Rewrite and Responder

© 2012 Citrix | Confidential – Do Not Distribute

Responder

• Provides a mechanism to create a response based purely on a request

• Is used to send a redirect to a URL or send a response to a client

• Can be used to craft error pages based on security policies

• Is configured using the responder Sub-Node under the Protection Features node in the Configuration Utility


Rewrite

• Provides a mechanism to rewrite request and response URLs, HTTP headers and (with limits) the HTTP body

• Allows control of server side behavior by inserting headers in the requests

• Is configured using the Rewrite node in the configuration utility


Rewrite

• Rewrite provides two modes, rewriting requests and rewriting responses

• Can detect response errors, and provide alternate content, such as a pretty error page on 500 errors

• Allows control of server side behavior by inserting headers in the requests

• Can rewrite inbound URLs and POST body content from a client

• Limited support for rewriting response body data

Flow Processing Order


Flow Processing: Implications of Processing Order

• Any responder response bypasses all other HTTP processing: responder is evaluated at the head of the request path, and a response it generates goes straight back to the client without passing through caching, the application firewall, content switching, load balancing or rewrite

• Request rewrite policies cannot impact other basic functions: they are applied after those functions have already evaluated the original request

• Response rewrite policies can impact the integrated caching and application firewall functions, because the rewritten response is what those functions then see

[Flow processing diagram; only its box labels survive extraction. Request path (client to server) boxes: Client, CF+HDOSPSC+PQ (content filtering, HTTP DoS protection, SureConnect, priority queuing), Responder, Caching, App FW, Content Switching, Request Rewrite, LB, Server. Response path (server to client) boxes: Server, AppFW body transformer, Response Rewrite, CF+CMP+CKA (content filtering, compression, client keep-alive), Caching, Apply Rewrite/other Edits, Client.]


Understanding the URL Rewrite Process

• Step 1, Browser Request: The client's browser sends a request to the web server through the NetScaler system.

• Step 2, Check for Policies: The NetScaler system checks the request-time policy bank for applicable policies.

• Step 3, Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.

• Step 4, Rewriting: The NetScaler system rewrites the request and forwards it to the web server.

• Step 5, Server Response: The web server receives the request and sends a response.

• Step 6, Check for Policies: The NetScaler system checks the response-time policy bank for applicable policies.

• Step 7, Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.

• Step 8, Rewriting: The NetScaler system rewrites the response and forwards it to the client's browser.


Understanding the Responder Process

• Step 1, Browser Request: The client's browser sends a request to the web server through the NetScaler system.

• Step 2, Check for Policies: The NetScaler system checks the request-time policy bank for applicable responder policies.

• Step 3, Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.

• Step 4, Response: The NetScaler system answers the client request itself, with either a redirect or a respondwith response; the request is not forwarded to the web server.


Configuring Rewrite or Responder

An administrator can use the following process to configure rewrite or responder:

• Step 1: Define an action to be performed

• Step 2: Create a policy (a rule that selects the traffic, plus the action to apply)

• Step 3: Bind this policy (rule + action) to a bind point so that the rewrite or responder action is performed


Rewrite Actions

An administrator can type the following command in the CLI to add a rewrite action:

add rewrite action <name> <type> <target> [<string>]

ᵒ Name = the name of the action

ᵒ Type = the type of action

ᵒ Target = the value of the target varies depending on the type (a header name or an expression that selects text)

ᵒ String = an expression that defines exactly what is to be done with the target


Responder Actions

An administrator can use the following command syntax to configure responder actions:

add responder action <name> <type> <target>

ᵒ Name = the name of the action

ᵒ Type = the type of action (redirect or respondwith)

ᵒ Target = the content to respond with


Basic Configuration: Action Configuration

• Actions define what is done when a policy evaluates to true

• There are several built-in actions (for rewrite, NOREWRITE and RESET; see "Built in actions" later in this module)

• For both rewrite and responder, the general format for adding an action is:

add responder action <name> <type> <APE Expression>

add rewrite action <name> <type> <APE Expression>

• The types of actions available depend on what needs to be done


Basic Configuration: Policy Configuration

• Before any action is performed on a request or response, a policy needs to be designed that matches the request or response

• The language for specifying the condition is the Advanced Policy Engine (APE) expression language, described separately

• Policies are added through one of two commands (depending on need)

ᵒ add rewrite policy <name> <rule> <action>

ᵒ add responder policy <name> <rule> <action>


Basic Configuration: Policy Bindings

• Once an action and policy are created, the policy needs to be bound to a "label" or "bank", which dictates the order of processing

• Pre-defined labels are "global" and "vserver"

• To bind to the default label with default options:

bind responder global <name> <priority>

bind rewrite global <name> <priority>

• Example syntax to bind to a vserver label instead:

bind responder vserver <vsvr name> <policy> <priority>

bind rewrite vserver <vsvr name> <policy> <priority>
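A complete worked responder configuration that follows the three steps above (action, policy, binding). It is added here as an example and is not taken from the original deck. It is written as a NetScaler CLI batch file (loadable with `batch -fileName`), where lines beginning with `#` are comments; drop those lines if pasting the commands at an interactive prompt. The vserver names `vs_web_http` and `vs_web_https`, the host name `www.example.com` and the management subnet `10.10.0.0/16` are assumptions.

```nscli
# Added example, not the deck's own configuration.
# Assumed names: vs_web_http (port 80 LB vserver), vs_web_https (port 443 LB vserver),
# 10.10.0.0/16 = the management network allowed to reach /admin.

# Step 1: actions.
# redirect builds the Location header from the request; HOSTNAME.SERVER drops any
# :port the client put in the Host header, PATH_AND_QUERY keeps the original URL.
add responder action rs_act_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY"
# respondwith returns a complete response, so the status line, every header and the
# blank line that ends the header block must all be present, each terminated by \r\n.
add responder action rs_act_403 respondwith "\"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nForbidden\r\n\""

# Step 2: policies. The last argument is the undefAction: RESET tears the connection
# down if the rule cannot be evaluated (a malformed request is the usual cause)
# instead of letting the request fall through to the back end unexamined.
# The HTTPS rule tests the transport rather than using "true", so the policy stays
# safe if someone later binds it globally.
add responder policy rs_pol_to_https "!CLIENT.SSL.IS_SSL" rs_act_to_https RESET
add responder policy rs_pol_block_admin "HTTP.REQ.URL.PATH.STARTSWITH(\"/admin\") && !CLIENT.IP.SRC.IN_SUBNET(10.10.0.0/16)" rs_act_403 RESET

# Step 3: bindings. The redirect goes on the plaintext vserver, the /admin check on
# the TLS vserver. A lower priority number is evaluated first; END stops the bank.
bind lb vserver vs_web_http -policyName rs_pol_to_https -priority 10 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_web_https -policyName rs_pol_block_admin -priority 10 -gotoPriorityExpression END -type REQUEST

# Expected behaviour from a client outside 10.10.0.0/16:
#   GET http://www.example.com/admin/   -> 302 with Location: https://www.example.com/admin/
#   GET https://www.example.com/admin/  -> 403 Forbidden, generated by the NetScaler
```

Because responder sits at the head of the request path, both answers are produced before caching, the application firewall or load balancing ever see the request, which is what makes responder the right tool for a hard deny. The cost of that position is that nothing downstream can inspect or log what responder answered, so keep its rules narrow and let the application firewall handle anything that needs inspection.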


Rewrite and Responder Actions

Responder

• redirect: create a redirect action (the client is sent a Location header built from the target expression)

• respondwith: create a full response for the request

Rewrite

• insert_http_header: append a new HTTP header

• delete_http_header: delete an HTTP header completely (every instance of that header)

• delete / delete_all: delete the first occurrence of the target text / every occurrence

• replace / replace_all: replace the first occurrence of a string with another / every occurrence

• insert_before / insert_before_all: insert a string before the target string (first occurrence / every occurrence)

• insert_after / insert_after_all: insert a string after the found string (first occurrence / every occurrence)

• replace_http_res: replace the entire HTTP response (status line, headers and body) with another

Rewrite Examples


Rewrite – Important commands

> help add rewrite policy

Usage: add rewrite policy <name> <rule> <action> [<undefAction>] where: <rule> = <expression>

> help add rewrite action

Usage: add rewrite action <name> <type> <target> [<stringBuilderExpr>] [-bypassSafetyCheck ( YES | NO )] where: <type> = ( delete | insert_http_header | delete_http_header | insert_before | insert_after | replace )

> help set rewrite param

Usage: set rewrite param -undefAction <string>


Rewrite – Useful Commands/Tips

• Rewrite can do the following

ᵒ Modify the URL of a request

ᵒ Modify the Cookie content

ᵒ Insert, modify or delete an HTTP request/response header

ᵒ String manipulation (insert, delete, replace, append etc.)


Configuring Rewrite

• Step 1: Define an action to be performed

• Step 2: Create a policy

ᵒ Define the rule which determines when to apply the action

ᵒ Attach the action that is performed when the rule evaluates to true

• Step 3: Bind this policy (rule + action) to a bind point to perform the rewrite

ᵒ A priority is attached to the policy at bind time and determines the sequence of policy execution

ᵒ The next policy to be evaluated can be selected with a goto expression

ᵒ The binding can invoke a rewrite policy label or the policies bound to a vserver


Rewrite Actions

• add rewrite action <name> <type> <target> [<string>]

ᵒ <name> name of the action

ᵒ <type> type of action

ᵒ <target> the value of the target varies depending on the type

ᵒ <string> an expression that defines exactly what is to be done with the target


INSERT_HTTP_HEADER

<type> <target> [<stringBuilderExpr>]

INSERT_HTTP_HEADER Header name Header value

add rewrite action act_insert INSERT_HTTP_HEADER Client_ip "CLIENT.IP.SRC"

Before:
GET /foo.html HTTP/1.1
Host: site.com
Connection: close

After:
GET /foo.html HTTP/1.1
Host: site.com
Connection: close
Client_ip: 10.102.32.100


DELETE_HTTP_HEADER

<type> <target> [<stringBuilderExpr>]

DELETE_HTTP_HEADER Header Name

add rewrite action delete_http_cookie DELETE_HTTP_HEADER Cookie

Before (note the two Cookie headers; both instances are removed):
GET /foo.html HTTP/1.1
Cookie: a=b
Connection: close
Cookie: c=d

After:
GET /foo.html HTTP/1.1
Connection: close

<type> <target> [<stringBuilderExpr>]

DELETE_HTTP_HEADER Header name

add rewrite action act_delete_header DELETE_HTTP_HEADER Host

Before:
GET /foo.html HTTP/1.1
Host: site.com
Connection: close

After:
GET /foo.html HTTP/1.1
Connection: close


REPLACE

<type> <target> [<stringBuilderExpr>]

REPLACE Text reference Expression

add rewrite action act_replace REPLACE "HTTP.REQ.URL.PATH.GET(1)" "\"citrix\""

Before:
GET /netscaler/foo.html HTTP/1.1
Host: netscaler.com
Connection: close

After:
GET /citrix/foo.html HTTP/1.1
Host: netscaler.com
Connection: close

The related response-side type replace_http_res replaces the whole response (status line, headers and body) with the text built by the expression. The status line and every header must end in \r\n, and an empty line must terminate the header block:

add rewrite action retry_request replace_http_res "\"HTTP/1.1 302 Found\r\nLocation: http://www.cnn.com/\r\n\r\n\""


INSERT_BEFORE

<type> <target> [<stringBuilderExpr>]

INSERT_BEFORE Text reference Expression

add rewrite action act_before INSERT_BEFORE "HTTP.REQ.HEADER(\"host\").VALUE(0)" "\"india\""

Before:
GET /foo.html HTTP/1.1
Host: site.com
Connection: close

After:
GET /foo.html HTTP/1.1
Host: indiasite.com
Connection: close


INSERT_AFTER

<type> <target> [<stringBuilderExpr>]

INSERT_AFTER Text reference Expression

add rewrite action act_after INSERT_AFTER "HTTP.REQ.HEADER(\"host\").VALUE(0).TYPECAST_LIST_T('.').GET(0)" "\"-india\""

Before:
GET /foo.html HTTP/1.1
Host: site.com
Connection: close

After:
GET /foo.html HTTP/1.1
Host: site-india.com
Connection: close


DELETE

<type> <target> [<stringBuilderExpr>]

DELETE Text reference

add rewrite action act_delete DELETE "HTTP.REQ.HEADER(\"host\").VALUE(0)"

Before:
GET /foo.html HTTP/1.1
Host: site.com
Connection: close

After (the header line remains, with an empty value):
GET /foo.html HTTP/1.1
Host:
Connection: close


Built in actions

• NOREWRITE – Do not perform rewrite

• RESET – Reset the current client and server connections

• UndefAction – If expression evaluation results in an undefined state, the UndefAction is used

ᵒ UndefAction can be specified per policy

ᵒ If a per-policy UndefAction isn't specified, the global UndefAction is applied

ᵒ NOREWRITE and RESET are the only valid undef actions


Creating Rewrite Policies

• add rewrite policy <policyName> <rule> <action> [<undefAction>]

ᵒ <action> is a rewrite action name, or NOREWRITE or RESET

ᵒ <undefAction> is NOREWRITE or RESET

ᵒ <rule> is a policy evaluation rule that returns a boolean result

• Example (reset any connection whose request carries no Host header):

ᵒ add rewrite policy pol_host '!HTTP.REQ.HEADER("Host").EXISTS' RESET
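The following configuration is added here as an example and is not taken from the deck. It applies the action/policy/binding pattern to two tasks a practitioner typically hands to rewrite: extending pol_host above so that a request is also reset when its Host header is not one of the published names, and adding or removing response headers that the back end does not manage. The vserver name `vs_web_https` and the host name `www.example.com` are assumptions; the commands are written as a batch file, where `#` lines are comments.

```nscli
# Added example, not the deck's own configuration.
# Assumed names: vs_web_https (TLS LB vserver), www.example.com (the only published host name).

# Request side: reset when Host is absent OR is not the published name (case-insensitive).
# A strict Host check stops Host-header poisoning of caches and of any absolute URLs
# the application builds from the header. RESET is used both as action and undefAction.
add rewrite policy rw_pol_bad_host "!HTTP.REQ.HEADER(\"Host\").EXISTS || !HTTP.REQ.HEADER(\"Host\").VALUE(0).SET_TEXT_MODE(IGNORECASE).EQ(\"www.example.com\")" RESET RESET

# Response side: actions that add security headers and strip the server banner.
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite action rw_act_xfo insert_http_header X-Frame-Options "\"DENY\""
add rewrite action rw_act_del_server delete_http_header Server

# insert_http_header appends rather than replaces, so each rule tests EXISTS first:
# a header the application already sets is left alone and never duplicated.
# NOREWRITE as undefAction: an unevaluable response rule must not reset a live response.
add rewrite policy rw_pol_hsts "!HTTP.RES.HEADER(\"Strict-Transport-Security\").EXISTS" rw_act_hsts NOREWRITE
add rewrite policy rw_pol_xfo "!HTTP.RES.HEADER(\"X-Frame-Options\").EXISTS" rw_act_xfo NOREWRITE
add rewrite policy rw_pol_del_server "HTTP.RES.HEADER(\"Server\").EXISTS" rw_act_del_server NOREWRITE

# Bindings. -type selects the request or the response bank of the vserver.
# END on the request policy: once the reset fires nothing else needs evaluating.
# NEXT on the response policies: every header rule must run, not just the first match.
bind lb vserver vs_web_https -policyName rw_pol_bad_host -priority 10 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_web_https -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind lb vserver vs_web_https -policyName rw_pol_xfo -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
bind lb vserver vs_web_https -policyName rw_pol_del_server -priority 120 -gotoPriorityExpression NEXT -type RESPONSE
```

The exact Host match also rejects values that carry a port, such as `www.example.com:443`; if clients send one, compare `HTTP.REQ.HOSTNAME.SERVER` (the name without the port) instead of the raw header value. Removing the `Server` header hides a banner, not the fingerprintable behaviour of the back end; treat it as hygiene rather than protection.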


Bind points

• Vserver bind points

ᵒ Rewrite policies can be bound to cs and lb vservers

• Global bind points

ᵒ Override: policies bound to this label are evaluated before vserver-specific evaluation

ᵒ Default: policies bound to this label are evaluated after vserver-specific evaluation

• Custom bind points

ᵒ Policy labels: the user can create these bind points and bind policies to them

ᵒ Policies bound to a label are evaluated only when the label is invoked

ᵒ They are not evaluated at all if the label is never invoked

• Invoking bind points

ᵒ Similar to a named subroutine

ᵒ Can be invoked by policies

ᵒ Global bind points cannot be invoked


Rewrite Evaluation Process

[Flowchart; only its labels survive extraction: Policy Evaluator, Rewrite bind points, Bind point Selector, Selected Bank, Next Bank / Invoke, Undefined -> Perform the rule-specific or global undefAction, Perform Rewrite Actions, END after processing all bind points.]

Order of bind point evaluation:

ᵒ Override

ᵒ All active vservers (cs followed by lb)

ᵒ Default


Binding Policies

bind rewrite global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType> <labelName>)]

bind rewrite policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]

bind rewrite vserver <vServerName> <policyName> <priority> [<gotoPriorityExpression>] -type ( REQUEST | RESPONSE ) [-invoke (<labelType> <labelName>)]

<priority> is a positive integer constant

ᵒ A lower value means higher priority (evaluated earlier)

ᵒ Within each bind point, duplicate priorities are not allowed

<gotoPriorityExpression> (consulted only when the policy's rule evaluates to true)

ᵒ END: stop evaluating this bank and proceed to apply the collected actions

ᵒ NEXT: proceed to the next policy in the priority ranking

ᵒ Positive integer: jump to the policy with that priority; it must be larger than the current policy's priority, so evaluation only ever moves forward

ᵒ An advanced expression that evaluates to one of these values can also be used


Binding policies (continued)

<type>

ᵒ indicates the type of global bind point

ᵒ REQ_OVERRIDE | REQ_DEFAULT | RES_OVERRIDE | RES_DEFAULT

<labelType>

ᵒ indicates the kind of label to invoke: reqvserver, resvserver or policylabel

<labelName>

ᵒ the name of the vserver if <labelType> is reqvserver or resvserver

ᵒ the name of the policy label if <labelType> is policylabel

ᵒ CURRENT: can be used with <labelType> reqvserver or resvserver and causes all the policies bound to the currently active vserver to be evaluated
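A policy-label example, added here and not part of the deck, that shows invoke, priority and gotoPriorityExpression (NEXT, END and a numeric jump) working together. The label normalises the X-Forwarded-For header for requests under /api/: a value supplied by the client is untrusted and is overwritten with the real source address, and the header is inserted when absent, so the back end can never be told a false client IP. The vserver name `vs_web` and the `X-API-Version` header are assumptions; `#` lines are batch-file comments.

```nscli
# Added example, not the deck's own configuration. Assumed name: vs_web (LB vserver).

# A policy label is a named bank that runs only when invoked. The second argument
# (http_req or http_res) fixes which kind of policies it may hold.
add rewrite policylabel rw_lbl_api_req http_req

# Actions: overwrite a client-supplied X-Forwarded-For, or add one when absent,
# and tag the request with an API version header if the client did not send one.
add rewrite action rw_act_xff_overwrite replace "HTTP.REQ.HEADER(\"X-Forwarded-For\").VALUE(0)" "CLIENT.IP.SRC"
add rewrite action rw_act_xff_insert insert_http_header X-Forwarded-For "CLIENT.IP.SRC"
add rewrite action rw_act_api_ver insert_http_header X-API-Version "\"2\""

# The two XFF rules are complementary, so exactly one of them fires per request.
add rewrite policy rw_pol_xff_overwrite "HTTP.REQ.HEADER(\"X-Forwarded-For\").EXISTS" rw_act_xff_overwrite NOREWRITE
add rewrite policy rw_pol_xff_insert "!HTTP.REQ.HEADER(\"X-Forwarded-For\").EXISTS" rw_act_xff_insert NOREWRITE
add rewrite policy rw_pol_api_ver "!HTTP.REQ.HEADER(\"X-API-Version\").EXISTS" rw_act_api_ver NOREWRITE

# Inside the label, lower priority numbers run first. When the overwrite at 20
# matches, its goto of 40 skips the (now pointless) insert at 30; when it does not
# match, evaluation simply continues at 30. END at 40 closes the bank.
bind rewrite policylabel rw_lbl_api_req rw_pol_xff_overwrite 20 40
bind rewrite policylabel rw_lbl_api_req rw_pol_xff_insert 30 NEXT
bind rewrite policylabel rw_lbl_api_req rw_pol_api_ver 40 END

# Entry point: a vserver-bound policy whose rule selects API traffic and whose
# -invoke hands evaluation to the label. A policy must carry an action even when
# the invoke is its only purpose; NOREWRITE makes it a no-op.
add rewrite policy rw_pol_is_api "HTTP.REQ.URL.PATH.STARTSWITH(\"/api/\")" NOREWRITE
bind lb vserver vs_web -policyName rw_pol_is_api -priority 10 -gotoPriorityExpression NEXT -type REQUEST -invoke policylabel rw_lbl_api_req
```

The label is evaluated only for requests that matched rw_pol_is_api; everything else on vs_web never sees these policies, which is the point of a label over a global binding. Note that `replace` touches only the header instance its target names (`VALUE(0)`), whereas `delete_http_header` removes every instance: if clients may send several X-Forwarded-For headers, add a `delete_http_header` policy ahead of the insert instead of relying on the overwrite.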


Rewrite Case Study: Redirect to alternate 404 content

• Requirement: A customer (a bank) needed to send clients who receive a 404 response (page not available) to a customized error page.

• Solution: Use rewrite to replace the entire 404 response with a 302 redirect whose Location header points to the alternate page.


Redirect to alternate 404

Commands:

• add rewrite action 404_Rewrite_Action replace_http_res "\"HTTP/1.1 302 Found\r\nLocation: http://10.10.10.1/my404.html\r\n\r\n\""

• add rewrite policy 404_Rewrite_Policy 'HTTP.RES.STATUS.EQ(404)' 404_Rewrite_Action

• bind rewrite global 404_Rewrite_Policy 1 -type RES_DEFAULT

Three details matter here: the action name must be spelled identically in both commands; the status line and the Location header each end in \r\n and are followed by an empty line, otherwise the replacement is not a valid HTTP response; and because the rule tests HTTP.RES, the policy must be bound to a response-side bank (RES_DEFAULT or RES_OVERRIDE) rather than the default request bank, where it could never match.


Case Study: Mitigating Compression

You don't want to receive compressed content because:

• Need to inject HTML into content received

• Don’t want to cache compressed content


Mitigating Compression

Commands:

• add rewrite action "remove-ae" delete_http_header "Accept-Encoding"

• add rewrite policy "remove-ae" true "remove-ae"

• bind lb vserver my_test_vsvr -policyName "remove-ae" -priority 10 -gotoPriorityExpression NEXT -type REQUEST


Mitigating HTTP Chunking

What is chunking and why…

• HTTP/1.1 supports chunked transfer encoding, which allows a message body to be sent as a series of length-prefixed chunks instead of with a single Content-Length. Chunking is most often used by the server for responses, but clients can also chunk large requests.

• Chunking header: Transfer-Encoding: chunked

• Not possible in HTTP/1.0, which has no Transfer-Encoding header


Mitigating HTTP Chunking

• add rewrite action downgrade_1.0 replace http.req.version "\"HTTP/1.0\""

• add rewrite policy to_1.0 true downgrade_1.0

• bind lb vserver test_vsvr -policyName to_1.0 -priority 20 -gotoPriorityExpression NEXT -type REQUEST

The policy is bound on the request side so the downgrade happens before the request reaches the server. A compliant server then answers an HTTP/1.0 request without chunked encoding; the price is that the server-side hop also gives up the other HTTP/1.1 features, such as persistent connections by default.


Typecasting HTTP Data Streams

• Typecasting is used to convert the HTTP data stream

• Typecasting can:ᵒ Include structured textᵒ Recognize a string as an integer valueᵒ Recognize a string as a URLᵒ Take the query part of the URL and check for the ‘&’ delimiter and put each argument in

a listᵒ Recognize the string presented as a time value


In Depth Rewrite, Responders and URL Transformation

Rewrite:

The NetScaler system rewrites requests and responses (URLs, HTTP headers and, with limits, the body)

Responder:

The NetScaler system responds based on the request

URL transformation:

The NetScaler system translates internal and external URLs


Rewrite Process


Responder Process


URL Transformation


LAB – Module 5 – Exercise 1,2,3

To continue with the lab, browse to:

http://training.mycitrixcloud.net/geoilt

Enter your business email and this session code:

NETSCALER-WORKSHOP

Work better. Live better.