Whitelist Policy on Citrix


yusuf rifqi


Hi, I need some help.

 

So, I want to create a policy for my Virtual Server. The objective is to block access via the Virtual IP and allow access via FQDN only.

But this Virtual Server has 2 domains on it, as described below:

 

VS_Example (VIP 10.10.10.10)

domains: - www.example1.com
         - www.example2.com

 

What is the best policy (Rewrite or Responder) to create?

Thank You.


Hello,

 

As Carl mentioned, you need a responder for this purpose. 

 

Responder Action = Reset/Drop (I like reset better as it will send a reset back to the client, closing the connection immediately, and it could be useful in the future as the reset would contain an ADC error code indicating it was refused due to a responder policy).

Policy expression: 

  • HTTP.REQ.HOSTNAME.EQ("www.example1.com").NOT || HTTP.REQ.HOSTNAME.EQ("www.example2.com").NOT
  • HTTP.REQ.HOSTNAME.EQ("VIP")

Hope this helps


13 hours ago, Roman Dario Lemes Gonzalez said:


Thanks Roman Dario, I'll try it first.


You have two conflicting expressions up there between Carl's and Roman's recommendations :)

 

If this was a positive assertion and you wanted to BLOCK either URL1 or URL2, so a blacklist example where responder engages for either URL you would use an expression like:

A || B

Example:  http.req.hostname.eq("www.example1.com") || http.req.hostname.eq("www.example2.com")

 

But since you want a negative assertion where you want the Responder Policy HIT to be TRUE only when the URL is NOT on the whitelist, you need to invert the logic:

The opposite of (A||B) is (!A && !B)   and it can also be expressed as !(A || B)

 

So to have the RESPONDER policy DROP any URL NOT on your whitelist, you want the policy expression TRUE when it is not one of your allowed URLs.

Therefore you need the && and not the ||

To whitelist hostname www.example1.com and www.example2.com and block anything without the required FQDNs:  (any of the following do the same thing)

!http.req.hostname.eq("www.example1.com") && !http.req.hostname.eq("www.example2.com")

http.req.hostname.eq("www.example1.com").not && http.req.hostname.eq("www.example2.com").not

!(http.req.hostname.eq("www.example1.com") || http.req.hostname.eq("www.example2.com"))

 

If you need to see the logic, it is below. If you didn't need this, you can disregard.

 

So policy result example using the first expression:

Your responder policy is set to DROP/REDIRECT etc for this condition:  !http.req.hostname.eq("www.example1.com") && !http.req.hostname.eq("www.example2.com")

meaning when the expression is TRUE

  • Example 1: user goes to https://www.example1.com/<stuff>
    • For clause !A && !B:  A is true, B is false, therefore the final expression is !(true) && !(false), which is true && false, which is an overall FALSE - no policy hit occurs, and traffic is allowed (valid hostname on whitelist)
  • Example 2:  user goes to https://www.example2.com/<stuff>
    • For clause !A && !B: A is false, B is true. Therefore the final expression is FALSE - again, no policy hit occurs and traffic is allowed (valid hostname on whitelist)
  • Example 3:  user goes to https://www.example3.com/<stuff> which is not on the whitelist...
    • For clause !A && !B:  A is false, B is false, which makes the final expression TRUE - a policy hit will occur as the hostname is NOT on the whitelist

 

For users connecting by VIP, you can also easily redirect them by name as well.

Definitely use responder and not rewrite for this though.

 

 


10 hours ago, Rhonda Rowland1709152125 said:


Hi Rhonda Rowland,

Thanks a lot for your explanation!

 

So I decided to use this kind of expression :

 

"http.req.hostname.eq("www.example1.com").not && http.req.hostname.eq("www.example2.com").not"   

 

but I don't know yet whether it is running as expected, because it is currently in testing. I'll post an update about it.

 

Once again, Thanks.


Also, as a reminder, equals is a case-sensitive comparison on the ADC. So, it will be affected by www.example1.com vs www.EXAMPLE1.com, unless you make it case-insensitive.  And I forgot to include this in my expression above:  http.req.hostname.set_text_mode(ignorecase).eq("www.example1.com").not etc...

 

It should work, but if you have issues - feel free to post back.

 

You should be able to have three test cases:

1) http://www.example1.com/<somevalid url path>  (or https:// if your vserver is SSL)

2) http://www.example2.com/<somevalid path>

These two should result in no responder policy hit and the page being delivered.

3) http://<VIP1>/<somevalid url path>

This should result in a responder policy hit.

 

If you are using a DROP action, the browser will time out.

If you use a REDIRECT, then you should see your request redirect to the name you specified.  You can use a browser tool to confirm the 302 redirect on the first request. 

Or you can use a RESPOND WITH / import page action to give yourself an error page or a response that says "responder did this."
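The following is an added example, not code from the thread or from Citrix. It models the responder-policy expressions from Rhonda's logic walkthrough (the three equivalent whitelist forms versus the earlier `||` form) together with the case-sensitivity caveat and the three test cases from her follow-up, so the verdicts can be checked offline before touching a real ADC. The evaluator is a stand-in for the policy engine, not the engine itself; the VIP value comes from the question, the test hostnames are constructed, and the `EXAMPLE_CONFIG` string is an assumed NetScaler CLI rendering of the policy that is shown for orientation and never executed here.

```python
"""Offline model of the responder-policy expressions discussed in this thread.

Added example, not taken from the thread or from Citrix. The functions below
stand in for the ADC policy engine so the whitelist logic and the
case-sensitivity caveat can be checked against constructed hostnames.
"""

# Inputs taken from the question: the two allowed FQDNs and the VIP of VS_Example.
ALLOWED = ("www.example1.com", "www.example2.com")
VIP = "10.10.10.10"

# Assumed NetScaler CLI that would put the whitelist into effect. It is not from
# the thread and is not executed by this script; it is here for orientation only.
EXAMPLE_CONFIG = """
add responder policy rsp_fqdn_only 'HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("www.example1.com").NOT && HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("www.example2.com").NOT' RESET
bind lb vserver VS_Example -policyName rsp_fqdn_only -priority 100 -gotoPriorityExpression END -type REQUEST
"""


def hostname_eq(hostname: str, value: str, ignorecase: bool = False) -> bool:
    """Stand-in for HTTP.REQ.HOSTNAME.EQ(value), optionally preceded by
    SET_TEXT_MODE(IGNORECASE). EQ on the ADC is case-sensitive by default."""
    if ignorecase:
        return hostname.lower() == value.lower()
    return hostname == value


def blacklist_hits(hostname: str, ignorecase: bool = False) -> bool:
    """A || B: the positive assertion. A hit means the host IS one of the names."""
    a = hostname_eq(hostname, ALLOWED[0], ignorecase)
    b = hostname_eq(hostname, ALLOWED[1], ignorecase)
    return a or b


def whitelist_hits_and(hostname: str, ignorecase: bool = False) -> bool:
    """!A && !B (same truth table as A.NOT && B.NOT): the policy hits only when
    the host matches neither allowed name, i.e. the request should be reset."""
    a = hostname_eq(hostname, ALLOWED[0], ignorecase)
    b = hostname_eq(hostname, ALLOWED[1], ignorecase)
    return (not a) and (not b)


def whitelist_hits_negated_or(hostname: str, ignorecase: bool = False) -> bool:
    """!(A || B): De Morgan's equivalent of whitelist_hits_and."""
    return not blacklist_hits(hostname, ignorecase)


def conflicting_hits(hostname: str, ignorecase: bool = False) -> bool:
    """!A || !B: the '||' form from the earlier reply. No hostname can equal both
    names at once, so at least one side is always true and this expression hits
    for every request, including the two allowed FQDNs (it would block all traffic)."""
    a = hostname_eq(hostname, ALLOWED[0], ignorecase)
    b = hostname_eq(hostname, ALLOWED[1], ignorecase)
    return (not a) or (not b)


def expressions_agree(hostnames, ignorecase: bool = False) -> bool:
    """True when both whitelist forms return the same verdict for every input."""
    return all(
        whitelist_hits_and(h, ignorecase) == whitelist_hits_negated_or(h, ignorecase)
        for h in hostnames
    )


def policy_verdicts(hostnames, ignorecase: bool = False) -> dict:
    """Map each hostname to 'RESET' (policy hit) or 'ALLOW' (no hit) under the
    !A && !B whitelist expression with a RESET action."""
    return {h: ("RESET" if whitelist_hits_and(h, ignorecase) else "ALLOW") for h in hostnames}


# Constructed test hostnames: the three cases from the follow-up post, a request
# sent to the VIP, and a mixed-case variant that exposes the case-sensitivity caveat.
TEST_HOSTNAMES = (
    "www.example1.com",
    "www.example2.com",
    "www.example3.com",
    VIP,
    "www.EXAMPLE1.com",
)

if __name__ == "__main__":
    for mode in (False, True):
        print("ignorecase=%s" % mode)
        for host, verdict in policy_verdicts(TEST_HOSTNAMES, mode).items():
            print("  %-20s %s" % (host, verdict))
    print("both whitelist forms agree:", expressions_agree(TEST_HOSTNAMES))
    print("'||' form hits every host:", all(conflicting_hits(h) for h in TEST_HOSTNAMES))
```

Running the script prints the verdict table twice: with the default case-sensitive EQ, `www.EXAMPLE1.com` is reset even though it is an allowed name, and only the `SET_TEXT_MODE(IGNORECASE)` variant lets it through. It also confirms that the `!A || !B` form hits every host, which is why the two earlier recommendations conflicted.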
