Responder policies allow a Citrix ADC/NetScaler to respond to a client request without querying the physical server.
The responder actions
Responder policies may use the following types of actions:
- NOOP: Don’t do anything (let the request pass through).
- DROP: Drop the request silently (don’t send a TCP ACK, the browser will see a time-out).
- RESET: Reset the connection (send a TCP reset).
- Respond with some text.
- Respond with HTML page: respond with a pre-configured HTML page.
- Redirect to somewhere.
- Reply with a SQL OK to a database query.
- Reply with a SQL Error to a database query.
While NOOP, RESET and DROP are non-configurable built-in actions, all the others have to be configured. We will focus on “respond with”, “respond with HTML” and “redirect”.
Respond with
Go to AppExpert → Responder → Actions. Click Add.
A respond with action may be as simple as some text, or a complete HTML page. The Citrix ADC/NetScaler policy engine allows adding variables into the response. In my example, I added the IP address of the client, together with the URL the user wanted to connect to.
"Leave me alone! A client with " + CLIENT.IP.SRC + " must not access " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL
The policy:
Go to AppExpert → Responder → Policies. Click Add.
I will create a simple policy to test this action:
Every policy needs a name. You have to select the action and type in the expression. My expression is CLIENT.IP.SRC.IN_SUBNET(192.168.229.0/24), so all IPs from 192.168.229.1 to 192.168.229.254.
Binding the policy
Click Policy Manager, then select Load Balancing Virtual Server, select HTTP as a protocol (as our server is using HTTP) and lb_vs_colors as the vServer, created during our load-balancing lab. Click Continue.
Testing the policy
Click the little arrow, select the policy created before, leave the priority to 100, the GoTo Expression to END and press Bind and Done.
Let’s surf to our load-balancing vServer. It should show the following error message:
A modification: Block just /red.htm
Our policy now blocks all the website for our local network. Let’s change it, so we may surf through all the page, but deny red.
I have to change the policy expression and add && HTTP.REQ.URL.EQ("/red.htm")
- && is a logical AND
- || is a logical OR
- ! is a NOT
The result is as expected: All URLs work fine, just /red.htm gets blocked.
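The same configuration entered on the NetScaler command line, as an added example that is not part of the original post. The action and policy names (rs_act_leave_me_alone, rs_pol_block_local) are my own; lb_vs_colors, the subnet and the expressions are the ones used above. Lines starting with # are annotations.

```text
# Added example: NetScaler CLI equivalent of the GUI steps above.
# Object names are assumptions; lb_vs_colors is the vServer from the load-balancing lab.

# 1. The "respond with" action. q{...} quoting lets the expression contain double quotes.
add responder action rs_act_leave_me_alone respondwith q{"Leave me alone! A client with " + CLIENT.IP.SRC + " must not access " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL}

# 2. The policy: match every client in 192.168.229.0/24 and hand the request to the action.
add responder policy rs_pol_block_local q{CLIENT.IP.SRC.IN_SUBNET(192.168.229.0/24)} rs_act_leave_me_alone

# 3. Bind it to the load-balancing vServer: priority 100, GoTo expression END, request time.
bind lb vserver lb_vs_colors -policyName rs_pol_block_local -priority 100 -gotoPriorityExpression END -type REQUEST

# 4. The modification: only block /red.htm for that subnet.
set responder policy rs_pol_block_local -rule q{CLIENT.IP.SRC.IN_SUBNET(192.168.229.0/24) && HTTP.REQ.URL.EQ("/red.htm")}

# 5. Verify: the binding on the vServer, and the hit counter after a few test requests.
show lb vserver lb_vs_colors
show responder policy rs_pol_block_local
```

One thing to keep in mind when such a policy is meant as an access control rather than a demo: HTTP.REQ.URL.EQ("/red.htm") is an exact, case-sensitive comparison of the whole URL, so /Red.htm or /red.htm?x=1 would not match it. Comparing the path only and ignoring case, for example with HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ("/red.htm"), is the more robust form.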
Respond with and HTML code
We could, of course, modify our policy expression so it returns a real HTML page. To do so, we have to set the HTTP status code and headers correctly.
The policy expression would look like that:
"HTTP/1.1 403 Forbidden\r\n\r\n<html><head><title>Forbidden</title></head><body><h1>Forbidden!</h1><p>Leave me alone! A client with " + CLIENT.IP.SRC + " must not access " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL + "</p></body></html>"
The first part (HTTP/1.1 403 Forbidden) is the HTTP status line. 402 is Payment Required, 403 Forbidden, 404 Not Found, 418 I’m a teapot (see RFC 2324). You may find all standard HTTP status codes, including links to the corresponding RFCs, at Wikipedia.
The second part is the HTML code itself. I still left my NetScaler variables in it.
You can see it easily: It’s a “real” 403, an “original” HTML response, any web-server would have done the same.
Respond with HTML
The method presented before is not a perfect one, as it is quite limited in the size of an HTML response. In addition, it is not very handy. Respond with HTML is more powerful.
First, we have to create an HTML page. This page may be downloaded from a web server, uploaded from a file or typed in directly.
The HTML page
Go to AppExpert → Responder → HTML Page Imports. Click Add.
The name of the page should be pg_404, the URL any URL that does not exist on the server, so the server will reply with its 404 page.
You see the web-page downloaded, click OK.
The action
Go to AppExpert → Responder → Actions. Click Add.
Select the right HTML page and a proper status code. A reason phrase is not needed, so leave it blank.
Let’s update the policy we created before, so it’s using this action.
This page would probably need some tweaking (let’s remove /error), but it looks exactly like the original 404 page from the server.
Don’t forget to unbind responder policies prior to continuing!
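Both HTML variants from the two sections above (the “respond with” action carrying a complete HTTP response, and the imported HTML page used by a “respond with HTML” action), plus the unbind, on the NetScaler command line. This is an added example, not part of the original post; the action and policy names are my own, the import URL is a placeholder, and pg_404 and lb_vs_colors come from the text.

```text
# Added example: the two HTML variants and the clean-up on the NetScaler CLI.
# Object names are assumptions; the import URL is a placeholder for a non-existent page on the lab server.

# A. "Respond with" carrying a complete HTTP response: status line, a Content-Type header,
#    the empty line (\r\n\r\n) that ends the headers, then the body with the NetScaler variables.
add responder action rs_act_403_html respondwith q{"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html><head><title>Forbidden</title></head><body><h1>Forbidden!</h1><p>Leave me alone! A client with " + CLIENT.IP.SRC + " must not access " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL + "</p></body></html>"}

# B. "Respond with HTML page": import the page once (the server answers /error with its 404 page),
#    then reference it from an action that also sets the status code.
import responder htmlpage http://<lb-vserver-ip>/error pg_404
add responder action rs_act_404_page respondwithhtmlpage pg_404 -responseStatusCode 404

# Point the policy created earlier at the new action.
set responder policy rs_pol_block_local -action rs_act_404_page

# After tweaking the stored page (for example removing "/error"), refresh it.
update responder htmlpage pg_404

# Before continuing with the next lab: unbind the policy, then remove what is no longer needed.
unbind lb vserver lb_vs_colors -policyName rs_pol_block_local -type REQUEST
rm responder policy rs_pol_block_local
rm responder action rs_act_404_page
rm responder action rs_act_403_html
```

The Content-Type header in variant A is an addition to the expression shown in the text; without it some browsers treat the body as plain text and show the raw tags. Variant B is the one to prefer for anything larger than a one-liner, since the page is stored on the appliance and is not subject to the size limit of a respondwith expression.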