Rewrite and Responder

Responder
• Provides a mechanism to create a response based purely on a request
• Is used to send a redirect to a URL or send a response to a client
• Can be used to craft error pages based on security policies
• Is configured using the Responder sub-node under the Protection Features node in the Configuration Utility

© 2012 Citrix | Confidential – Do Not Distribute

Rewrite
• Provides a mechanism to rewrite request and response URLs, HTTP headers and body
• Allows control of server-side behavior by inserting headers in the requests
• Is configured using the Rewrite node in the Configuration Utility

Rewrite
• Rewrite provides two modes: rewriting requests and rewriting responses
• Can detect response errors and provide alternate content, such as a friendly error page on 500 errors
• Allows control of server-side behavior by inserting headers in the requests
• Can rewrite inbound URLs and POST body content from a client
• Limited support for rewriting response body data

Flow Processing Order

Flow Processing
Implications of processing order:
• Any responder response bypasses all other HTTP processing
• Request rewrite policies cannot impact other basic functions
• Response rewrite policies can impact the integrated caching and application firewall functions
[Flow diagram with the stages Client, Responder, Request Rewrite, Caching, App FW, Content Switching, CF+CMP+CKA etc., LB, CF+HDOSP, SC+PQ, Server, Response Rewrite, AppFW body transformer, Apply Rewrite/other edits]

Understanding the URL Rewrite Process
Browser Request: The client's browser sends a request to the web server through the NetScaler system.
Check for Policies: The NetScaler system checks the request-time policy bank for applicable policies.
Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
Rewriting: The NetScaler system rewrites the request and forwards it to the web server.
Server Response: The web server receives the request and sends a response.
Check for Policies: The NetScaler system checks the response-time policy bank for applicable policies.
Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
Rewriting: The NetScaler system rewrites the response and forwards it to the client's browser.

Understanding the Responder Process
Browser Request: The client's browser sends a request for the web server to the NetScaler system.
Check for Policies: The NetScaler system checks the request-time policy bank for applicable policies.
Evaluation: The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
Response: The NetScaler system responds to the client request with either a redirect or a respondwith action.

Policies

Configuring Rewrite or Responder
An administrator can use the following process to configure rewrite or responder:
• Step 1: Define an action to be performed
• Step 2: Create a policy
• Step 3: Bind this policy (rule + action) to a bind point to perform rewrite

Rewrite Actions
An administrator can type the following command in the CLI to add a rewrite action:
add rewrite action <name> <type> <target> [<string>]
ᵒ Name = the name of the action
ᵒ Type = the type of action
ᵒ Target = the value of the target will vary depending on the type
ᵒ String = an expression that defines exactly what is to be done with the target

Responder Actions
An administrator can use the following command syntax to configure responder actions:
add responder action <name> <type> <target>
ᵒ Name = the name of the action
ᵒ Type = the type of action
ᵒ Target = the content to respond with

Basic Configuration: Action Configuration
• Actions provide the basis of what is to be done when a policy evaluates to true
• There are several built-in actions, for Rewrite and for Responder
• For both rewrite and responder, the general format to add an action is:
  add responder action <name> <type> <APE Expression>
  add rewrite action <name> <type> <APE Expression>
• The types of actions depend on what needs to be done

Basic Configuration: Policy Configuration
• Before any action is performed on a request or response, a policy needs to be designed that matches the request or response
• The language for specifying the condition is the Advanced Policy Engine (APE), described separately
• Policies are added through one of two commands (depending on need):
ᵒ add rewrite policy <name> <rule> <action>
ᵒ add responder policy <name> <rule> <action>

Basic Configuration: Policy Bindings
• Once an action and policy are created, the policy needs to be bound to a "label" or "bank", which dictates the order of processing
• Pre-defined labels are "global" and "vserver"
• To bind to the default label with default options:
  bind responder global <name> <priority>
  bind rewrite global <name> <priority>
• Example syntax to bind to a vserver label instead:
  bind responder vserver <vsvr name> <policy> <priority>
  bind rewrite vserver <vsvr name> <policy> <priority>

Rewrite and Responder Actions
Responder
• redirect: Create a redirect action
• respondwith: Create a full response for the request
Rewrite
• insert_http_header: Appends a new HTTP header
• delete_http_header: Deletes an HTTP header completely
• delete(_all): Deletes the text found (once)
• replace(_all): Replaces (exactly) one string with another
• insert_before(_all): Inserts a string before another string
• insert_after(_all): Inserts a string after the found string
• replace_http_res: Replaces one HTTP response with another

Rewrite Examples

Rewrite – Important Commands
> help add rewrite policy
Usage: add rewrite policy <name> <rule> <action> [<undefAction>]
where: <rule> = <expression>

> help add rewrite action
Usage: add rewrite action <name> <type> <target> [<stringBuilderExpr>] [-bypassSafetyCheck ( YES | NO )]
where: <type> = ( delete | insert_http_header | delete_http_header | insert_before | insert_after | replace )

> help set rewrite param
Usage: set rewrite param -undefAction <string>

Rewrite – Useful Commands/Tips
• Rewrite can do the following:
ᵒ Modify the URL of a request
ᵒ Modify the Cookie content
ᵒ Insert, modify or delete an HTTP request/response header
ᵒ String manipulation (insert, delete, replace, append, etc.)

Configuring Rewrite
• Step 1: Define an action to be performed
• Step 2: Create a policy
ᵒ Define the rule which determines when to apply the action
ᵒ Attach the action for the outcome of the evaluation
• Step 3: Bind this policy (rule + action) to a bind point to perform rewrite
ᵒ Priorities should be attached to a policy; they determine the sequence of policy execution
ᵒ The next policy to be evaluated can be specified using a goto expression
ᵒ Invoke a rewrite policy label or vserver-bound policies

Rewrite Actions
• add rewrite action <name> <type> <target> [<string>]
ᵒ <name>: name of the action
ᵒ <type>: type of action
ᵒ <target>: the value of the target will vary depending on the type
ᵒ <string>: an expression that defines exactly what is to be done with the target
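To make the action types concrete before the per-type slides, here is an added Python model (not NetScaler code) of how INSERT_HTTP_HEADER, DELETE_HTTP_HEADER, REPLACE, INSERT_BEFORE, INSERT_AFTER and DELETE transform a request head. The sample request, the header values and the path-index convention (PATH.GET(1) being the first directory) are assumptions modelled on the examples in this deck.

```python
from typing import Callable, List, Tuple
Request = Tuple[str, List[Tuple[str, str]]]   # (request line, ordered [(header, value)])

def parse_request(raw: str) -> Request:
    """Split a raw request head into its request line and an ordered header list."""
    lines = raw.strip("\r\n").split("\r\n")
    return lines[0], [tuple(h.split(": ", 1)) for h in lines[1:]]

def serialize(req: Request) -> str:
    line, headers = req
    return "\r\n".join([line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n"

def insert_http_header(req: Request, name: str, value: str) -> Request:
    # INSERT_HTTP_HEADER appends a header; it never replaces an existing one
    return req[0], req[1] + [(name, value)]

def delete_http_header(req: Request, name: str) -> Request:
    # DELETE_HTTP_HEADER removes every instance of the named header (both Cookie lines)
    return req[0], [(n, v) for n, v in req[1] if n.lower() != name.lower()]

def replace_path_segment(req: Request, index: int, new_segment: str) -> Request:
    # REPLACE with target HTTP.REQ.URL.PATH.GET(index): the path is a '/'-delimited
    # list, so GET(1) of "/netscaler/foo.html" selects "netscaler" (assumption)
    method, url, version = req[0].split(" ")
    parts = url.split("/")
    parts[index] = new_segment
    return f"{method} {'/'.join(parts)} {version}", req[1]

def edit_header_value(req: Request, name: str, fn: Callable[[str], str]) -> Request:
    # Models a text-reference target HTTP.REQ.HEADER(name).VALUE(0): DELETE,
    # INSERT_BEFORE and INSERT_AFTER rewrite only that text and keep the header line
    return req[0], [(n, fn(v) if n.lower() == name.lower() else v) for n, v in req[1]]

# Constructed sample request covering every header the slides' examples touch
SAMPLE = ("GET /netscaler/foo.html HTTP/1.1\r\nHost: site.com\r\nCookie: a=b\r\n"
          "Connection: close\r\nCookie: c=d\r\n\r\n")

def run_examples() -> dict:
    """Apply each sample action from the slides to SAMPLE and return the rewritten heads."""
    req = parse_request(SAMPLE)
    return {
        "act_insert": serialize(insert_http_header(req, "Client_ip", "10.102.32.100")),
        "delete_http_cookie": serialize(delete_http_header(req, "Cookie")),
        "act_replace": serialize(replace_path_segment(req, 1, "citrix")),
        "act_before": serialize(edit_header_value(req, "Host", lambda v: "india" + v)),
        # INSERT_AFTER on TYPECAST_LIST_T('.').GET(0): insert after the first host label
        "act_after": serialize(edit_header_value(req, "Host", lambda v: v.replace(".", "-india.", 1))),
        "act_delete": serialize(edit_header_value(req, "Host", lambda v: "")),
    }
```

Note that DELETE on a header value leaves an empty "Host:" line behind, whereas DELETE_HTTP_HEADER removes the line itself; the two are not interchangeable.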
INSERT_HTTP_HEADER
<type>: INSERT_HTTP_HEADER
<target>: Header name
[<stringBuilderExpr>]: Header value
add rewrite action act_insert INSERT_HTTP_HEADER Client_ip 'CLIENT.IP.SRC'
Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
  Client_ip: 10.102.32.100

DELETE_HTTP_HEADER
<type>: DELETE_HTTP_HEADER
<target>: Header name
add rewrite action delete_http_cookie DELETE_HTTP_HEADER Cookie
Before:
  GET /foo.html HTTP/1.1
  Cookie: a=b
  Connection: close
  Cookie: c=d
After:
  GET /foo.html HTTP/1.1
  Connection: close

DELETE_HTTP_HEADER
<type>: DELETE_HTTP_HEADER
<target>: Header name
add rewrite action act_delete_header DELETE_HTTP_HEADER Host
Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Connection: close

REPLACE
<type>: REPLACE
<target>: Text reference
[<stringBuilderExpr>]: Expression
add rewrite action act_replace REPLACE "HTTP.REQ.URL.PATH.GET(1)" "\"citrix\""
Before:
  GET /netscaler/foo.html HTTP/1.1
  Host: netscaler.com
  Connection: close
After:
  GET /citrix/foo.html HTTP/1.1
  Host: netscaler.com
  Connection: close
A REPLACE of the whole response (replace_http_res):
add rewrite action retry_request replace_http_res "\"HTTP/1.1 302 Temporary Redirect\\r\\nLocation: http://www.cnn.com/\\r\\n\\r\\n\""

INSERT_BEFORE
<type>: INSERT_BEFORE
<target>: Text reference
[<stringBuilderExpr>]: Expression
add rewrite action act_before INSERT_BEFORE "HTTP.REQ.HEADER(\"host\").VALUE(0)" "\"india\""
Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host: indiasite.com
  Connection: close

INSERT_AFTER
<type>: INSERT_AFTER
<target>: Text reference
[<stringBuilderExpr>]: Expression
add rewrite action act_after INSERT_AFTER "HTTP.REQ.HEADER(\"host\").VALUE(0).TYPECAST_LIST_T('.').GET(0)" "\"-india\""
Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host: site-india.com
  Connection: close

DELETE
<type>: DELETE
<target>: Text reference
add rewrite action act_delete DELETE "HTTP.REQ.HEADER(\"host\").VALUE(0)"
Before:
  GET /foo.html HTTP/1.1
  Host: site.com
  Connection: close
After:
  GET /foo.html HTTP/1.1
  Host:
  Connection: close

Built-in actions
• NOREWRITE – Do not perform rewrite
• RESET – Reset the current client and server connections
• UndefAction – If expression evaluation results in an undefined state, the UndefAction is used
ᵒ UndefAction can be specified per policy
ᵒ If a per-policy UndefAction isn't specified, the global UndefAction is applied
ᵒ NOREWRITE and RESET are the only valid undef actions

Creating Rewrite Policies
• add rewrite policy <policyName> <rule> <action> [<undefAction>]
ᵒ <rule> is a policy evaluation rule that returns a boolean result
ᵒ <action> is a rewrite action name, NOREWRITE or RESET
ᵒ <undefAction> is NOREWRITE or RESET
• Example:
ᵒ add rewrite policy pol_host '!HTTP.REQ.HEADER("Host").EXISTS' RESET

Bind points
• Vserver bind points:
ᵒ Rewrite policies can be bound to cs and lb vservers
• Global bind points:
ᵒ Override: Policies bound to this label are evaluated before vserver-specific evaluation
ᵒ Default: Policies bound to this label are evaluated after vserver-specific evaluation
• Custom bind points:
ᵒ Policy labels: the user can create these bind points and bind policies to them
ᵒ Policies bound to them are evaluated only on invoke
ᵒ They will not be evaluated if not invoked
• Invoking bind points:
ᵒ Similar to a named subroutine
ᵒ Can be invoked by policies
ᵒ Global bind points are not invokeable

Rewrite Evaluation Process
[Diagram: Bind point Selector selects a bank; the Policy Evaluator walks the Selected Bank, then either moves to the Next Bank/Invoke or, on Undefined, performs the rule-specific or global undefAction; after processing all bind points, Perform Rewrite Actions, then END]
Order of bind point evaluation:
- Override
- All active vservers (cs followed by lb)
- Default

Binding Policies
bind rewrite global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType> <labelName>)]
bind rewrite policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]
bind rewrite vserver <vServerName> <policyName> <priority> [<gotoPriorityExpression>] -type ( REQUEST | RESPONSE ) [-invoke (<labelType> <labelName>)]
<priority> is a positive integer constant
ᵒ Lower value means higher priority
ᵒ Within each bind point, duplicate priorities are not allowed
<gotoPriorityExpression>
ᵒ END: terminate policy evaluation and proceed to apply the action
ᵒ NEXT: proceed to the next policy in the priority ranking
ᵒ Positive integer: proceed to the policy with the specified priority ranking
ᵒ Advanced expressions can also be used to compute the value

Binding Policies (continued)
<type>
ᵒ indicates the type of global bind point
ᵒ REQ_OVERRIDE | REQ_DEFAULT | RES_OVERRIDE | RES_DEFAULT
<labelType>
ᵒ indicates the label type that needs to be invoked
<labelName>
ᵒ indicates the name of the vserver if <labelType> is (reqvserver | resvserver)
ᵒ indicates the name of the policylabel if <labelType> is policylabel
ᵒ CURRENT: can be used with <labelType> (reqvserver | resvserver) and causes all the active vserver-bound policies to be evaluated

Rewrite Case Study: Redirect to alternate 404 content
• Requirement: A customer (a bank) needed to direct users receiving a 404 response (i.e. page not available) to a customized error page.
• Solution: Use URL rewrite to replace the 404 response headers with a 302 redirect response giving the location of the alternate page.

Redirect to alternate 404
Commands:
• add rewrite action 404_Rewrite_Action replace_http_res "\"HTTP/1.1 302 Temporary Redirect\nLocation: http://10.10.10.1/my404.html \n\""
• add rewrite policy 404_Rewrite_Policy 'HTTP.RES.STATUS.EQ(404)' 404_Rewrite_Action
• bind rewrite global 404_Rewrite_Policy 1 -type RES_DEFAULT

Case Study: Mitigating Compression
You do not want to receive compressed content when you:
• Need to inject HTML into the content received
• Don't want to cache compressed content

Mitigating Compression
Commands:
• add rewrite action "remove-ae" delete_http_header "Accept-Encoding"
• add rewrite policy "remove-ae" true "remove-ae"
• bind lb vserver my_test_vsvr -policyName "remove-ae" -priority 10 -gotoPriorityExpression NEXT -type REQUEST

Mitigating HTTP Chunking
What is chunking and why:
• HTTP 1.1 supports chunked encoding, which allows HTTP messages to be broken up into several parts. Chunking is most often used by the server for responses, but clients can also chunk large requests.
• Chunking header: Transfer-Encoding
• Not possible in HTTP 1.0

Mitigating HTTP Chunking
• add rewrite action downgrade_1.0 replace http.req.version "\"HTTP/1.0\""
• add rewrite policy to_1.0 true downgrade_1.0
• bind lb vserver test_vsvr -policyName to_1.0 -priority 20 -gotoPriorityExpression NEXT -type REQUEST

Typecasting HTTP Data Streams
• Typecasting is used to convert the HTTP data stream
• Typecasting can:
ᵒ Include structured text
ᵒ Recognize a string as an integer value
ᵒ Recognize a string as a URL
ᵒ Take the query part of the URL, check for the '&' delimiter and put each argument in a list
ᵒ Recognize the string presented as a time value

In Depth: Rewrite, Responders and URL Transformation
Rewrite: The NetScaler system rewrites HTTP headers
Responder: The NetScaler system responds based on the request
URL transformation: The NetScaler system translates internal and external URLs

Rewrite Process
[Diagram]

Responder Process
[Diagram]

URL Transformation
[Diagram]

LAB – Module 5 – Exercises 1, 2, 3
To continue with the lab, browse to: http://training.mycitrixcloud.net/geoilt
Enter your business email and this session code: NETSCALER-WORKSHOP
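As an added illustration of the bind-point order, priority, gotoPriorityExpression and undefAction rules from the Binding Policies slides, this Python model (not NetScaler code) evaluates policy banks built from the deck's own pol_host, remove-ae and to_1.0 policies. The bank names, rules written as Python callables in place of APE, END ending only the current bank, and an integer goto jumping forward to the first priority at or past the named value are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Binding:
    policy: str
    priority: int                       # lower value = higher priority
    rule: Callable[[dict], bool]        # stands in for the APE rule expression
    action: str                         # rewrite action name, NOREWRITE or RESET
    goto: str = "NEXT"                  # gotoPriorityExpression: END, NEXT or an integer
    undef_action: Optional[str] = None  # per-policy undefAction; None = use the global one

BANK_ORDER = ["override", "cs", "lb", "default"]   # order of bind point evaluation

def evaluate_bank(bindings: List[Binding], req: dict, global_undef: str) -> List[str]:
    """Return the actions one bank selects, honouring priority order and goto."""
    bindings = sorted(bindings, key=lambda b: b.priority)   # duplicates are not allowed
    actions, i = [], 0
    while i < len(bindings):
        b = bindings[i]
        try:
            matched = b.rule(req)
        except KeyError:   # a rule touching an absent header models an UNDEF result
            return actions + [b.undef_action or global_undef]   # ends this bank
        if matched:
            if b.action == "RESET":
                return actions + ["RESET"]
            if b.action != "NOREWRITE":
                actions.append(b.action)
            if b.goto == "END":
                break
        if not matched or b.goto == "NEXT":
            i += 1
        else:  # integer goto (assumption): jump forward to the first priority >= target
            i = next((k for k, x in enumerate(bindings) if x.priority >= int(b.goto)), len(bindings))
    return actions

def evaluate(banks: Dict[str, List[Binding]], req: dict, global_undef: str = "NOREWRITE") -> List[str]:
    """Walk the banks in BANK_ORDER collecting actions; a RESET stops everything."""
    actions: List[str] = []
    for bank in BANK_ORDER:
        actions += evaluate_bank(banks.get(bank, []), req, global_undef)
        if actions and actions[-1] == "RESET":
            break
    return actions

# Constructed banks from the deck's policies: pol_host (override bank), and remove-ae
# and to_1.0 bound to an lb vserver at priorities 10 and 20 with goto NEXT
BANKS = {
    "override": [Binding("pol_host", 100, lambda r: "Host" not in r, "RESET")],
    "lb": [Binding("remove-ae", 10, lambda r: True, "remove-ae"),
           Binding("to_1.0", 20, lambda r: True, "downgrade_1.0")],
}
```

A request without a Host header is reset by the override bank before the lb bank is ever consulted, which is why a reset policy belongs at the override bind point rather than on an individual vserver.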