
Parameters for CUSTOM profile



Dear All, 

 

I am here again, this time about some parameters that are configured in a custom HTTP profile created on our legacy load balancer; those profiles are called under virtual servers. We have to replicate the same on NetScaler ADC.

 

I tried to create a custom HTTP profile on NetScaler ADC as well, but I am not able to find any of the options below, either in the custom HTTP template or among any other options. I understand that for some options we need to create a responder / rewrite policy along with the custom HTTP profile.

 

Request Header Erase (In Legacy LB this is Selected as : "X-Forwarded-Proto")  : This Indicates the name of an HTTP request header that the Netscaler system removes from the client request. Only one header can be removed per Service Group, unless you are using some Netscaler policies.  The Header Erase option works only on headers in HTTP requests from clients to servers. 

 

What is X-Forwarded-Proto :  It is an HTTP Header and is part of the HTTP standard, It is set on each HTTP request by a proxy or load balancer and can be used by a server application to determine what protocol the client used to connect.


1.    Client sends the HTTP request to the Proxy
2.    Proxy sends the HTTP request to the Server
3.    Server sees that the URL is "http://"
4.    Server sends back 3xx redirect response telling the Client to connect to "https://"
5.    Client sends an HTTPS request to the Proxy
6.    Proxy decrypts the HTTPS traffic and sets the "X-Forwarded-Proto: https"
7.    Proxy sends the HTTP request to the Server
8.    Server sees that the URL is "http://" but also sees that "X-Forwarded-Proto" is "https" and trusts that the request is HTTPS
9.    Server sends back the requested web page or data

 

Request Header Insert (In Legacy LB this is Selected as : "X-Forwarded-Proto: https") : The Request Header Insert is a string that the system inserts as a header in an HTTP request. If the header exists already, the system does not replace it. For multiple header insertions.

 

 

Insert X-Forwarded-For (In Legacy LB this is Selected as : "Enabled") : When using connection pooling, which allows clients to make use of existing server-side connections, you can insert the X-Forwarded For header with the client IP address into a request. When you configure the BIG-IP system to insert this header, the target server can identify the request as coming from a client other than the client that initiated the connection.


Unknown Method (In Legacy LB this is Selected as :  "Allow") : Specifies the behavior (allow, reject, or pass through) when an unknown HTTP method is parsed.

 

 

Link to comment
Share on other sites

The HTTP profile on the ADC (and TCP profiles) are going to manage various http protocol settings; but you're right it won't handle these header manipulations on their own.

 

 

1) Header Insert:  X-Forwarded-Proto

So your traffic will have to come to either the lb_vsrv_app_http (HTTP:80) or lb_vsrv_app_ssl (HTTPS:443).  Based on which vserver your traffic hits, if you want the ADC to insert this header, then it will be done at REQUEST time using the rewrite feature. The services behind the lb vserver will then see which vserver you came from.

 

If the scenarios for when you want the rewrite to occur aren't specific enough they can be adjusted. But Rewrite can insert any header by identifying the header name to insert, and the string to insert there.

 

To insert the header (only if one doesn't already exist):

add rewrite action rw_act_inshdr_PROTO_http insert_http_header X-FORWARDED-PROTO "\"HTTP\""
add rewrite policy rw_pol_inshdr_PROTO_http "!http.REQ.HEADER(\"X-Forwarded-Proto\").EXISTS" rw_act_inshdr_PROTO_http

bind lb vserver lb_vsrv_app_http -policyName rw_pol_inshdr_PROTO_http -priority 100 -gotoPriorityExpression NEXT -type REQUEST

add rewrite action rw_act_inshdr_PROTO_https insert_http_header X-FORWARDED-PROTO "\"HTTPS\""
add rewrite policy rw_pol_inshdr_PROTO_https "!http.REQ.HEADER(\"X-Forwarded-Proto\").EXISTS" rw_act_inshdr_PROTO_https

bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_inshdr_PROTO_https -priority 100 -gotoPriorityExpression NEXT -type REQUEST

To replace a header with the appropriate value if one is already present:

add rewrite action rw_act_rephdr_PROTO_http replace "http.REQ.HEADER(\"X-Forwarded-Proto\")" "\"HTTP\""

add rewrite policy rw_pol_rephdr_PROTO_http "http.REQ.HEADER(\"X-Forwarded-Proto\").EXISTS" rw_act_rephdr_PROTO_http
bind lb vserver lb_vsrv_app_http -policyName rw_pol_rephdr_PROTO_http -priority 200 -gotoPriorityExpression NEXT -type REQUEST

add rewrite action rw_act_rephdr_PROTO_https replace "http.REQ.HEADER(\"X-Forwarded-Proto\")" "\"HTTPS\""
add rewrite policy rw_pol_rephdr_PROTO_https "http.REQ.HEADER(\"X-Forwarded-Proto\").EXISTS" rw_act_rephdr_PROTO_https
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_rephdr_PROTO_https -priority 200 -gotoPriorityExpression NEXT -type REQUEST
 

We can do rewrite to also delete headers, but if you plan to delete OLD and insert NEW, then just use the REPLACE.

 

Otherwise, the above scenario in your message is not clear.

If a user hits http and you then redirect to https, and then they make a new connection to https and you want to insert in the redirect response that they came from http, we can get the client to insert the x-forwarded-for header in the new request to pass through to the services.

So I based the above answer on you need the header inserted if the users hit the HTTP vserver, insert the http header to send to the destination services.  And insert the HTTPS header when traffic hits the HTTPS vserver to send to the backend services.

 

 

2) Inserting client ip via an X-forwarded-for header

Also a request time rewrite and easy to do. The ADC can insert the header to the backend based on the client IP the adc sees.

If the traffic is going from client --> proxy --> then ADC lb vserver --> service, and you need to insert a new header in addition to what the proxy passes to the adc, we can do that too. Just need more info.

 

add rewrite action rw_act_inshdr_x-forwarded-for insert_http_header X-FORWARDED-FOR client.IP.SRC
add rewrite policy rw_pol_inshdr_x-forwarded-for "!http.REQ.HEADER(\"x-forwarded-for\").EXISTS" rw_act_inshdr_x-forwarded-for

bind lb vserver lb_vsrv_app_http -policyName rw_pol_inshdr_x-forwarded-for -priority 10 -gotoPriorityExpression NEXT -type REQUEST

bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_inshdr_x-forwarded-for -priority 10 -gotoPriorityExpression NEXT -type REQUEST

Link to comment
Share on other sites
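
Added example (not part of the thread, and not Citrix or F5 code): a small Python model of the two request-time behaviours discussed above, "insert only if the header is absent" versus "erase, then insert", applied to X-Forwarded-Proto, X-Forwarded-For and X-Forwarded-Port. The function names, listener model and sample request are constructed for illustration; it shows what a backend that trusts these headers ends up seeing in each mode.

```python
# Added illustration: toy model of request-time header handling on a load
# balancer. All names and the sample request are constructed assumptions.

def insert_if_absent(headers, name, value):
    """'Request Header Insert' semantics: an existing header is left alone."""
    out = list(headers)
    if not any(k.lower() == name.lower() for k, _ in out):
        out.append((name, value))
    return out

def erase_then_insert(headers, name, value):
    """'Request Header Erase' followed by insert: the proxy's value wins."""
    out = [(k, v) for k, v in headers if k.lower() != name.lower()]
    out.append((name, value))
    return out

def forward(headers, listener_scheme, client_ip, handler):
    """Apply one handling mode to the three headers asked about in the thread."""
    port = "443" if listener_scheme == "https" else "80"
    for name, value in (("X-Forwarded-Proto", listener_scheme),
                        ("X-Forwarded-For", client_ip),
                        ("X-Forwarded-Port", port)):
        headers = handler(headers, name, value)
    return headers

def backend_view(headers):
    """What a backend that trusts the headers concludes (first value wins)."""
    seen = {}
    for k, v in headers:
        seen.setdefault(k.lower(), v)
    return seen["x-forwarded-proto"], seen["x-forwarded-for"]

# Constructed request arriving on the plain HTTP:80 listener with forwarding
# headers already present when it reaches the load balancer.
SAMPLE = [("Host", "app.example.test"),
          ("X-Forwarded-Proto", "https"),
          ("X-Forwarded-For", "10.0.0.1")]
CLIENT_IP = "203.0.113.7"

def compare():
    """Return (backend view with insert-if-absent, with erase-then-insert)."""
    weak = backend_view(forward(SAMPLE, "http", CLIENT_IP, insert_if_absent))
    strict = backend_view(forward(SAMPLE, "http", CLIENT_IP, erase_then_insert))
    return weak, strict

if __name__ == "__main__":
    print(compare())
```

With insert-if-absent, the values that arrived with the request reach the backend unchanged; with erase-then-insert, the backend sees only what the load balancer observed on its own listener.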

  • 4 months later...
On 7/10/2020 at 4:44 AM, Rhonda Rowland1709152125 said:


Hi Rhonda,

 

Can I add multiple header actions into one rewrite policy bound to a LB vserver?

I need to add these settings to my header:

  • X-Forwarded-For
  • X-Forwarded-Proto
  • X-Forwarded-Port

This is very NGINX-based, but I have been challenged to set this up in Citrix ADC.

 

Thank you for your help

 

Matt

Link to comment
Share on other sites

You would need separate rewrite policies to do separate rewrite actions.

So 3 headers would be 3 policies/3 actions.

 

When you bind these to the vserver, you need to ensure the GoTo expression is NEXT which allows multiple rewrites to apply (as opposed to END which stops processing after first match).

As long as these are separate headers (you can only modify a given header once on a single transaction)

 
