
I need to return a 403 forbidden when certain criteria is matched


In summary, I have these two entries in the "App Expert":

add responder action http_403_forbidden respondwith q{"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 10\r\n\r\n403 Forbidden\r\n"}

add responder policy SITE_JCM-403 "HTTP.REQ.HOSTNAME.REGEX_MATCH(re%.*-myapp\\host\\.com$%) && HTTP.REQ.URL.PATH.REGEX_MATCH(re%^/v[0-9]+/.*%).NOT" http_403_forbidden

What I am expecting is that when the hostname is matched and the URL path of (regex) /v[0-9]+/<anything> is NOT matched, the ADC returns a 403. For example, a URL starting with /v1/something.html is valid, but a URL /something.html should get the 403 response.

Am I on the right track with this?

Yes, you are on the right path. If traffic hits the vserver meeting this criteria, the responder policy can respond in this case with your custom 403 message (as opposed to a 301/302 redirect or a custom web response).

So, just a few quick tweaks to the custom response and maybe the regex, if needed:

Your 403 action might need an extra final terminating \r\n, as the end of the header section is a double \r\n\r\n and the end of the body section is also a double \r\n\r\n.

add responder action http_403_forbidden respondwith q{"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 10\r\n\r\n403 Forbidden\r\n\r\n"}

For the regex, it looks right BUT you might be able to tweak it. Test to make sure.

REGEX operations are more expensive than regular before string/after string/eq/contains policy expressions. But if needed they can definitely be used.

I'm going to confirm your logic though:

Are you sure you need to match on hostname, and not just whether the path is valid/invalid?

The reason I ask: if you're not careful, you only block the paths when the hostname is used and not an IP (meaning they still get in). If you filter the path only (regardless of hostname), it will always block and you won't have an exemption.

If this is the hostname for all traffic on this lb vserver, then the hostname doesn't need to be part of the traffic and you can filter solely based on the path missing the required element.

If you need to filter traffic to this FQDN but not others on the same vserver, then content switching might be better (or separate lb vservers).

The regex looks in the ballpark, but it might need some tweaking. I can't test it right now.
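As an added example (not part of any post in this thread), the following Python models the two policy variants discussed above, the posted hostname-plus-path policy and the path-only alternative, and runs both over a few constructed requests, including one that reaches the vserver by IP address. The host pattern (a stand-in for the posted one), the Request type and the sample requests are assumptions; REGEX_MATCH is approximated with Python's re.search, and HTTP.REQ.HOSTNAME is assumed to carry the Host header value.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the host pattern in the posted policy (how the CLI
# unescapes "\\host" there is unclear), so "-myapp.example.com" is assumed here.
HOST_RE = re.compile(r".*-myapp\.example\.com$")
# Path pattern as posted: a version prefix such as /v1/ or /v12/.
PATH_RE = re.compile(r"^/v[0-9]+/.*")


@dataclass
class Request:
    host: str  # assumed: what HTTP.REQ.HOSTNAME evaluates to (Host header value)
    path: str  # what HTTP.REQ.URL.PATH evaluates to


def policy_with_hostname(req: Request) -> bool:
    """True means the responder action fires (403).
    Mirrors the posted policy: HOSTNAME matches AND PATH does NOT match."""
    return bool(HOST_RE.search(req.host)) and not PATH_RE.search(req.path)


def policy_path_only(req: Request) -> bool:
    """True means 403. The alternative suggested above: filter on the path alone."""
    return not PATH_RE.search(req.path)


# Constructed sample requests; 203.0.113.10 is an RFC 5737 documentation address.
SAMPLES = [
    Request("api-myapp.example.com", "/v1/something.html"),
    Request("api-myapp.example.com", "/something.html"),
    Request("203.0.113.10", "/something.html"),  # same vserver reached by IP
]


def compare(requests=SAMPLES):
    """Return, per request, whether each policy variant would send the 403."""
    return [
        {
            "host": r.host,
            "path": r.path,
            "hostname_policy_403": policy_with_hostname(r),
            "path_only_policy_403": policy_path_only(r),
        }
        for r in requests
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The third sample shows the exemption described above: with the hostname in the expression, a request for /something.html that arrives with an IP address in the Host header is not blocked, while the path-only policy blocks it.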

  • 1 year later...

Hi!

I adjusted the expression Rhonda posted a bit (a bit longer content-length, because with 10 it just produces "Forbid"):

add responder action http_403_forbidden respondwith q{"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 10\r\n\r\n403 Forbidden\r\n\r\n"}

This seems to work OK with a browser, but if I do an HTTP GET with Postman, I'm getting "Could not get response, Error: aborted". This is with 13.0-85.19.

I got a proper response also in Postman on 12.1-64.17 with the following responder action:

add responder action rsp_act_403notallowed respondwith "\"HTTP/1.1 403 Forbidden\n\n\"+ \" 403 Forbidden\""

But with 13.0-85.19 it doesn't work.

I'm using Postman to verify that the properly formatted 403 response is generated also for API access and such. Ideas?


Don't specify a content length unless you need one. They are optional, but if provided the length must be exact. If longer than your response, the browser will hang waiting for it.

You may want a connection:close header though. Simplify your headers to see if you get different results.

Try a web browser first. Then see if Postman is making pure web requests or something different.
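As an added example (not code from any post above, and not Citrix code), the following Python checks the framing of a raw response body of the kind placed in a responder action the way an HTTP/1.1 client would: it compares the declared Content-Length with the actual body bytes, notes whether Connection: close is present, and builds a response whose length is computed rather than typed by hand. The POSTED bytes are a constructed copy of the action at the top of the thread; the to_respondwith helper and its q{"..."} quoting with \r\n escapes are modelled on the form used in this thread and are an assumption to verify on your own appliance.

```python
from typing import Any, Dict, Tuple

# Constructed copy of the action as posted at the top of the thread.
POSTED = (b"HTTP/1.1 403 Forbidden\r\n"
          b"Content-Type: text/html;charset=utf-8\r\n"
          b"Content-Length: 10\r\n"
          b"\r\n"
          b"403 Forbidden\r\n")


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header map and body.
    The header section ends at the first empty line (CRLF CRLF)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF header terminator; a client keeps waiting for headers")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def check_framing(raw: bytes) -> Dict[str, Any]:
    """Report what an HTTP/1.1 client would make of the response framing."""
    status, headers, body = split_response(raw)
    result: Dict[str, Any] = {
        "status": status,
        "actual_body_length": len(body),
        "connection_close": headers.get("connection", "").lower() == "close",
    }
    declared = headers.get("content-length")
    if declared is None:
        result["verdict"] = ("no Content-Length: the client reads the body until the "
                             "connection closes, so Connection: close is needed")
        return result
    n = int(declared)
    result["declared_content_length"] = n
    if n == len(body):
        result["verdict"] = "ok"
    elif n > len(body):
        result["verdict"] = (f"Content-Length exceeds the body by {n - len(body)} bytes: "
                             "the client hangs waiting for bytes that never arrive")
    else:
        result["verdict"] = (f"Content-Length is shorter than the body: the client shows only "
                             f"the first {n} bytes and the rest is left over on the connection")
        result["client_sees"] = body[:n]
    return result


def build_403(body: bytes = b"403 Forbidden\r\n", with_length: bool = True,
              close: bool = True) -> bytes:
    """Build a 403 whose Content-Length is computed from the body."""
    lines = [b"HTTP/1.1 403 Forbidden", b"Content-Type: text/html;charset=utf-8"]
    if with_length:
        lines.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    if close:
        lines.append(b"Connection: close")
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def to_respondwith(raw: bytes) -> str:
    """Render the bytes in the q{"..."} form with \\r\\n escapes used in this thread
    (assumed to be what the CLI expects; verify on your own appliance)."""
    text = raw.decode("ascii").replace("\r", "\\r").replace("\n", "\\n")
    return 'q{"' + text + '"}'


if __name__ == "__main__":
    print(check_framing(POSTED))
    fixed = build_403()
    print(check_framing(fixed))
    print("add responder action http_403_forbidden respondwith", to_respondwith(fixed))
```

Run against the posted action, the check reports a declared length of 10 against a 15-byte body, so a client shows only "403 Forbid"; the built response declares 15 and adds Connection: close, which also covers the case where Content-Length is left out entirely.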
