Globally bound responder policy to block specific URL


Davide Bono


Hello,

I am trying to create a globally bound policy to restrict access to a specific URL on all our websites (/Admin)

I have a couple of questions:

- could this policy expression work for the purpose?

HTTP.REQ.URL.PATH.GET(1).EQ(\"Admin\")

or

http.req.url.path.get(1).set_text_mode(ignorecase).eq("admin")

The action would be DROP

- if I bind the policy globally, will this override/delete all the policies that already exist on the virtual servers?

 

Thank you in advance


20 hours ago, Davide Bono said:

Hello,

I am trying to create a globally bound policy to restrict access to a specific URL on all our websites (/Admin)

I have a couple of questions:

- could this policy expression work for the purpose?

HTTP.REQ.URL.PATH.GET(1).EQ(\"Admin\")

or

http.req.url.path.get(1).set_text_mode(ignorecase).eq("admin")

The action would be DROP

- if I bind the policy globally, will this override/delete all the policies that already exist on the virtual servers?

 

Thank you in advance

 

Yes, your expression should work. I would go with the second option (ignorecase).

It will not delete existing vserver policies. If you bind as global override it will take precedence over vserver level policies (be processed before). If you bind simply as global (not override) the vserver level policies will be processed first.

 

Hope it helps.


22 hours ago, Marcelo Oguma de Souza1709152865 said:

 

Yes, your expression should work. I would go with the second option (ignorecase).

It will not delete existing vserver policies. If you bind as global override it will take precedence over vserver level policies (be processed before). If you bind simply as global (not override) the vserver level policies will be processed first.

 

Hope it helps.

 

Thank you very much Marcelo!

 

Would this policy block also https://demo.domain.com/Home/Admin and other subdirectories? I need to block requests to */Admin and this is the expression I am trying to use

HTTP.REQ.URL.PATH.GET(1).SET_TEXT_MODE(IGNORECASE).EQ("admin")


On 8/31/2023 at 5:16 AM, Davide Bono said:

Would this policy block also https://demo.domain.com/Home/Admin and other subdirectories? I need to block requests to */Admin and this is the expression I am trying to use

HTTP.REQ.URL.PATH.GET(1).SET_TEXT_MODE(IGNORECASE).EQ("admin")

 

No. It will not block URLs with format: https://<fqdn>/<other>/Admin

http.req.url.path matches: /<other>/Admin

http.req.url.path.get(1) matches the first path element: <other>

http.req.url.path.get(2) matches the second path element: Admin

First, do you want to block path "/<anything>/Admin"?

Or are you trying to account for varying FQDNs: https://<fqdn>/Admin/<otherstuff>

Which would affect the path.get(#) options.

Example 1:

Create a responder policy to drop, reset, or redirect traffic based on expression:

http.req.url.path.get(2).set_text_mode(ignorecase).eq("Admin")

You can combine with or without FQDN depending on if you bind globally or per vserver.

Other variants could be to use regex based on expressions.

Alternate example 2:

If you want to block any reference to an Admin directory anywhere in URL path, without worrying about whether it is first or second, you could also try:

http.req.url.path.set_text_mode(ignorecase).contains("/Admin")

For this example, you may in fact want the leading slash "/".
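The matching behaviour discussed in this thread, as an added example that is not part of any post above: a Python approximation (not NetScaler code) of the three expressions, run over constructed paths to show which requests each one misses or catches unintentionally. The function names, the sample paths, and the reading of "*/Admin" as "some path element equals admin" are assumptions.

```python
# Approximate model of the responder expressions from the thread.
# This is not NetScaler code; confirm behaviour on the appliance before binding.

def path_get(path, n):
    """Model of URL.PATH.GET(n): n-th '/'-separated element (1-based), '' if absent."""
    parts = path.strip("/").split("/")
    return parts[n - 1] if 0 < n <= len(parts) else ""

# Each expression from the thread, modelled as a predicate on the URL path.
EXPRESSIONS = {
    'path.get(1).set_text_mode(ignorecase).eq("admin")':
        lambda p: path_get(p, 1).lower() == "admin",
    'path.get(2).set_text_mode(ignorecase).eq("Admin")':
        lambda p: path_get(p, 2).lower() == "admin",
    'path.set_text_mode(ignorecase).contains("/Admin")':
        lambda p: "/admin" in p.lower(),
}

def intended(path):
    """Assumed goal (*/Admin): some path element is exactly 'admin', any case."""
    return "admin" in [e.lower() for e in path.strip("/").split("/")]

def evaluate(paths):
    """Per expression: intended paths it misses, and unintended paths it matches."""
    report = {}
    for name, match in EXPRESSIONS.items():
        report[name] = {
            "missed": [p for p in paths if intended(p) and not match(p)],
            "extra": [p for p in paths if match(p) and not intended(p)],
        }
    return report

SAMPLE_PATHS = [  # constructed for illustration
    "/Admin", "/admin/users", "/Home/Admin", "/Home/ADMIN/edit",
    "/Home/Index", "/Administrator/login", "/docs/admin-guide.html",
]

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_PATHS).items():
        print(name)
        print("  missed:", result["missed"])
        print("  extra: ", result["extra"])
```

In this model the positional get(1)/get(2) forms each leave part of the site reachable, while contains("/Admin") closes those gaps but also matches paths such as /Administrator/login, so legitimate pages can be dropped by a globally bound policy.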
