Site icon BLOGS

Rewrite for Citrix ADC

by Mani Kumar

What is Rewrite?

Rewrite refers to the rewriting of some information in the Citrix ADC appliance’s requests or responses. Rewriting can assist in providing access to the requested content while avoiding exposing unnecessary details about the actual configuration of the Web site. The following are a few examples of when the rewrite feature comes in useful:


Consider the payload as a raw stream of bytes when rewriting TCP payloads. Each virtual server that manages TCP connections must be of the TCP or SSL TCP type. TCP rewrite refers to the rewriting of TCP payloads that are not HTTP data. Any part of the TCP payload can be added, modified, or deleted in TCP traffic.

How rewrite works
A rewrite policy is made up of a rule and an action. The rule specifies the traffic to which the rewrite is applied, and the action specifies the action taken by the Citrix ADC. Multiple rewrite policies can be defined. Set the bind point and priority for each policy.

A bind point is a point in the traffic flow where the Citrix ADC examines the traffic to determine whether it can be rewritten. A policy can be bound to a specific load balancing or content switching virtual server, or it can be made global if you want the policy to apply to all traffic handled by the Citrix ADC.

These policies are known as global policies. The Citrix ADC has some default policies in addition to user-defined policies. A default policy cannot be changed or deleted.

Citrix ADC evaluates policies in the following order:


It should be noted that Citrix ADC can only apply a rewrite policy when it is bound to a point.


Citrix ADC implements the rewrite feature as follows:


In addition to the action, you can specify the policy that should be evaluated after the current policy is evaluated for any policy. This is known as the ‘Go to Expression’ policy. If a Go to Expression (gotoPriorityExpr) policy is specified for any policy, the Citrix ADC evaluates the Go to Expression policy and ignores the policy with the next highest priority.

To indicate the Go to Expression policy, you can specify the policy’s priority; you cannot use the policy’s name. Set the Go to Expression to ‘END’ if you want the Citrix ADC to stop evaluating other policies after evaluating a specific policy.

After all policies have been evaluated, or when a policy’s Go to Expression is set to END, the Citrix ADC begins performing the actions on the list of actions. The diagram below represents how Citrix ADC processes a request or response when the rewrite feature is enabled.

Rewrite
As rewrite actions, specify the actions to be taken on the Citrix ADC appliance, such as adding, replacing, or deleting text within the body, or adding, modifying, or deleting headers, or any changes in the TCP payload. See Configuring a Rewrite Action for more information on rewrite actions.

The table below describes the actions that the Citrix ADC can take when a policy evaluates to TRUE.

Action Result
InsertThe rewrite action specified for the policy is carried out.
NOREWRITEThe request or response is not rewritten. Citrix ADC forwards the traffic without rewriting any part of the message.
RESETThe connection is aborted at the TCP level.
DROPThe message is dropped.
Custom ActionYou can create the action according to the requirement.

To use the Rewrite feature, take the following steps:



Binding a Rewrite Policy

You must bind a rewrite policy after creating it in order for it to take effect. If you want to apply your policy to all traffic that passes through your Citrix ADC, you can bind it to Global, or you can bind it to a specific virtual server or bind point to direct only that virtual server or bind point’s incoming traffic to that policy.

If an incoming request matches a rewrite policy, the policy’s associated action is performed. Rewrite policies for evaluating HTTP requests and responses can be bound to HTTP or SSL virtual servers, or to the REQ OVERRIDE, REQ DEFAULT, RES OVERRIDE, and RES DEFAULT bind points. TCP rewrite policies can only be bound to virtual servers of type TCP or SSL TCP, or to the bind points OTHERTCP REQ OVERRIDE, OTHERTCP REQ DEFAULT, OTHERTCP RES OVERRIDE, and OTHERTCP RES DEFAULT.

Note: The term OTHERTCP refers to all TCP or SSL TCP requests and responses that you want to treat as a raw stream of bytes regardless of the protocols that the TCP packets encapsulate in the context of the Citrix ADC appliance. You assign a priority to a policy when you bind it. The order in which the policies you define are evaluated is determined by the priority. The priority can be set to any positive integer. Policy priorities in the Citrix ADC operating system work in reverse order – the higher the number, the lower the priority.

For example, if you have three policies with priorities of 10, 100, and 1000, the policy with priority 10 is applied first, followed by the policy with priority 100, and finally the policy with priority 1000. The rewrite feature, unlike most other features in the Citrix ADC operating system, continues to evaluate and implement policies after a request matches a policy.

The effect of a specific action policy on a request or response, on the other hand, will frequently differ depending on whether it is performed before or after another action. Priority is essential for achieving the desired results. By setting priorities with intervals of 50 or 100 between each policy when you bind it, you can leave yourself plenty of room to add other policies in any order and still have them evaluate in the order you want. If you do this, you will be able to add new policies at any time without having to re-assign the priority of an existing policy. When you bind a rewrite policy, you can also assign a goto expression (gotoPriorityExpression) to the policy. A goto expression can be any positive integer that corresponds to the priority assigned to a different policy that is higher in priority than the policy containing the goto expression. If a goto expression is assigned to a policy and a request or response matches the policy, the Citrix ADC will immediately go to the policy whose priority matches the goto expression. It will not evaluate any policies that have priority numbers that are lower than the current policy but higher than the priority number of the goto expression.


Rewrite

Lab Environment Overview: To demonstrate the Citrix ADC rewrite policy, I created a lab environment in which I performed the necessary steps to configure the Citrix ADC rewrite policy.

SERVER LIST:

FQDNIP AddressDescription
ad.abc.com192.168.x.xDomain Controller
adc.abc.com192.168.x.101Citrix ADC
webgoat.abc.com172.21.10.x1Web Server lb_vsrv_rbg ( Load Balancer )

In This environment, we have two web application node for WebGoat website. We already configured load balancing on Citrix ADC for web Application Webgoat1 and webgoat2 and our load balancer FQDN is webgoat.abc.com and Load Balancer IP 172.21.10.x1

Step 1: View the default page (“/”) on website

Open a web browser and find http://172.21.10.X1/  (open your website)

Step 2: open http://172.21.10.X1/ (Open your website)


Note: we want to set home.php page as landing page for user.

Step 3: Connect to Primary ADC:

Open Google Chrome and connect to Primary ADC using NSIP https://192.168.30.x. Log on using the credentials.

Step 4: Create a Rewrite action that will replace the URL path to “/home.php”:

Browse to AppExpert > Rewrite > Actions.

Click Add.


Step 5: Create a rewrite policy to replace the original URL only when users access the default path (“/”).

Step 6: Bind the rewrite policy to web server

Click Policy Manager.

Select the bind point for lb_vsrv_rbg for HTTP Request-time traffic:
• Select Load Balancing Virtual Server from the Bind Point field.
• Select HTTP from the Protocol field.
• Select REQUEST from the Connection Type field.
• Select lb_vsrv_rbg from the Virtual Server field.

* Click Continue


Bind the policy to this bind point:


Step 6: Verifying the rewrite policy

Browse to http://172.21.10.X1/

Verify that content for /home.php is displayed

Client make a request for (“/”) page but Citrix ADC modifies the request sent to the server and fetches “/home.php”.

Exit mobile version