
Re-write policy issues from 12.1 to 13.0/13.1


Josh Slaney


Hello,

I have a simple re-write policy that was implemented at the Override Global>HTTP Response level. This policy worked great in 12.1 code. Once I upgraded from 12.1 to 13.0/13.1 code, it no longer works. The purpose of this policy is to effectively insert an HTTP header into a response if it doesn't exist.

 

add rewrite action HEADER-CONTENT_SECURITY_POLICY insert_http_header Content-Security-Policy "\"frame-ancestors \'self\'\""
add rewrite policy HEADER-CONTENT_SECURITY_POLICY "HTTP.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT" HEADER-CONTENT_SECURITY_POLICY
bind rewrite global HEADER-CONTENT_SECURITY_POLICY 120 NEXT -type RES_OVERRIDE

 

This worked great with 12.1 code for both a GW VIP and a CS VIP. I have a couple of scenarios I've tested. But after the upgrade to 13.0, this policy seems to no longer be effective.

 

1. Directly to a GW VIP - rewrite doesn't work properly.

2. Traffic through a CS VIP--->GW VIP - rewrite doesn't work properly.

 

I changed the policy from "HTTP.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT" to "true" and I'm getting different results:

1. Directly to a GW VIP - rewrite still doesn't work properly.

2. Traffic through a CS VIP--->GW VIP - rewrite works properly.

 

I don't quite understand why the traffic through the CS VIP is working with "true" but not with the "HTTP.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT". Is there an alternative way I could implement a global re-write to insert this header if it doesn't exist? Citrix support has said for the GW VIP that the re-write should be done at the AAA VIP level attached to the GW VIP. I still am not getting good results with that either.

 

 

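A way to check what each VIP actually returns for the policy in the post above, as an added example that is not part of the original post: it classifies a captured response header block as having no Content-Security-Policy header, one without frame-ancestors, or one with it. The sample responses are constructed, and the function names are this example's own.

```python
"""Classify captured HTTP response headers by Content-Security-Policy state."""

# Constructed sample header blocks (assumption), not captures from a real appliance.
SAMPLES = {
    "no_csp": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "csp_without_fa": "HTTP/1.1 200 OK\r\ncontent-security-policy: default-src 'self'\r\n\r\n",
    "csp_with_fa": "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'self'\r\n\r\n",
    "report_only": "HTTP/1.1 302 Found\r\nContent-Security-Policy-Report-Only: frame-ancestors 'self'\r\n\r\n",
}


def csp_values(raw_headers):
    """Return every enforced CSP policy in the block (header names are case-insensitive)."""
    values = []
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            # One header value may carry several comma-separated policies.
            values.extend(p.strip() for p in value.split(",") if p.strip())
    return values


def frame_ancestors(policy):
    """Return the frame-ancestors source list of one policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def classify(raw_headers):
    """MISSING: no CSP header at all, the case the EXISTS.NOT rule is written for.
    NO_FRAME_ANCESTORS: a CSP header exists but none of its policies sets frame-ancestors.
    PRESENT: at least one enforced policy carries frame-ancestors."""
    policies = csp_values(raw_headers)
    if not policies:
        return "MISSING"
    if any(frame_ancestors(p) is not None for p in policies):
        return "PRESENT"
    return "NO_FRAME_ANCESTORS"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} {classify(raw)}")
```

Running it over header blocks saved from each test path (direct to the GW VIP, and through the CS VIP) shows which of the three states each response is in.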