
URL Transformation


Khurram Noor


Hi Experts,


I am stuck on an issue which I am looking to get some help on, using either URL transformation or rewrite. The scenario is: there is a single URL, and only one URL, which the client would request, i.e. https://rae_analytics.domain.ext, which is a VIP on NetScaler and maps to the backend (172.29.100.150), which is listening on the URL https://rae-computational-vip.domain.int

I thought this would be easy to tackle until I saw the redirects which https://rae-computational-vip.domain.int does for any request that comes to it.

This is how it works internally… and the client expects it to work the same way externally.
 
===============================================================================================================================================================================================
This internal URL https://rae-computational-vip.domain.int sends user for authentication to https://fgp-auth-rae.domain.int
 
Once the user authenticates, he gets redirected back to https://fq-ui-rae.domain.int, and from there it can go to any of the URLs below based on the links he would click on.

Basically it’s like this as I imagine: https://rae-computational-vip.domain.int -> https://fgp-auth-rae.domain.int -> https://fq-ui-rae.domain.int
 
And then from here, anywhere below
 
https://fgp-console-rae.domain.int
https://fgp-grafana-rae.domain.int
https://fgp-api-rae.domain.int
https://fgp-dashboard-rae.domain.int
 
All of the above internal URLs resolve back to the same backend IP 172.29.100.150, which is a Kubernetes cluster VIP.

Unfortunately, I have been tasked to accomplish it on an outdated NetScaler v10.5, hence I can’t open a TAC case to get help from Citrix.

Attached is the HTTP live capture…

At the moment I am trying something like the below, but it didn’t work… even if it does work… there are multiple URLs that need to translate back to one URL, which is making me think about how multiple actions inside the transform profile would be able to differentiate between them. Would I need a one-to-one mapping between URLs to make it work… probably this is not what the client would want ☹

 

!

add transform action rewrite_act01_raeanalytics rewrite_pro_raeanalytics 100
set transform action rewrite_act01_raeanalytics -priority 100 -reqUrlFrom "rae_analytics.domain.ext/(.*)" -reqUrlInto "rae-computational-vip.domain.int/$1" -resUrlFrom "rae-computational-vip.domain.int/(.*)" -resUrlInto "rae_analytics.domain.ext/$1" -cookieDomainFrom domain.ext -cookieDomainInto domain.int

!

 

Reg.

fgp_302_redirect.txt


OK, I also tried with rewrite bound to the LB vserver as below: still can't seem to get it to work.

 

Policy -> Rewrite->Request

add rewrite action rewrite_host_hdr_act01_req replace "HTTP.REQ.HEADER(\"Host\")" "\"fgp-ui-rae.domain.ext\""
add rewrite policy rewrite_host_hdr_pol01_req "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"rae_analytics.domain.int\")" rewrite_host_hdr_act01_req

 

Policy -> Rewrite->Respond

add rewrite action rewrite_host_hdr_act02_res replace "HTTP.RES.HEADER(\"Host\")" "\"rae_analytics.domain.int\""
add rewrite policy rewrite_host_hdr_pol02_res "HTTP.RES.HEADER(\"Host\").CONTAINS(\"fgp-ui-rae.domain.ext\")" rewrite_host_hdr_act02_res

 


I'm having trouble understanding the exact scenario you are trying to accomplish and when you say it didn't work, what doesn't work? 1) no rewrite at all was performed or 2) it was performed but not correct?

 

You're mentioning both redirects and rewrites that need to occur, but when you say it redirects for authentication are you referring to a lb vserver integrated with AAA authentication vserver?

If it's not authentication vserver integration, then are responder policies in use?

If so, do you want the rewrites occurring before or after the authentication phase? (Which in some cases we might not be able to adjust.)

Or are you only rewriting the URLs for the final destination URLs?

 

When planning URL Transform (or complicated rewrites):

- Clearly define what your request-time client-side URL patterns are and what they need to be mapped to server-side. If instead a user makes a request to "x" and you want to send them a redirect to "y" and they make a new request to the new location, then this is not rewrite, it is responder.

- We need to note if there are any other responder/aaa integrations

- For the other websites what rewrites or redirects do you want to occur

- And we just need to be sure when do you want a rewrite or transform done so the client does not see the change in url vs. a redirect where the client does?  That's going to affect the features in use.

- Will you be using content switching for the kubernetes services based resources AND what redirects or rewrites do you need for them. Or should they be ignored and only the first reference you made needs to be modified.

 

 

A couple of quick thoughts:

With regular rewrite policies (not URL transform), your response-time rewrite is not a header rewrite; it's a body rewrite for URLs embedded in the response body. (This is what the response-time URL transform does.) The request-time rewrite affects the request URL.

 

Responder policies run before rewrite and url transform. So if it is in use it may affect what we are trying to do.

Back in 10.5, I don't recall the order of AAA processing vs. responder. In 11.1 and later (or 12.0 and later), AAA runs before responder, BUT there is a way to bind responder before AAA processing. Rewrites still run much later (as do URL Transforms).

So, depending on what you are actually trying to accomplish there may be things we can't adjust because of the build you are on.

 

Does the external config which is working also involve AAA authentication vservers and url transforms?  Outside of the kubernetes services, is anything else making the internal result different than the external behavior?
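
A small Python model of the mapping question raised in this thread, added here as an illustration (not part of any post, and not NetScaler code): it applies the posted action's From/Into pairs to the internal hosts named in the first post, and to a hypothetical profile with one action per internal host. The first-match-in-priority-order behaviour, the `/app/start` path and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

INTERNAL = ".domain.int"              # internal suffix used in the thread
EXTERNAL = "rae_analytics.domain.ext"
# Internal hosts named in the thread; the /app/start path is a constructed sample.
HOSTS = ["rae-computational-vip", "fgp-auth-rae", "fq-ui-rae", "fgp-console-rae",
         "fgp-grafana-rae", "fgp-api-rae", "fgp-dashboard-rae"]
LOCATIONS = [f"https://{h}{INTERNAL}/app/start" for h in HOSTS]

def action(internal_host):
    # One transform action as (reqFrom, reqInto, resFrom, resInto); $1 becomes \1.
    return (f"{EXTERNAL}/(.*)", f"{internal_host}/\\1",
            f"{internal_host}/(.*)", f"{EXTERNAL}/\\1")

POSTED = [action("rae-computational-vip.domain.int")]   # the action in the post
MANY_TO_ONE = [action(h + INTERNAL) for h in HOSTS]     # hypothetical profile

def apply(url, pairs):
    # Assumed model: match "host/path" against each pattern in priority order;
    # the first match rewrites the URL, no match leaves it untouched.
    parts = urlsplit(url)
    target = parts.netloc + parts.path
    for pattern, into in pairs:
        m = re.fullmatch(pattern, target)
        if m:
            return f"{parts.scheme}://{m.expand(into)}"
    return url

def to_client(url, actions):          # response-time mapping (resUrlFrom/Into)
    return apply(url, [(a[2], a[3]) for a in actions])

def to_server(url, actions):          # request-time mapping (reqUrlFrom/Into)
    return apply(url, [(a[0], a[1]) for a in actions])

def leaked(actions):
    # Redirect targets the client would still receive with an internal hostname.
    return [u for u in LOCATIONS
            if urlsplit(to_client(u, actions)).hostname.endswith(INTERNAL)]

def misrouted(actions):
    # Internal URLs that do not survive internal -> external -> internal.
    return [u for u in LOCATIONS
            if to_server(to_client(u, actions), actions) != u]

if __name__ == "__main__":
    print("posted action leaks:", leaked(POSTED))
    print("many-to-one misroutes:", misrouted(MANY_TO_ONE))
```

Under this model, the posted action lets six of the seven redirect targets reach the client with their internal hostname. The many-to-one profile leaks nothing, but the same six hosts come back mapped to the first action's host on the next request.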

 


Hi Rhonda Rowland.

 

First of all, thanks for your time and for putting all these questions out. I will try to answer to the best of my knowledge.

 

1. what doesn't work? 1) no rewrite at all was performed or 2) it was performed but not correct?

   - The URL transformation doesn't work, although I see hits on the policies I have made.

 

2. You're mentioning both redirects and rewrites that need to occur, but when you say it redirects for authentication are you referring to a lb vserver integrated with AAA authentication vserver?

 - The redirects are done by the internal Kubernetes cluster VIP to itself, as it has multiple URLs. The authentication service is internal to the Kubernetes cluster, and not like an AAA authentication vserver on the NetScaler.

 

3.  If it's not authentication vserver integration, then are responder policies in use?

  - No responder policies are used.

 

4. If so, do you want the rewrites occurring before or after the authentication phase? (Which in some cases we might not be able to adjust.)

Or are you only rewriting the URLs for the final destination URLs?

 - The intention was to use transform URLs (the rewrite option was only tried, but it looks like it doesn't work) on the destination.

 

5. - Clearly define what your request-time client-side url patterns are and what they need to be mapped to server-side. If instead a user makes a request to "x" and you want to send them a redirect to "y" and they make a new request to new location, then this is not rewrites it is responder.

- The external URL which the user can resolve is rae_analytics.domain.ext, which needs to be transformed to fgp-ui-rae.domain.int. Once the Kubernetes cluster receives this request, it redirects the client to authenticate to the fgp-auth-rae.domain.int URL. In my case, I was trying to map rae_analytics.domain.ext to both fgp-ui-rae.domain.int and fgp-auth-rae.domain.int.

 

6. We need to note if there are any other responder/aaa integrations

 - No AAA integration was requested in this deployment. The requirement was to proxy everything from the client to the Kubernetes cluster via NetScaler.

 

7.  For the other websites what rewrites or redirects do you want to occur

 - As mentioned above, I was trying to map rae_analytics.domain.ext to both fgp-ui-rae.domain.int and fgp-auth-rae.domain.int. The rest of the URL path should stay the same after the FQDN.

 

8. we just need to be sure when do you want a rewrite or transform done so the client does not see the change in url vs. a redirect where the client does? 

 - That's perfectly fine, we don't need the client to see the internal FQDN; however, the URL path can still be visible to them... no issues.

 

9. Will you be using content switching for the kubernetes services based resources AND what redirects or rewrites do you need for them. Or should they be ignored and only the first reference you made needs to be modified.

 - At the moment, I was trying this only with a single virtual server with a transform policy. I may extend it (if this works) to use a content switching vserver with dedicated URLs to forward traffic to specific lb vservers, each having a different transform policy attached.

 

10. Does the external config which is working also involve AAA authentication vservers and url transforms?  

- No AAA vservers involved, only URL transformation 

 

11. Outside of the kubernetes services, is anything else making the internal result different than the external behavior?

- I am not sure if I understand this question.

 

 

Can you tell me if there is a way to see what is happening to a request coming to a NetScaler vserver that has a URL transformation policy attached? As I mentioned, I do see the policy is getting hits, but where do I check what the policy is actually doing with the request? I assume a policy hit means that it is getting a matching request, but I am not sure why an action is not happening in it. I tried NS trace, but it gave empty capture files...

Capture1.JPG

Capture2.JPG

Capture3.JPG

Capture4.JPG

Capture5.JPG
