binding the responder policy HTTP.REQ.URL. for DROP to the TCP Type Content switch vserver


I am trying to write a policy equivalent to an iRule in F5. The requirement is that the CS vserver is TCP type on port 12003. I need to write a policy to drop the connection if the "HTTP.REQ.CONTAINS("SOMETHING")" DROP.

While I am binding this responder policy to the CS VSERVER, I am getting this message: "ERROR: Policy cannot be bound to specified policy label".

Upon my research I see that the HTTP evaluation policy and the TCP type CS vserver don't fit together.

So how can I tell the CS vserver to drop the connection based on http.req content?

You might need to separate your HTTP:12003 content from the other TCP content, so you can do web-specific things on the HTTP entity(ies).

 

Is the application a mixture of TCP and HTTP content or did you just select TCP to make it simpler? If so, convert it to HTTP.

If it is a mix, then you will have separate LB or CS vservers:

add cs vserver cs_vsrv_appA_tcp TCP <VIP1> <port>  or * and use listen policies to narrow ports in use.

add cs vserver cs_vsrv_appA_HTTP HTTP <VIP1> 12003 or * and use listen policies if more than one port needed on the cs vserver.

 

Or use lb vservers if cs vserver isn't needed.

Then you can use http.req.url.contains or http.req.url.path.contains as appropriate.
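
Added example (not part of the original posts): the approach suggested in this reply, written out in NetScaler CLI as an HTTP-type content switching vserver on port 12003 with a responder DROP policy bound to it. The VIP 192.0.2.10 and the policy name rsp_pol_drop_something are constructed placeholders; the vserver name comes from the reply.

```netscaler
# Constructed values: VIP 192.0.2.10 and policy name rsp_pol_drop_something are placeholders.
# Backend binding (default LB vserver, services) is environment-specific and not shown.
enable ns feature RESPONDER CS

# HTTP-type CS vserver, so HTTP.REQ expressions can be evaluated on it.
# Binding the same policy to a TCP-type vserver is what returned
# "ERROR: Policy cannot be bound to specified policy label" in the question.
add cs vserver cs_vsrv_appA_HTTP HTTP 192.0.2.10 12003

# Responder policy using the built-in DROP action when the URL contains the string
add responder policy rsp_pol_drop_something "HTTP.REQ.URL.CONTAINS(\"SOMETHING\")" DROP

# Bind at request time; END stops further policy evaluation after a match
bind cs vserver cs_vsrv_appA_HTTP -policyName rsp_pol_drop_something -priority 100 -gotoPriorityExpression END -type REQUEST

# Confirm the binding and watch the hit counter while testing
show responder policy rsp_pol_drop_something
```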


On 25/5/2019 at 4:03 PM, Rhonda Rowland1709152125 said:

You might need to separate your HTTP:12003 content from the other TCP content, so you can do web-specific things on the HTTP entity(ies).

 

Is the application a mixture of TCP and HTTP content or did you just select TCP to make it simpler? If so, convert it to HTTP.

If it is a mix, then you will have separate LB or CS vservers:

add cs vserver cs_vsrv_appA_tcp TCP <VIP1> <port>  or * and use listen policies to narrow ports in use.

add cs vserver cs_vsrv_appA_HTTP HTTP <VIP1> 12003 or * and use listen policies if more than one port needed on the cs vserver.

 

Or use lb vservers if cs vserver isn't needed.

Then you can use http.req.url.contains or http.req.url.path.contains as appropriate.

OK. I have to speak to the app owner or the server admin who owns it. I don't know the server details yet, whether it is a mix of HTTP or TCP. Thank you for the information.

On 24/5/2019 at 2:15 AM, Mihai Cziraki1709160741 said:

You need to have an HTTP VIP (not TCP) on port 12003 to use HTTP.REQ.

Actually the http.req is the same throughout the box. Luckily it applies to each of the VIPs. So I am using it to bind globally. Still, the config is with the run team and not yet validated to push to the box. I will update this post later.

Thank you for the reply.
