Block access to the main base URL

You can set up a list of URLs using the patset AppExpert module.

add policy patset block_uri
bind policy patset block_uri "/" 
bind policy patset block_uri "/manager/html" 
bind policy patset block_uri "/host-manager/html" 
bind policy patset block_uri "/manager/status" 

In this example I limited it to just the URIs and will specify the common hostname as part of the AppExpert policy.

For security purposes, you may want to drop the session, then use the App Firewall module as follows with the APPFW_DROP action. Using a similar configuration with the Responder module will work but precludes Drop and Reset actions.

add appfw policy block_list "HTTP.REQ.HEADER(\"HOST\").CONTAINS(\"tomcat.abc.com\") && HTTP.REQ.URL.PATH.EQUALS_ANY(\"block_uri\")" APPFW_DROP


On 4/18/2024 at 8:03 AM, Manoj Rana1709159835 said:

Thanks, Rick

I will try to use this. 

The client is not licensed for App Firewall, so I will go with responders.

Thanks for your help. 

Manoj


Hi
Activating the WAF to do this is not the optimal solution. The WAF may be unlicensed, or there may not be performance requirements to enable the WAF feature.
To do what you ask, a simple responder/rewrite policy as per the Citrix documentation is enough:

https://support.citrix.com/article/CTX459877/how-to-restrict-access-to-certain-urls-via-load-balancing-by-using-rewrite-policy 

Regards


Hi

This is your expression:

HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT

VIA GUI: (screenshot of the rewrite policy dialog, not reproduced here)

VIA CLI:

add rewrite policy Drop_all_path_except_app1_app2 "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app1\").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app2\").NOT" DROP -comment "Allow only /app1 and /app2"


Good stuff Nicola. Well documented. Please know your expression needs to use AND (&&) rather than OR (||) logic to function correctly.
Manoj can test this and other AppExpert expressions with the Expression Evaluator found in the GUI > AppExpert > Expression Evaluator.

 

HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT

should be:

HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT
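As an added example (not code from the thread or from NetScaler), the following Python models the two policy expressions discussed above and Rick's patset/appfw rule from the first post, so you can see which sample requests each version drops. The sample paths and hostnames are constructed for the illustration, and EQUALS_ANY is modelled as an exact, case-sensitive match of the whole path (an assumption about patset semantics).

```python
"""Model of the NetScaler expressions from this thread (added example)."""

# Constructed sample values of HTTP.REQ.URL.PATH_AND_QUERY (not from the thread).
SAMPLE_PATHS = ["/app1/index.html", "/APP2/login?x=1", "/app3/", "/", "/manager/html"]


def startswith_ignorecase(path: str, prefix: str) -> bool:
    """Models HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(prefix)."""
    return path.lower().startswith(prefix.lower())


def drop_with_or(path: str) -> bool:
    """The first expression: STARTSWITH("/app1").NOT || STARTSWITH("/app2").NOT.
    No path can start with both prefixes, so at least one .NOT is always true:
    the DROP policy drops every request, including /app1 and /app2 traffic."""
    return (not startswith_ignorecase(path, "/app1")) or (not startswith_ignorecase(path, "/app2"))


def drop_with_and(path: str) -> bool:
    """The corrected expression: STARTSWITH("/app1").NOT && STARTSWITH("/app2").NOT.
    True only when the path lies outside both allowed prefixes."""
    return (not startswith_ignorecase(path, "/app1")) and (not startswith_ignorecase(path, "/app2"))


def evaluate(policy, paths):
    """Map each path to the action a DROP policy with that expression would take."""
    return {p: ("DROP" if policy(p) else "ALLOW") for p in paths}


# The patset block_uri from the first post; EQUALS_ANY modelled as exact match (assumption).
BLOCK_URI = {"/", "/manager/html", "/host-manager/html", "/manager/status"}


def appfw_block_list(host: str, path: str) -> bool:
    """Models HTTP.REQ.HEADER("HOST").CONTAINS("tomcat.abc.com") &&
    HTTP.REQ.URL.PATH.EQUALS_ANY("block_uri").  Note the first post uses
    HTTP.REQ.URL.PATH, so the query string is not part of the comparison."""
    return "tomcat.abc.com" in host and path in BLOCK_URI


if __name__ == "__main__":
    print("OR  version:", evaluate(drop_with_or, SAMPLE_PATHS))   # everything DROP
    print("AND version:", evaluate(drop_with_and, SAMPLE_PATHS))  # only /app3/, /, /manager/html DROP
    print("appfw block:", appfw_block_list("tomcat.abc.com", "/manager/html"))
```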


Yes, it is possible.

Right now your policy has the DROP builtin action.
You will need to create a responder policy with the same rewrite expression, and a responder action of type "Respond with".
You will have to replace the DROP policy with the new responder policy.


#Add responder action
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""

#Add responder policy 
add responder policy respondwith403_all_path_except_app1_app2 "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app1\").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app2\").NOT" respondwith403 -comment "Allow only /app1 and /app2"

#Remove "DROP" policy from lb 
unbind lb vserver vipname -policyName Drop_all_path_except_app1_app2

#Add "respondwith" policy to lb
bind lb vserver vipname -policyName respondwith403_all_path_except_app1_app2 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
35 minutes ago, Nicola Campaci said:

Yes, it is possible.

Right now your policy has the DROP builtin action.
You will need to create a responder policy with the same rewrite expression, and a responder action of type "Respond with".
You will have to replace the DROP policy with the new responder policy.


#Add responder action
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""

#Add responder policy 
add responder policy respondwith403_all_path_except_app1_app2 "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app1\").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/app2\").NOT" respondwith403 -comment "Allow only /app1 and /app2"

#Remove "DROP" policy from lb 
unbind lb vserver vipname -policyName Drop_all_path_except_app1_app2

#Add "respondwith" policy to lb
bind lb vserver vipname -policyName respondwith403_all_path_except_app1_app2 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
For a message in HTML format (the stray backslash before <html> in the original is removed and the closing </html> tag added):

add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n<html><head><title>Custom error page</title></head><body><center><H1>HTTP 403 Forbidden - This webpage cannot be displayed. The URL you entered might be blocked</H1></center></body></html>\r\n\""
