How rewrite works

A rewrite policy consists of a rule and an action. The rule determines the traffic to which the rewrite is applied, and the action determines what the Citrix ADC does to that traffic. You can define multiple rewrite policies. For each policy, specify the bind point and priority.

A bind point refers to a point in the traffic flow at which the Citrix ADC examines the traffic to verify whether any rewrite policy can be applied to it. You can bind a policy to a specific load balancing or content switching virtual server, or make the policy global if you want it applied to all traffic handled by the Citrix ADC. Such policies are referred to as global policies.

In addition to the user-defined policies, the Citrix ADC has some default policies. You cannot modify or delete a default policy.

For evaluating the policies, Citrix ADC follows the order mentioned below:

  • Global policies
  • Policies bound to specific virtual servers
  • Default policies

Note: Citrix ADC can apply a rewrite policy only when it is bound to a point.

Citrix ADC implements the rewrite feature in the following steps:

  • The Citrix ADC appliance checks for global policies and then checks for policies at individual bind points.

  • If multiple policies are bound to a bind point, the Citrix ADC evaluates the policies in the order of their priority. The policy with the highest priority is evaluated first. If a policy evaluates to TRUE (the traffic matches the rule), the Citrix ADC adds the action associated with the policy to a list of actions to be performed. A match occurs when the characteristics specified in the policy rule match the characteristics of the request or response being evaluated.

  • For any policy, in addition to the action, you can specify the policy that should be evaluated after the current policy is evaluated. This policy is referred to as the ‘Go to Expression’. For any policy, if a Go to Expression (gotoPriorityExpr) is specified, the Citrix ADC evaluates the policy that the Go to Expression designates and ignores the policy with the next-highest priority.

    You can specify the priority of the policy to indicate the Go to Expression policy; you cannot use the name of the policy. If you want the Citrix ADC to stop evaluating other policies after evaluating a particular policy, you can set the Go to Expression to ‘END’.

  • After all the policies are evaluated or when a policy has the Go to Expression set as END, the Citrix ADC starts performing the actions according to the list of actions.

For more information about configuring rewrite policies, see “Configuring a Rewrite Policy”; for information about binding rewrite policies, see “Binding a Rewrite Policy.”

The following figure illustrates how Citrix ADC processes a request or response when the rewrite feature is used.

Figure 1. The Rewrite Process

Policy Evaluation

The policy with the highest priority is evaluated first. Citrix ADC does not stop the evaluation of rewrite policies when it finds a match; it evaluates all the rewrite policies configured on the Citrix ADC.

  • If a policy evaluates to TRUE, the Citrix ADC follows the procedure below:
    • If the policy has the Go to Expression set to END, the Citrix ADC stops evaluating all the other policies and starts performing the rewrite.
    • The gotoPriorityExpression can be set to ‘NEXT’, ‘END’, some integer or ‘INVOCATION_LIST’. The value determines the policy with the next priority. The following table shows the action taken by Citrix ADC for each value of the expression.

      Value of the expression   Action
      NEXT                      Policy with the next priority gets evaluated.
      END                       Evaluation of policies stops.
      <an integer>              Policy with specified priority gets evaluated.
      INVOCATION_LIST           Goto NEXT or END is applied based on the result of the invocation list.
  • If a policy evaluates to FALSE, the Citrix ADC continues the evaluation in the order of priority.
  • If a policy evaluates to UNDEFINED (cannot be evaluated on the received traffic due to an error), the Citrix ADC performs the action assigned to the UNDEFINED condition (referred to as undefAction) and stops further evaluation of policies.

The Citrix ADC starts the actual rewriting only after the evaluation is complete. It refers to the list of actions identified by policies that are evaluated to TRUE, and starts the rewriting. After implementing all the actions in the list, the Citrix ADC forwards the traffic as required.

Note:

Ensure that the policies do not specify conflicting or overlapping actions on the same part of the HTTP header or body, or TCP payload. When such a conflict occurs, the Citrix ADC encounters an undefined situation and aborts the rewrite.
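
The two-phase flow described above (evaluate first, rewrite afterwards) can be traced with a small model. The following Python code is an added example, not Citrix ADC code: it walks the policies at one bind point, queues the actions of policies that evaluate to TRUE, follows NEXT, END and integer Go to Expressions, and performs the rewrite only after evaluation ends. It assumes that a lower priority number is evaluated first, that an integer jump only moves forward, and that a conflict means two queued actions on the same header; the Policy class, the function names and the sample headers are constructed for illustration, and INVOCATION_LIST is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    priority: int                     # assumption: lower number is evaluated first
    rule: object                      # callable(headers) -> bool; an exception models UNDEFINED
    action: tuple                     # (operation, header name, value)
    goto: object = "NEXT"             # "NEXT", "END" or an integer priority
    undef_action: str = "NOREWRITE"   # NOREWRITE, RESET or DROP

def evaluate(policies, headers):
    """Phase 1: walk one bind point and queue actions; nothing is rewritten yet."""
    ordered = sorted(policies, key=lambda p: p.priority)
    pending, i = [], 0
    while i < len(ordered):
        pol = ordered[i]
        try:
            matched = pol.rule(headers)
        except Exception:
            return [], pol.undef_action      # UNDEFINED: undefAction applies, evaluation stops
        if matched:
            pending.append(pol.action)       # TRUE: queue the action for phase 2
            if pol.goto == "END":
                break
            if pol.goto != "NEXT":           # integer: jump forward to that priority
                i = next((j for j, p in enumerate(ordered) if j > i and p.priority >= pol.goto), len(ordered))
                continue
        i += 1                               # FALSE, or TRUE with NEXT
    return pending, "REWRITE"

def apply_actions(pending, headers):
    """Phase 2: perform the queued actions; two actions on one header abort the rewrite."""
    names = [name.lower() for _, name, _ in pending]
    if len(names) != len(set(names)):
        return dict(headers), "ABORTED"      # conflicting actions: message left unchanged
    out = dict(headers)
    for op, name, value in pending:
        out.pop(name, None)                  # delete, or clear before insert/replace
        if op != "delete":
            out[name] = value
    return out, "REWRITTEN"

RESPONSE = {"Server": "backend/1.0", "Content-Type": "text/html"}   # constructed sample headers
POLICIES = [
    Policy(100, lambda h: "X-Frame-Options" not in h, ("insert", "X-Frame-Options", "DENY"), goto=300),
    Policy(200, lambda h: True, ("insert", "X-Debug", "1")),          # skipped by goto=300
    Policy(300, lambda h: "Server" in h, ("delete", "Server", None), goto="END"),
    Policy(400, lambda h: True, ("replace", "Server", "hidden")),     # never reached after END
]
```

Running `evaluate(POLICIES, RESPONSE)` and passing the result to `apply_actions` shows that only the actions of policies 100 and 300 are queued, and that the headers change only in the second phase.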

Rewrite Actions

On the Citrix ADC appliance, rewrite actions specify the changes to be made to the traffic: adding, replacing, or deleting text within the body; adding, modifying, or deleting headers; or making any changes in the TCP payload. For more information about rewrite actions, see Configuring a Rewrite Action.

The following table describes the steps the Citrix ADC can take when a policy evaluates to TRUE.

Action      Result
Insert      The rewrite action specified for the policy is carried out.
NOREWRITE   The request or response is not rewritten. Citrix ADC forwards the traffic without rewriting any part of the message.
RESET       The connection is aborted at the TCP level.
DROP        The message is dropped.

Note:

For any policy, you can configure the undefAction (action to be taken when the policy evaluates to UNDEFINED) as NOREWRITE, RESET, or DROP.

To use the Rewrite feature, take the following steps:

  • Enable the feature on the Citrix ADC.
  • Define rewrite actions.
  • Define rewrite policies.
  • Bind the policies to a bind point to bring a policy into effect.