
Blocking a path in a URL


Stan Svetec


Hi,

I'm struggling to find a suitable responder policy to drop requests to a URL.  Consider this:

 

www.domain.com/admin - Landing here takes you to the administrative portal of the web app/service, which I don't want

www.domain.com/admin/surveys - Landing here takes you to a bunch of proposed publicly accessible surveys, which I do want.

 

How do I allow users to get to /admin/surveys but not /admin?

 

For what it's worth, the service I'm referring to is RedCAP.

 

Regards


I would rather create a policy, action NOOP and expression HTTP.REQ.URL.STARTSWITH("/admin/surveys") and bind it with goto END.

 

Next I would create a policy, action RESPOND_WITH a 404 Not Found, and expression HTTP.REQ.URL.STARTSWITH("/admin/").

 

This would allow access to the surveys, but not to /admin. If you connect to /admin, you will get a 404 Not Found (instead you could redirect to the home page, drop, reset, whatever you like, but I am a big fan of 404s).

 

Cheers

 

Johannes Norz, freelancer from Austria

CTA, CCI, CCE-N


Assuming there are other paths besides /admin that must not be blocked,

and requests to /admin/<stuff> need to be blocked, but not /admin/surveys/<stuff>.

Lots of variations on this...

 

responder policy to DROP/RESET traffic for this expression:

http.req.url.path.get(1).set_text_mode(Ignorecase).eq("admin") && !http.req.url.path.starts_with("/admin/surveys")

 

/admin                   results: true  (drop traffic)
/admin/<stuff>           results: true  (drop traffic)
/admin/surveys/          results: false (no drop)
/admin/surveys/<stuff>   results: false (no drop)
/<otherstuff>            results: false

 

Boundary conditions about what to allow/deny are kind of critical here, but you basically need some !(admin surveys) sub-path clause to exempt certain traffic.

 

 


On 3/7/2020 at 6:44 AM, Rhonda Rowland1709152125 said:

http.req.url.path.get(1).set_text_mode(Ignorecase).eq("admin") && !http.req.url.path.starts_with("/admin/surveys")

 

/admin                   results: true  (drop traffic)
/admin/<stuff>           results: true  (drop traffic)
/admin/surveys/          results: false (no drop)
/admin/surveys/<stuff>   results: false (no drop)
/<otherstuff>            results: false

 

 

 

No matter what I try, the above will block all requests.


You may need to look at the response headers to see if the requests to /admin/surveys contain paths of the form /admin/<otherstuff> that are being counted as false positives. Or add a logging action to write out which path the responder policy blocked on. I thought I might have flubbed the logic, but it is working on my demo (though I don't have actual page content behind it). But it is working for me, based on my understanding of what you want, which could be flawed. If it is failing, try showing which URLs are being blocked that you aren't expecting. Also, I forgot one of the case-insensitive clauses, so here are my commands below.

 

I added custom logging to log the path that is blocked, so you can see if there are unexpected references causing a false positive, which can be used to tweak the expression or to see if we need to switch to regex instead. For simplicity, I just had the action use a reset. You can modify it to block or redirect as needed.

 

Based on rules above:

1) I'm assuming page could go to /<otherstuff>

2) Only block references to /admin or /admin<anyotherstuff>, while allowing all /admin/surveys and /admin/surveys<otherstuff>

 

So my recommendation is to compare your policy expression to mine for typos.

Turn on custom log messages, add an audit message action, and use it to track policy hits to find unexpected matches. My logic may be wrong or may be making an assumption that isn't valid. You can remove the log action once your policy is where you want it.

 

###

set audit syslogParams -userDefinedAuditlog YES

add audit messageaction audit_act-rs_pol_dropstuff INFORMATIONAL "\"rs_pol_dropstuff blocked this url path:  \" + http.REQ.URL.PATH"

add responder policy rs_pol_dropstuff "http.REQ.URL.PATH.GET(1).SET_TEXT_MODE(ignorecase).eq(\"admin\") && !http.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/admin/surveys\")" RESET -logAction audit_act-rs_pol_dropstuff

bind lb vserver lb_vsrv_rbg -policyName rs_pol_dropstuff -priority 100 -gotoPriorityExpression END -type REQUEST


This ended up working:

 

http.req.url.path.get(1).set_text_mode(Ignorecase).eq("admin")&&!http.req.url.path.STARTSWITH("/admin/survey")&&!http.req.url.path.STARTSWITH("/admin/resources")

 

Only /admin/survey or /admin/survey/content.html is accessible. The /admin/resources exemption was needed since it is referenced in content.html. Since the backend is IIS, I also edited the iisstart.htm landing page to redirect to /admin/survey.

 

All is good.

 

Thanks all for your feedback.

 

Regards
