
Reverse Proxy for Mobile App - Design Assistance


Skip Miller


Goal: Securely Reverse Proxy Mobile App to Web Server Securely (App Authenticates with Token internally) with 

 

1) Transparently Rewrite the URL from External to Internal URLs (public.domain.com to internal.domain.com) (would this be a "transform" policy)

2) Pass through Encoding in both directions without modification (no netscaler compression). 

3) Allow a white list of URL Suffixes and drop all other requests. 

 

What would the recommended design be? Strictly a Load Balancer with policies (transform\rewrite) \ Content Switch or something more complicated... 

(the distinction between  "reverse proxy" and rules based load balancing is a little confusing)  

 

Thanks so much for the help.


Hi Skip,

 

I'll get straight to it :):

 

1) Yes this would essentially be done with a transform action. This is actually featured as an example in the docs, which you can find at https://docs.citrix.com/en-us/citrix-adc/13/appexpert/rewrite/rewrite-action-policy-examples/example-12-rewrite-hostname-url-client.html

 

2) Encoding/compression is completely configurable, so if you don't  bind any policies regarding those features, then you won't be bothered by them

 

3) You could do this by creating a pattern set and add your allowed paths to it, then use a responder policy with a drop action and an expression like HTTP.REQ.URL.PATH.CONTAINS_ANY("YourPatternsetName").NOT

 

Which features to use does not only depend on this particular application. In essence a load balancer will suffice, but you could also place a content switch in front of it, e.g. to use that IP for other purposes as well.

 

Hope this helps.

 

Cheers,
G.
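
How the operator chosen in the drop expression from point 3 decides which paths get through, as an added example that is not part of the original reply: a Python model (not NetScaler code) of `CONTAINS_ANY` next to `ENDSWITH_ANY` and `EQUALS_ANY`, the other pattern-set operators of the NetScaler expression language. The pattern-set entries and request targets are constructed for illustration.

```python
# Model of the drop decision in a responder policy of the form
#   HTTP.REQ.URL.PATH.<OPERATOR>("patset").NOT  -> DROP
# Pattern-set entries and request targets are constructed sample data.

ALLOWED = ["/login", "/api/token", "/api/orders"]  # hypothetical patset entries

OPERATORS = {
    "CONTAINS_ANY": lambda path, pat: pat in path,          # substring anywhere
    "ENDSWITH_ANY": lambda path, pat: path.endswith(pat),   # suffix only
    "EQUALS_ANY":   lambda path, pat: path == pat,          # whole path
}

def url_path(request_target):
    """Path part of a request target, without the query string."""
    return request_target.split("?", 1)[0]

def action(request_target, operator, patset=ALLOWED):
    """'DROP' when no pattern matches (the .NOT branch), otherwise 'PASS'."""
    match = OPERATORS[operator]
    path = url_path(request_target)
    return "PASS" if any(match(path, p) for p in patset) else "DROP"

def admitted_beyond_exact(targets, operator, patset=ALLOWED):
    """Targets that `operator` passes although EQUALS_ANY would drop them."""
    return [t for t in targets
            if action(t, operator, patset) == "PASS"
            and action(t, "EQUALS_ANY", patset) == "DROP"]

SAMPLE_TARGETS = [
    "/login",
    "/login?next=/admin",     # query string is not part of the path
    "/api/orders",
    "/admin/login-audit",     # contains "/login" but is not an allowed path
    "/internal/api/token",    # ends with "/api/token" under another prefix
    "/admin",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        row = {op: action(target, op) for op in OPERATORS}
        print(f"{target:24} {row}")
    for op in ("CONTAINS_ANY", "ENDSWITH_ANY"):
        print(op, "passes beyond exact match:",
              admitted_beyond_exact(SAMPLE_TARGETS, op))
```

Listing the paths each operator admits beyond an exact match is a quick review step before binding an allowlist policy to the virtual server.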


  • 2 weeks later...

Thanks so much for the help. I gave the transform policy a try but I am not sure it's actually what is needed in retrospect. When trying the transform above, the URL visibly redirects to the new URL (which in this case is not resolvable).

 

We have an "external.hostname.com" and an "internal.hostname.com"  the internal url is not resolvable from the internet and needs to be (reverse) proxied.  The internet user would enter something like  "external.hostname.com\login" and continue to see the external url while the netscaler proxies this on the back end to "internal.hostname.com\login" . 

 

I came across a discussion (below) that suggests a "Cache Redirection" server, which I also attempted:

- I created an SSL Load Balancer VIP,

- an internal and external map policy

- an SSL reverse proxy Cache Redirection server.

 

However I am unable to complete the instance because I get an error when selecting my default load balancer VIP "PXY and cache protocol should be the same" though they seem to be correct.  Any thoughts on this and\or, are there methods that are transparent to the end user?

 

 

Quote

 

"He needs to create two LB's in reverse mode and then create a reverse cache redirection vserver.

Next create map policies and cache policies and bind them to the cache redirection vserver and will then act as reverse proxy"

https://discussions.citrix.com/topic/405953-netscaler-reverse-proxy/

 

 


Hi Skip,

 

Looking back on my initial reply it seems I linked to a docs article about rewrites. While you might be able to do what you're looking for with rewrites, the correct resource I actually wanted to link to is https://support.citrix.com/article/CTX128091/how-to-change-destination-hostname-of-http-get-request-using-url-transformation-feature. Not sure why I didn't link to this in the first place, might be an oversight on my side, but that would explain why you were not getting the results you wanted to see. 


Cheers!

G.


On 6/27/2022 at 2:28 AM, Gunther De Poortere said:

Hi Skip,

 

Looking back on my initial reply it seems I linked to a docs article about rewrites. While you might be able to do what you're looking for with rewrites, the correct resource I actually wanted to link to is https://support.citrix.com/article/CTX128091/how-to-change-destination-hostname-of-http-get-request-using-url-transformation-feature. Not sure why I didn't link to this in the first place, might be an oversight on my side, but that would explain why you were not getting the results you wanted to see. 


Cheers!

G.


That last suggestion was the key. Thanks!

 

 
