Manoj Rana1709159835 Posted April 17

Hi, I am trying to set up a load balancer for Tomcat and IIS running services. I would like to block access to the main base URL and other URLs, for example:

HTTPs://tomcat.abc.com (Base URL)
/manager/status
/manager/html
/host-manager/html

Thanks
Rick Davis Posted April 17

You can set up a list of URLs using the patset AppExpert module.

    add policy patset block_uri
    bind policy patset block_uri "/"
    bind policy patset block_uri "/manager/html"
    bind policy patset block_uri "/host-manager/html"
    bind policy patset block_uri "/manager/status"

In this example I limited it to just the URIs and will specify the common hostname as part of the AppExpert policy. For security purposes, you may want to drop the session, then use the App Firewall module as follows with the APPFW_DROP. Using a similar configuration with the Responder module will work but precludes Drop and Reset actions.

    add appfw policy block_list "HTTP.REQ.HEADER(\"HOST\").CONTAINS(\"tomcat.abc.com\") && HTTP.REQ.URL.PATH.EQUALS_ANY(\"block_uri\")" APPFW_DROP
Manoj Rana1709159835 Posted April 18 (Author)

Thanks, Rick. I will try to use this. The client is not licensed for App Firewall, so I will go with responders. Thanks for your help.

Manoj
Nicola Campaci Posted April 19 (edited)

On 4/18/2024 at 8:03 AM, Manoj Rana1709159835 said:
    Thanks, Rick. I will try to use this. The client is not licensed for App Firewall, so I will go with responders. Thanks for your help. Manoj

Hi,

Activating the WAF to do this is not the optimal solution. The WAF may be unlicensed, or there may not be performance requirements to enable the WAF feature. To do what you ask, a simple responder/rewrite policy as per the Citrix documentation is enough: https://support.citrix.com/article/CTX459877/how-to-restrict-access-to-certain-urls-via-load-balancing-by-using-rewrite-policy

Regards

Edited April 19 by Nicola Campaci
Manoj Rana1709159835 Posted April 23 (Author)

I just want to check how I can block everything and only allow 2 URLs, for example:

HTTPs://tomcat.abc.com/app1
HTTPs://tomcat.abc.com/app2

using the Responder policy.
Nicola Campaci Posted April 23

Hi, this is your expression:

    HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT

VIA GUI: (screenshot not reproduced)

VIA CLI:

    add rewrite policy Drop_all_path_except_app1_app2 "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app1\").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app2\").NOT" DROP -comment "Allow only /app1 and /app2"
Rick Davis Posted April 23

Good stuff Nicola. Well documented. Please know your expression needs to use AND (&&) rather than OR (||) logic to function correctly. Manoj can test this and other AppExpert expressions with the Expression Evaluator found in the GUI > AppExpert > Expression Evaluator.

    HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT

should be:

    HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT
Manoj Rana1709159835 Posted April 25 (Author)

Thank you Rick & Nicola for your help.
Manoj Rana1709159835 Posted May 9 (Author)

All of that is working. I wanted to know if I can display a message like this: "This webpage cannot be displayed. The URL you entered might be incorrect or blocked."

Thanks
Nicola Campaci Posted May 9 (Solution)

Yes, it is possible. Right now your policy has the DROP built-in action. You will need to create a responder policy with the same rewrite expression, and a responder action of type "Respond with". You will have to replace the DROP policy with the new responder policy.

    # Add responder action
    add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""

    # Add responder policy
    add responder policy respondwith403_all_path_except_app1_app2 "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app1\").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app2\").NOT" respondwith403 -comment "Allow only /app1 and /app2"

    # Remove "DROP" policy from lb
    unbind lb vserver vipname -policyName Drop_all_path_except_app1_app2

    # Add "respondwith" policy to lb
    bind lb vserver vipname -policyName respondwith403_all_path_except_app1_app2 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
Nicola Campaci Posted May 9

35 minutes ago, Nicola Campaci said:
    Yes, it is possible. Right now your policy has the DROP built-in action. You will need to create a responder policy with the same rewrite expression, and a responder action of type "Respond with". You will have to replace the DROP policy with the new responder policy.

    # Add responder action
    add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""

    # Add responder policy
    add responder policy respondwith403_all_path_except_app1_app2 "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app1\").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app2\").NOT" respondwith403 -comment "Allow only /app1 and /app2"

    # Remove "DROP" policy from lb
    unbind lb vserver vipname -policyName Drop_all_path_except_app1_app2

    # Add "respondwith" policy to lb
    bind lb vserver vipname -policyName respondwith403_all_path_except_app1_app2 -priority 100 -gotoPriorityExpression NEXT -type REQUEST

For a message in HTML format (the stray backslash before <html> removed and the closing </html> tag added):

    add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n<html><head><title>Custom error page</title></head><body><center><H1>HTTP 403 Forbidden - This webpage cannot be displayed. The URL you entered might be blocked</H1></center></body></html>\r\n\""
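The following is an added example, not code from this thread or from Citrix: a small Python model of the allow-list expressions discussed in Rick's correction (AND versus OR) and of the "respond with 403" action in Nicola's solution. It assumes that `HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(x)` behaves as a case-insensitive string prefix test on the path-and-query string; the function names, sample request paths and the `None` stand-in for "request continues to the load-balanced service" are constructed for this example and are not NetScaler APIs.

```python
"""Model of the NetScaler allow-list policy from the thread (added example).

Assumption: STARTSWITH(x) under SET_TEXT_MODE(IGNORECASE) is a case-insensitive
prefix test on PATH_AND_QUERY. Everything else here is a constructed stand-in.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

# The two prefixes the thread wants to allow; everything else is to be blocked.
ALLOWED_PREFIXES = ("/app1", "/app2")


def starts_with_ignorecase(path_and_query: str, prefix: str) -> bool:
    """Model of ...SET_TEXT_MODE(IGNORECASE).STARTSWITH(prefix)."""
    return path_and_query.lower().startswith(prefix.lower())


def blocked_by_or(path_and_query: str) -> bool:
    """The first expression posted: STARTSWITH("/app1").NOT || STARTSWITH("/app2").NOT.

    No path starts with both prefixes, so at least one NOT clause is always true
    and the policy matches (blocks) every request, including /app1 and /app2.
    """
    return (not starts_with_ignorecase(path_and_query, "/app1")
            or not starts_with_ignorecase(path_and_query, "/app2"))


def blocked_by_and(path_and_query: str) -> bool:
    """Rick's corrected expression: STARTSWITH("/app1").NOT && STARTSWITH("/app2").NOT.

    Matches only when the path starts with neither allowed prefix, i.e. exactly
    the requests that should be blocked.
    """
    return all(not starts_with_ignorecase(path_and_query, p) for p in ALLOWED_PREFIXES)


# Body of the HTML variant of the respondwith action (closing </html> included).
FORBIDDEN_BODY = (
    "<html><head><title>Custom error page</title></head><body><center>"
    "<H1>HTTP 403 Forbidden - This webpage cannot be displayed. "
    "The URL you entered might be blocked</H1></center></body></html>"
)


def respondwith403(path_and_query: str,
                   policy: Callable[[str], bool] = blocked_by_and) -> Optional[str]:
    """Model of responder policy + respondwith action.

    Returns the raw HTTP response the appliance would send when the policy
    expression is true, or None when it is false (request goes on to the backend).
    """
    if policy(path_and_query):
        return "HTTP/1.1 403 Forbidden\r\n\r\n" + FORBIDDEN_BODY + "\r\n"
    return None


def compare_policies(paths: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Evaluate both expressions over sample paths: {path: (or_blocks, and_blocks)}."""
    return {p: (blocked_by_or(p), blocked_by_and(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths: the admin URLs from the original question,
    # the two allowed apps (one in upper case with a query string), and "/app10",
    # which STARTSWITH("/app1") also accepts because it is a pure prefix test.
    samples = ["/", "/manager/html", "/host-manager/html", "/manager/status",
               "/app1", "/APP2/index.html?x=1", "/app10"]
    for path, (by_or, by_and) in compare_policies(samples).items():
        print(f"{path:24} OR blocks: {by_or!s:5}  AND blocks: {by_and}")
```

Running the block shows the OR version blocking every sample path, including `/app1`, while the AND version blocks only the admin URLs and the base path. The `/app10` row is the caveat to keep in mind: `STARTSWITH("/app1")` is a prefix test, so if `/app1` and `/app2` are the only applications that should be reachable, the production expression should be checked in the Expression Evaluator against neighbouring paths such as `/app10` before it goes live.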
Manoj Rana1709159835 Posted May 10 (Author)

That's great. Thanks again.