression>
> help add rewrite action
Usage: add rewrite action <name> <type> <target> [<stringBuilderExpr>] [-bypassSafetyCheck ( YES | NO )] where: <type> = ( delete | insert_http_header | delete_http_header | insert_before | insert_after | replace )
> help set rewrite param
Usage: set rewrite param -undefAction <string>
Rewrite – Useful Commands/Tips
• Rewrite can do the following:
ᵒ Modify the URL of a request
ᵒ Modify the Cookie content
ᵒ Insert, modify or delete an HTTP request/response header
ᵒ String manipulation (insert, delete, replace, append etc.)
Configuring Rewrite
• Step 1: Define an action to be performed
• Step 2: Create a policy
ᵒ Define the rule which determines when to apply the action
ᵒ Attach the action for the outcome of the evaluation
• Step 3: Bind this policy (rule + action) to a bind point to perform rewrite
ᵒ Priorities are attached to each policy and determine the sequence of policy execution
ᵒ The next policy to be evaluated can be specified using a goto expression
ᵒ Invoke a rewrite policy label or vserver-bound policies
Rewrite Actions
• add rewrite action <name> <type> <target> [<string>]
ᵒ <name> name of the action
ᵒ <type> type of action
ᵒ <target> the value of the target varies depending on the type
ᵒ <string> an expression that defines exactly what is to be done with the target
INSERT_HTTP_HEADER
<type> <target> [<stringBuilderExpr>]
INSERT_HTTP_HEADER   Header name   Header value

add rewrite action act_insert INSERT_HTTP_HEADER Client_ip 'CLIENT.IP.SRC'

Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
  Client_ip: 10.102.32.100
DELETE_HTTP_HEADER
<type> <target> [<stringBuilderExpr>]
DELETE_HTTP_HEADER   Header name

add rewrite action delete_http_cookie DELETE_HTTP_HEADER Cookie

Before:
  GET /foo.html HTTP/1.1
  Cookie: a=b
  Connection: close
  Cookie: c=d
After (every instance of the header is removed):
  GET /foo.html HTTP/1.1
  Connection: close

add rewrite action act_delete_header DELETE_HTTP_HEADER Host

Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Connection: close
REPLACE
<type> <target> [<stringBuilderExpr>]
REPLACE   Text reference   Expression

add rewrite action act_replace REPLACE "HTTP.REQ.URL.PATH.GET(1)" "\"citrix\""

Before:
  GET /netscaler/foo.html HTTP/1.1
  Host: netscaler.com
  Connection: close
After:
  GET /citrix/foo.html HTTP/1.1
  Host: netscaler.com
  Connection: close

replace_http_res example (replaces the whole HTTP response with a redirect):
add rewrite action retry_request replace_http_res "\"HTTP/1.1 302 Temporary Redirect\\r\\nLocation: http://www.cnn.com/\\r\\n\\r\\n\""
INSERT_BEFORE
<type> <target> [<stringBuilderExpr>]
INSERT_BEFORE   Text reference   Expression

add rewrite action act_before INSERT_BEFORE "HTTP.REQ.HEADER(\"host\").VALUE(0)" "\"india\""

Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host: indiasite.com
  Connection: close
INSERT_AFTER
<type> <target> [<stringBuilderExpr>]
INSERT_AFTER   Text reference   Expression

add rewrite action act_after INSERT_AFTER "HTTP.REQ.HEADER(\"host\").VALUE(0).TYPECAST_LIST_T(\".\").GET(0)" "\"-india\""

Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host: site-india.com
  Connection: close
DELETE
<type> <target> [<stringBuilderExpr>]
DELETE   Text reference

add rewrite action act_delete DELETE "HTTP.REQ.HEADER(\"host\").VALUE(0)"

Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After (the header stays, its value is deleted):
  GET /foo.html HTTP/1.1
  Host:
  Connection: close
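The action types on the INSERT_HTTP_HEADER through DELETE slides, modelled in Python as an added example (this is not Citrix or NetScaler code). The target classes stand in for the APE expressions used as <target>, and the before/after requests are the slides' own examples, reconstructed here as constructed input. Following the slide, PathSegment(1) addresses the first segment of /netscaler/foo.html, and 10.102.32.100 is the value the slide shows CLIENT.IP.SRC supplying; the model also shows that DELETE_HTTP_HEADER removes every instance of a header while DELETE on a header value leaves an empty header behind.

```python
CRLF = "\r\n"


class Request:
    """Start line plus an ordered header list; duplicate headers are kept."""

    def __init__(self, start_line, headers, body=""):
        self.start_line, self.headers, self.body = start_line, headers, body

    @classmethod
    def parse(cls, raw):
        head, _, body = raw.partition(CRLF + CRLF)
        lines = head.split(CRLF)
        parts = (line.partition(":") for line in lines[1:])
        headers = [(n.strip(), v.strip()) for n, _, v in parts]
        return cls(lines[0], headers, body)

    def serialize(self):
        out = [self.start_line] + [f"{n}: {v}" if v else f"{n}:" for n, v in self.headers]
        return CRLF.join(out) + CRLF + CRLF + self.body


class HeaderValue:
    """Stand-in for HTTP.REQ.HEADER("name").VALUE(idx): the idx-th instance of a header."""

    def __init__(self, name, idx=0):
        self.name, self.idx = name.lower(), idx

    def _pos(self, req):
        hits = [i for i, (n, _) in enumerate(req.headers) if n.lower() == self.name]
        return hits[self.idx] if self.idx < len(hits) else None

    def get(self, req):
        pos = self._pos(req)
        return None if pos is None else req.headers[pos][1]

    def set(self, req, value):
        pos = self._pos(req)
        if pos is not None:
            req.headers[pos] = (req.headers[pos][0], value)


class HostLabel(HeaderValue):
    """Stand-in for HEADER("host").VALUE(0).TYPECAST_LIST_T(".").GET(n): one dotted label."""

    def __init__(self, n):
        super().__init__("host")
        self.n = n

    def get(self, req):
        return super().get(req).split(".")[self.n]

    def set(self, req, value):
        labels = super().get(req).split(".")
        labels[self.n] = value
        super().set(req, ".".join(labels))


class PathSegment:
    """Stand-in for HTTP.REQ.URL.PATH.GET(n); as on the slide, GET(1) is the first segment."""

    def __init__(self, n):
        self.n = n

    def get(self, req):
        return req.start_line.split(" ")[1].split("/")[self.n]

    def set(self, req, value):
        method, url, version = req.start_line.split(" ")
        segs = url.split("/")
        segs[self.n] = value
        req.start_line = f"{method} {'/'.join(segs)} {version}"


# The six action types from the slides. delete_http_header removes every instance,
# as the two-Cookie example shows; the others operate on the <target> expression.
def insert_http_header(req, name, value):
    req.headers.append((name, value))

def delete_http_header(req, name):
    req.headers = [(n, v) for n, v in req.headers if n.lower() != name.lower()]

def replace(req, target, value):
    target.set(req, value)

def insert_before(req, target, text):
    target.set(req, text + target.get(req))

def insert_after(req, target, text):
    target.set(req, target.get(req) + text)

def delete(req, target):
    target.set(req, "")


def rewrite(raw, action, *args):
    """Apply one action to a raw request and return the rewritten request text."""
    req = Request.parse(raw)
    action(req, *args)
    return req.serialize()


# Constructed inputs reproducing the slides' "before" requests.
BASIC = "GET /foo.html HTTP/1.1\r\nHost: site.com\r\nConnection: close\r\n\r\n"
COOKIES = "GET /foo.html HTTP/1.1\r\nCookie: a=b\r\nConnection: close\r\nCookie: c=d\r\n\r\n"
PATHED = "GET /netscaler/foo.html HTTP/1.1\r\nHost: netscaler.com\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    # 10.102.32.100 stands in for the value CLIENT.IP.SRC supplies on the slide.
    print(rewrite(BASIC, insert_http_header, "Client_ip", "10.102.32.100"))
    print(rewrite(COOKIES, delete_http_header, "Cookie"))
    print(rewrite(PATHED, replace, PathSegment(1), "citrix"))
    print(rewrite(BASIC, insert_after, HostLabel(0), "-india"))
```

The point of keeping headers as an ordered list rather than a dict is that real requests carry duplicate headers (the two Cookie lines on the slide); a model that collapsed them would hide the difference between deleting a header and deleting one value.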
Built in actions
• NOREWRITE – Do not perform rewrite
• RESET – Reset the current client and server connections
• UndefAction – If expression evaluation results in an undefined state, UndefAction is used
ᵒ UndefAction can be specified per policy
ᵒ If a per-policy UndefAction isn't specified, the global UndefAction is applied
ᵒ NOREWRITE and RESET are the only valid undef actions
Creating Rewrite Policies
• add rewrite policy <policyName> <rule> <action> [<undefAction>]
ᵒ <action> is a rewrite action name, NOREWRITE or RESET
ᵒ <undefAction> is NOREWRITE or RESET
ᵒ <rule> is a policy evaluation rule that returns a boolean result
• Example:
ᵒ add rewrite policy pol_host '!HTTP.REQ.HEADER("Host").EXISTS' RESET
Bind points
• Vserver bind points
ᵒ Rewrite policies can be bound to cs and lb vservers
• Global bind points
ᵒ Override: policies bound to this label are evaluated before vserver-specific evaluation
ᵒ Default: policies bound to this label are evaluated after vserver-specific evaluation
• Custom bind points
ᵒ Policy labels: the user can create these bind points and bind policies to them
ᵒ Policies bound to them are evaluated only on invoke
ᵒ Not evaluated if not invoked
• Invoking bind points
ᵒ Similar to a named subroutine
ᵒ Can be invoked by policies
ᵒ Global bind points are not invokeable
Rewrite Evaluation Process
(Diagram: the Bind point Selector picks the Selected Bank; the Policy Evaluator walks the rewrite bind points in that bank; an Undefined result performs the rule-specific or global undefAction; Next Bank/Invoke moves on until all bind points are processed, then Perform Rewrite Actions and END)
Order of bind point evaluation:
ᵒ Override
ᵒ All active vservers (cs followed by lb)
ᵒ Default
Binding Policies
bind rewrite global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType> <labelName>) ]
bind rewrite policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>) ]
bind rewrite vserver <vServerName> <policyName> <priority> [<gotoPriorityExpression>] -type ( REQUEST | RESPONSE ) [-invoke (<labelType> <labelName>) ]
<priority> is a positive integer constant
ᵒ Lower value means higher priority
ᵒ Within each bind point, duplicate priorities are not allowed
<gotoPriorityExpression>
ᵒ END: terminate policy evaluation and proceed to apply the action
ᵒ NEXT: proceed to the next policy in the priority ranking
ᵒ Positive integer: proceed to the policy with the specified priority
ᵒ Advanced expressions can also be used
Binding policies (continued)
<type>
ᵒ Indicates the type of global bind point
ᵒ REQ_OVERRIDE | REQ_DEFAULT | RES_OVERRIDE | RES_DEFAULT
<labelType>
ᵒ Indicates the label type that needs to be invoked
<labelName>
ᵒ Indicates the name of the vserver if <labelType> is (reqvserver | resvserver)
ᵒ Indicates the name of the policylabel if <labelType> is policylabel
ᵒ CURRENT: can be used with <labelType> (reqvserver | resvserver) and causes all the active vserver-bound policies to be evaluated
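A toy policy-bank evaluator for the binding semantics on the Bind points, Rewrite Evaluation Process and Binding Policies slides, added here as an illustration; it is not NetScaler code. Assumptions made for the model: rules are Python callables returning True, False or None (undefined); END stops all further evaluation, NEXT moves to the next priority, and an integer goto skips forward to the first policy with that priority or higher; an invoked policy label runs like a subroutine and returns to the caller, except that RESET aborts everything collected so far; the policy and action names (pol_host, remove-ae, to_1.0) come from the slides, while the bank contents and the request dictionaries are constructed.

```python
NOREWRITE, RESET = "NOREWRITE", "RESET"
BANK_ORDER = ("override", "vserver", "default")   # slide: Override, active vservers, Default


class Policy:
    """<rule> returns True/False, or None for an undefined result."""
    def __init__(self, name, rule, action, undef_action=None):
        self.name, self.rule, self.action, self.undef_action = name, rule, action, undef_action


class Binding:
    """One bind of a policy: <priority>, <gotoPriorityExpression>, optional -invoke label."""
    def __init__(self, policy, priority, goto="END", invoke=None):
        self.policy, self.priority, self.goto, self.invoke = policy, priority, goto, invoke


class Evaluator:
    def __init__(self, global_undef_action=NOREWRITE):
        self.global_undef = global_undef_action
        self.banks = {b: [] for b in BANK_ORDER}
        self.labels = {}                              # custom bind points (policy labels)

    def bind(self, bank, binding):
        target = self.banks[bank] if bank in self.banks else self.labels.setdefault(bank, [])
        if any(b.priority == binding.priority for b in target):
            raise ValueError(f"duplicate priority {binding.priority} in {bank}")
        target.append(binding)
        target.sort(key=lambda b: b.priority)         # lower value = higher priority

    def evaluate(self, request):
        """Return (actions to apply, evaluation trace) for one request."""
        actions, trace = [], []
        for bank in BANK_ORDER:
            if self._run(self.banks[bank], request, actions, trace) in ("END", RESET):
                break
        if RESET in actions:                          # RESET discards collected rewrites
            return [RESET], trace
        return [a for a in actions if a != NOREWRITE], trace

    def _run(self, bindings, request, actions, trace):
        i = 0
        while i < len(bindings):
            b, pol = bindings[i], bindings[i].policy
            result = pol.rule(request)
            if result is None:                        # undefined: rule-specific or global undefAction
                chosen = pol.undef_action or self.global_undef
                trace.append((pol.name, "UNDEF", chosen))
                actions.append(chosen)
                if chosen == RESET:
                    return RESET
                i += 1
                continue
            trace.append((pol.name, bool(result), pol.action if result else None))
            if not result:
                i += 1
                continue
            actions.append(pol.action)
            if pol.action == RESET:
                return RESET
            if b.invoke is not None:                  # policy label: evaluated only when invoked
                if self._run(self.labels.get(b.invoke, []), request, actions, trace) == RESET:
                    return RESET
            if b.goto == "END":
                return "END"
            if b.goto == "NEXT":
                i += 1
            else:                                     # integer priority: jump forward to it
                i = next((k for k, x in enumerate(bindings) if k > i and x.priority >= b.goto),
                         len(bindings))
        return "NEXT"


def build_demo():
    """Constructed bank contents using the slides' policy and action names."""
    ev = Evaluator()
    # Override bank: the slide's pol_host, which RESETs requests lacking a Host header.
    ev.bind("override", Binding(Policy("pol_host", lambda r: "host" not in r, RESET), 100))
    # vserver bank: the compression policy jumps straight to priority 20, skipping 15.
    ev.bind("vserver", Binding(Policy("remove-ae", lambda r: True, "remove-ae"), 10, goto=20))
    ev.bind("vserver", Binding(Policy("skip_me", lambda r: True, "act_skipped"), 15, goto="NEXT"))
    ev.bind("vserver", Binding(Policy("to_1.0", lambda r: True, "downgrade_1.0"), 20,
                               goto="NEXT", invoke="lbl_api"))
    # Custom bind point, only reached through the -invoke above.
    ev.bind("lbl_api", Binding(Policy("pol_api", lambda r: r.get("path", "").startswith("/api"),
                                      "act_api"), 10))
    # Default bank: the rule is undefined when Content-Length is absent, so the global undefAction applies.
    ev.bind("default", Binding(Policy("pol_len", lambda r: int(r["content-length"]) > 0
                                      if "content-length" in r else None, "act_len"), 10))
    return ev


def actions_for(request):
    """Convenience wrapper: just the action list for a request."""
    return build_demo().evaluate(request)[0]
```

The trace is the part worth keeping in a real deployment: knowing which policy fired, and whether a rewrite happened because of a match or because an undefined expression fell back to the global undefAction, is what makes a misbehaving bank diagnosable.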
Rewrite Case Study: Redirect to alternate 404 content
• Requirement: A customer (a bank) needed to send customers who receive a 404 (page not found) response to a customized error page.
• Solution: Use URL rewrite to replace the 404 response headers with a 302 redirect response giving the location of the alternate page.
Redirect to alternate 404
Commands:
• add rewrite action 404_Rewrite_Action replace_http_res "\"HTTP/1.1 302 Temporary Redirect\\r\\nLocation: http://10.10.10.1/my404.html\\r\\n\\r\\n\""
• add rewrite policy 404_Rewrite_Policy 'HTTP.RES.STATUS.EQ(404)' 404_Rewrite_Action
• bind rewrite global 404_Rewrite_Policy 1 -type RES_DEFAULT
(The action name must match exactly in the add policy command, the replacement response must end with the blank line that terminates the headers, and the policy inspects the response so it is bound to a response bind point.)
Case Study: Mitigating Compression
You don't want to receive compressed content because:
• Need to inject HTML into content received
• Don’t want to cache compressed content
Mitigating Compression
Commands:
• add rewrite action "remove-ae" delete_http_header "Accept-Encoding"
• add rewrite policy "remove-ae" true "remove-ae"
• bind lb vserver my_test_vsvr -policyName "remove-ae" -priority 10 -gotoPriorityExpression NEXT -type REQUEST
Mitigating HTTP Chunking
What is chunking and why…
• HTTP 1.1 supports chunked encoding, which allows HTTP messages to be broken up into several parts. Chunking is most often used by the server for responses, but clients can also chunk large requests.
• Chunking Header: Transfer-Encoding
• Not possible in HTTP 1.0
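To show what the HTTP/1.0 downgrade on the Mitigating HTTP Chunking slides avoids, here is a decoder for HTTP/1.1 chunked transfer coding (RFC 7230, section 4.1), added as an example rather than NetScaler code. The sample responses are constructed: the same 13-byte document framed once with chunks and once with Content-Length, plus a chunked copy cut off before its last chunk. The decoder cannot report the body as complete until the zero-size chunk arrives, which is why a device that must buffer, inspect or cache whole bodies prefers Content-Length framing.

```python
CRLF = b"\r\n"


def parse_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body):
    """Decode a chunked body. Returns (payload, chunk count, complete).

    complete is False until the zero-size last chunk has been seen: the total
    length of a chunked message is unknowable before that point."""
    out, pos, count = bytearray(), 0, 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            return bytes(out), count, False            # size line not yet received
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)   # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out), count, True             # last chunk (trailers ignored here)
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != CRLF:
            return bytes(out), count, False            # chunk data truncated
        out += chunk
        count += 1
        pos += size + 2


def response_body(raw):
    """Body as delivered to the client: de-chunked when Transfer-Encoding: chunked,
    otherwise taken as-is (Content-Length framing, which is all HTTP/1.0 offers)."""
    _, headers, body = parse_message(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        payload, _, complete = decode_chunked(body)
        return payload, complete
    return body, True


# Constructed sample responses: the same 13-byte document framed both ways.
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n"
           b"7\r\n<html><\r\n6;ext=1\r\n/html>\r\n0\r\n\r\n")
PLAIN = b"HTTP/1.0 200 OK\r\nContent-Length: 13\r\nContent-Type: text/html\r\n\r\n<html></html>"
TRUNCATED = CHUNKED[:-5]   # connection dropped before the "0\r\n\r\n" last chunk

if __name__ == "__main__":
    for name, raw in (("chunked", CHUNKED), ("plain", PLAIN), ("truncated", TRUNCATED)):
        print(name, response_body(raw))
```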
Mitigating HTTP Chunking
• add rewrite action downgrade_1.0 replace http.req.version "\"HTTP/1.0\""
• add rewrite policy to_1.0 true downgrade_1.0
• bind lb vserver test_vsvr -policyName to_1.0 -priority 20 -gotoPriorityExpression NEXT -type REQUEST
Typecasting HTTP Data Streams
• Typecasting is used to convert the HTTP data stream
• Typecasting can:
ᵒ Include structured text
ᵒ Recognize a string as an integer value
ᵒ Recognize a string as a URL
ᵒ Take the query part of the URL, check for the '&' delimiter and put each argument in a list
ᵒ Recognize the string presented as a time value
In Depth Rewrite, Responders and URL Transformation
Rewrite:
The NetScaler system rewrites HTTP headers
Responder:
The NetScaler system responds based on the request
URL transformation:
The NetScaler system translates internal and external URLs
Rewrite Process (diagram slide)
Responder Process (diagram slide)
URL Transformation (diagram slide)
LAB – Module 5 – Exercise 1,2,3
To continue with the lab, browse to:
http://training.mycitrixcloud.net/geoilt
Enter your business email and this session code:
NETSCALER-WORKSHOP