
Policy configuration for HTTP/3 traffic

HTTP/3 uses the QUIC transport, which is based on UDP. If a policy defined for an HTTP or SSL virtual server includes TCP policy expressions, it can no longer be used with an HTTP_QUIC virtual server. All other policies that do not have TCP or classic expressions can be bound to an HTTP_QUIC virtual server. For the policies to take effect, you must ensure that the feature policies are bound to the following newly added global bind points:

  • HTTPQUIC_REQ_DEFAULT
  • HTTPQUIC_REQ_OVERRIDE
  • HTTPQUIC_RES_DEFAULT
  • HTTPQUIC_RES_OVERRIDE

Or, the policies can be bound to specific virtual server bind points:

  • REQUEST
  • RESPONSE

For more information, see the Bind policy using advanced policy infrastructure topic.

Following are the policies supported for HTTP over QUIC configuration:

  • Responder
  • Rewrite
  • HTTP Compression
  • Integrated Caching
  • Web Application Firewall
  • URL transformation
  • SSL
  • Front end optimization (FEO)
  • AppQoE
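
The binding rules above can be checked before a change is applied. The following Python sketch is an added example, not Citrix code: it reads a batch of ADC commands and reports policies with TCP expressions that are bound to an HTTP_QUIC virtual server or an HTTPQUIC_* bind point, and policies bound only at the pre-existing global bind points, which have no binding that takes effect for HTTP/3 traffic. The sample batch, the IP address, the policy names redirectTcp and appfw_all, the CLIENT.TCP/SERVER.TCP pattern, and the pre-existing bind point names are assumptions.

```python
import re
import shlex

# Constructed command batch (not from a real appliance). The address and the
# names redirectTcp and appfw_all are made up; the rest reuses this page's examples.
SAMPLE_CONF = r'''
add lb vserver lb-http3 HTTP_QUIC 192.0.2.10 443
add responder policy res-pol "CLIENT.IP.SRC.IN_SUBNET(10.10.10.10/32)" redirectURL
add responder policy redirectCitrixUdp "CLIENT.UDP.DSTPORT.EQ(443)" redirectURL
add responder policy redirectTcp "CLIENT.TCP.DSTPORT.EQ(443)" redirectURL
add appfw policy appfw_all true APPFW_BLOCK
bind lb vserver lb-http3 -policyName redirectTcp -priority 9 -gotoPriorityExpression END -type REQUEST
bind responder global res-pol 5 -type REQ_DEFAULT
bind responder global redirectCitrixUdp 3 -type HTTPQUIC_REQ_DEFAULT
bind appfw global appfw_all 100 -type REQ_DEFAULT
'''

# Assumption: TCP expressions are recognised by the CLIENT.TCP. / SERVER.TCP. prefix.
TCP_EXPR = re.compile(r"\b(?:CLIENT|SERVER)\.TCP\.", re.IGNORECASE)
# Assumption: names of the pre-existing (non-QUIC) global bind points.
CLASSIC_GLOBAL = {"REQ_DEFAULT", "REQ_OVERRIDE", "RES_DEFAULT", "RES_OVERRIDE"}


def opt(tokens, flag):
    """Return the value that follows -flag (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if flag.lower() in lowered:
        i = lowered.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(conf):
    """Return a list of (finding, policy, location) tuples for an ADC command batch."""
    rules, quic_vservers = {}, set()
    lb_binds, quic_bound, classic = [], [], []
    for line in conf.splitlines():
        t = shlex.split(line)
        if len(t) < 4:
            continue
        verb, group, kind = t[0].lower(), t[1].lower(), t[2].lower()
        is_lb_vs = group == "lb" and kind in ("vserver", "vs")
        if verb == "add" and is_lb_vs:
            if len(t) > 4 and t[4].upper() == "HTTP_QUIC":
                quic_vservers.add(t[3])
        elif verb == "add" and kind == "policy" and len(t) > 4:
            # Rule is either the -rule argument or the first positional after the name.
            rules[t[3]] = opt(t, "-rule") or t[4]
        elif verb == "bind" and is_lb_vs:
            policy = opt(t, "-policyName")
            if policy:
                lb_binds.append((policy, t[3]))
        elif verb == "bind" and kind == "global":
            policy = opt(t, "-policyName") or t[3]
            bind_point = (opt(t, "-type") or "").upper()
            if bind_point.startswith("HTTPQUIC_"):
                quic_bound.append((policy, bind_point))
            elif bind_point in CLASSIC_GLOBAL:
                classic.append((policy, bind_point))
    # Virtual server bindings count only when the target is an HTTP_QUIC virtual server.
    quic_bound += [(p, vs) for p, vs in lb_binds if vs in quic_vservers]

    findings = []
    for policy, where in quic_bound:
        if TCP_EXPR.search(rules.get(policy, "")):
            findings.append(("tcp-expression", policy, where))
    covered = {policy for policy, _ in quic_bound}
    for policy, bind_point in classic:
        if policy not in covered:
            findings.append(("no-http3-binding", policy, "HTTPQUIC_" + bind_point))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding)
```

A `no-http3-binding` finding on a Web Application Firewall or responder policy means HTTP/3 requests reach the application without that control until the policy is bound at the listed bind point or on the HTTP_QUIC virtual server.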

Responder policy configuration for HTTP/3 traffic

HTTP over QUIC type virtual servers have responder policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included.

New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 QUIC virtual servers or HTTP over QUIC global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Add responder action for redirecting URLs

To add a responder action, at the command prompt, type:

add responder action <name> <type> (<target> | <htmlpage>) [-comment <string>] [-responseStatusCode <positive_integer>] [-reasonPhrase <expression>] [-headers <name(value)> ...]

Example:

add responder action redirectURL redirect "\"https://www.citrix.com/\""

Add responder policy

To add a responder policy, at the command prompt, type:

add responder policy <name> <rule> <action> [<undefAction>] [-comment <string>] [-logAction <string>] [-appflowAction <string>]

Example:

add responder policy res-pol "CLIENT.IP.SRC.IN_SUBNET(10.10.10.10/32)" redirectURL

Add responder policy based on a UDP expression

To add a responder policy based on a UDP expression, at the command prompt, type:

add responder policy <name> <rule> <action> [<undefAction>] [-comment <string>] [-logAction <string>] [-appflowAction <string>]

Example:

add responder policy redirectCitrixUdp "CLIENT.UDP.DSTPORT.EQ(443)" redirectURL

Bind responder policy based on a UDP expression to HTTP/3 QUIC based load balancing virtual server

To bind a responder policy based on a UDP expression to a load balancing virtual server, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@   [-weight <positive_integer>] ) | <serviceGroupName>@ |         (-policyName <string>@  [-priority <positive_integer>]  [-gotoPriorityExpression <expression>]  [-type <type>]  [-invoke  (<labelType>  <labelName>) ]  ) | -analyticsProfile <string>@)

Example:

bind lb vserver lb-http3 -policyName redirectCitrixUdp -priority 9 -gotoPriorityExpression END -type REQUEST

Bind responder policy with HTTP/3 QUIC based load balancing virtual server

To bind a responder policy to a load balancing virtual server, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@   [-weight <positive_integer>] ) | <serviceGroupName>@ |         (-policyName <string>@  [-priority <positive_integer>]  [-gotoPriorityExpression <expression>]  [-type <type>]  [-invoke  (<labelType>  <labelName>) ]  ) | -analyticsProfile <string>@)

Example:

bind lb vserver lb-http3 -policyName redirectCitrixUdp -priority 10 -gotoPriorityExpression END -type REQUEST

Bind responder policy to HTTP/3 global bind point

To bind a responder policy with the HTTP/3 global bind point, at the command prompt, type:

bind responder global <policyName> <priority>  [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType>  <labelName>) ]

Example:

bind responder global redirectCitrixUdp 3 -type HTTPQUIC_REQ_DEFAULT

Note:

For more information, see Responder policy documentation.

Rewrite policy configuration for HTTP/3 traffic

HTTP over QUIC type virtual servers have rewrite policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included.

New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Following are the steps to configure the rewrite policy for HTTP/3 over QUIC.

Add rewrite action for HTTP over QUIC

To add rewrite action, at the command prompt, type:

add rewrite action <name> <type> <target> [<stringBuilderExpr>] [-pattern <expression> | -search <expression>] [-refineSearch <expression>] [-comment <string>]

Example:

add rewrite action http3-altsvc-action insert_http_header Alt-Svc q/"h3-29=\":443\"; ma=3600; persist=1"/

Add rewrite policy for HTTP over QUIC

To add a rewrite policy, at the command prompt, type:

add rewrite policy <name> <rule> <action> [<undefAction>] [-comment  <string>] [-logAction <string>]

Example:

add rewrite policy http3-altsvc-policy true http3-altsvc-action

Bind rewrite policy to load balancing virtual server of type HTTP/3_QUIC

To bind rewrite policy to the load balancing virtual server, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@ [-weight <positive_integer>] ) | <serviceGroupName>@ | (-policyName <string>@ [-priority <positive_integer>] [-gotoPriorityExpression <expression>] [-type <type>] [-invoke (<labelType> <labelName>) ] ) | -analyticsProfile  <string>@)

Example:

bind lb vserver lb-http3 -policyName http3-altsvc-policy -priority 10 -type RESPONSE

Bind rewrite policy to HTTP/3 global bind point

To bind a rewrite policy to the HTTP/3 global bind point, at the command prompt, type:

bind rewrite global <policyName> <priority> [<gotoPriorityExpression>]  [-type <type>] [-invoke (<labelType> <labelName>)]

Example:

bind rewrite global http3-altsvc-policy 3 -type HTTPQUIC_RES_DEFAULT

Note:

For more information, see Rewrite policy documentation.

Compression policy configuration for HTTP/3 traffic

When the Citrix ADC receives an HTTP response from a server, it evaluates the built-in compression policies and any custom compression policies to determine whether to compress the response and, if so, the type of compression to apply. Priorities assigned to the policies determine the order in which the policies are matched against the requests. HTTP over QUIC type virtual servers have compression policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included. New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Add compression policy

To add compression policy, at the command prompt, type:

add cmp policy <name> -rule <expression> -resAction <string>

Example:

add cmp policy udp_port_cmp_policy -rule "CLIENT.UDP.DSTPORT.EQ(443)" -resAction COMPRESS

Bind compression policy with load balancing virtual server of type HTTP/3_QUIC

To bind a compression policy with load balancing virtual server of type HTTP/3_QUIC, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@  [-weight <positive_integer>] ) | <serviceGroupName>@ |  (-policyName <string>@  [-priority <positive_integer>]  [-gotoPriorityExpression <expression>]  [-type ( REQUEST | RESPONSE )] [-invoke  (<labelType>  <labelName>) ]  ) |  -analyticsProfile <string>@)

Example:

bind lb vserver lb-http3 -policyName udp_port_cmp_policy -priority 10 -type RESPONSE

Bind compression policy to HTTP/3 global bind point

To bind a compression policy with the HTTP/3 global bind point, at the command prompt, type:

bind cmp global <policyName> <priority>  [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType>  <labelName>) ]

Example:

bind cmp global udp_port_cmp_policy -priority 100 -type HTTPQUIC_RES_DEFAULT

Global built-in compression policies

After you upgrade your appliance to Citrix ADC release 13.0 build 82.x, the following compression policies will be automatically bound to the HTTP/3 default bind point.

> sho cmp global -type HTTPQUIC_RES_DEFAULT
        Policy Name: ns_adv_nocmp_xml_ie
        Priority: 8700
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

        Policy Name: ns_adv_nocmp_mozilla_47
        Priority: 8800
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

        Policy Name: ns_adv_cmp_mscss
        Priority: 8900
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

        Policy Name: ns_adv_cmp_msapp
        Priority: 9000
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

        Policy Name: ns_adv_cmp_content_type
        Priority: 10000
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

If the policies are not bound, you can bind them manually by running the following commands at the command prompt, and then save the configuration on your appliance.

bind cmp global ns_adv_nocmp_xml_ie -priority 8700 -gotoPriorityExpression END -type HTTPQUIC_RES_DEFAULT

bind cmp global ns_adv_nocmp_mozilla_47 -priority 8800 -gotoPriorityExpression END -type HTTPQUIC_RES_DEFAULT

bind cmp global ns_adv_cmp_mscss -priority 8900 -gotoPriorityExpression END -type HTTPQUIC_RES_DEFAULT

bind cmp global ns_adv_cmp_msapp -priority 9000 -gotoPriorityExpression END -type HTTPQUIC_RES_DEFAULT

bind cmp global ns_adv_cmp_content_type -priority 10000 -gotoPriorityExpression END -type HTTPQUIC_RES_DEFAULT

For more information, see Compression policy configuration.
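
The post-upgrade check described above can be scripted. This added Python example (not part of the Citrix documentation) parses `sho cmp global` output in the format shown above and returns the bind commands for any built-in policy that is missing from HTTPQUIC_RES_DEFAULT. The sample output is constructed and the function names are hypothetical.

```python
import re

# Expected built-in bindings (policy name -> priority), copied from the listing on this page.
EXPECTED = {
    "ns_adv_nocmp_xml_ie": 8700,
    "ns_adv_nocmp_mozilla_47": 8800,
    "ns_adv_cmp_mscss": 8900,
    "ns_adv_cmp_msapp": 9000,
    "ns_adv_cmp_content_type": 10000,
}
BIND_POINT = "HTTPQUIC_RES_DEFAULT"

# Constructed output in the format shown on this page: two built-ins are present,
# three are missing, and one custom policy from the earlier example is bound.
SAMPLE_OUTPUT = """\
> sho cmp global -type HTTPQUIC_RES_DEFAULT
        Policy Name: ns_adv_nocmp_xml_ie
        Priority: 8700
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

        Policy Name: ns_adv_cmp_mscss
        Priority: 8900
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT

        Policy Name: udp_port_cmp_policy
        Priority: 100
        GotoPriorityExpression: END
        Type: HTTPQUIC_RES_DEFAULT
 Done
"""

FIELD = re.compile(r"\s*(?:\d+\)\s*)?([A-Za-z ]+?):\s*(\S.*?)\s*$")


def parse_bindings(output):
    """Return {policy name: {field: value}} parsed from 'sho cmp global' output."""
    bindings, current = {}, None
    for line in output.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # prompt line, blank line or " Done"
        key, value = match.groups()
        if key == "Policy Name":
            current = bindings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return bindings


def missing_bind_commands(output):
    """Return the bind commands for expected built-ins not bound at BIND_POINT."""
    bound = {
        name for name, fields in parse_bindings(output).items()
        if fields.get("Type") == BIND_POINT
    }
    return [
        f"bind cmp global {name} -priority {priority} "
        f"-gotoPriorityExpression END -type {BIND_POINT}"
        for name, priority in EXPECTED.items()
        if name not in bound
    ]


if __name__ == "__main__":
    print("\n".join(missing_bind_commands(SAMPLE_OUTPUT)))
```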

Caching policy configuration for HTTP/3 traffic

The integrated cache provides in-memory storage on the Citrix ADC appliance and serves Web content to users without requiring a round trip to an origin server. For static content, the integrated cache requires little initial setup. After you enable the integrated cache feature and perform basic setup (for example, determining the amount of Citrix ADC appliance memory the cache is permitted to use), the integrated cache uses built-in policies to store and serve specific types of static content, including simple webpages and image files. You can also configure the integrated cache to store and serve dynamic content that is marked as non-cacheable by Web and application servers (for example, database records and stock quotes). HTTP over QUIC type virtual servers have cache policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included.

New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Add cache content group

To add the cache content group, at the command prompt, type:

add cache contentGroup <name> [-weakPosRelExpiry <secs> | -relExpiry <secs> | -relExpiryMilliSec <msecs> | -absExpiry <HH:MM> ... | -absExpiryGMT <HH:MM> ...] [-heurExpiryParam <positive_integer>] [-weakNegRelExpiry <secs>] [-maxResSize <KBytes>] [-memLimit <MBytes>]…

Example:

add cache contentGroup DEFAULT -maxResSize 500

Add cache policy

To add cache policy, at the command prompt, type:

add cache policy <policyName> -rule <expression> -action <action>  [-storeInGroup <string>] [-invalGroups <string> ...] [-invalObjects <string> ...] [-undefAction ( NOCACHE | RESET )]

Example:

add cache policy ctx_doc_pdf -rule "HTTP.REQ.URL.ENDSWITH(\".pdf\")" -action CACHE -storeInGroup DEFAULT

Bind cache policy with load balancing virtual server of type HTTP/3_QUIC

To bind cache policy with load balancing virtual server of type HTTP/3_QUIC, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@  [-weight <positive_integer>] ) | <serviceGroupName>@ |  (-policyName <string>@  [-priority <positive_integer>]  [-gotoPriorityExpression <expression>]  [-type ( REQUEST | RESPONSE )] [-invoke  (<labelType>  <labelName>) ]  ) |  -analyticsProfile <string>@)

Example:

bind lb vserver lb-http3 -policyName ctx_doc_pdf -priority 100 -type REQUEST

Bind cache policy to HTTP/3 global bind point

To bind a cache policy to the HTTP/3 global bind point, at the command prompt, type:

bind cache global <policy> -priority <positive_integer>  [-gotoPriorityExpression <expression>] [-type <type>] [-invoke (<labelType> <labelName>) ]

Example:

bind cache global ctx_doc_pdf -priority 3 -type HTTPQUIC_REQ_DEFAULT

For more information, see Integrated cache policy configuration.

Global built-in cache policies

After you upgrade your appliance to Citrix ADC release 13.0 build 82.x, the following cache policies are automatically bound to the HTTP/3 default bind point.

> sho cache global -type HTTPQUIC_REQ_DEFAULT
1)      Policy Name: NOPOLICY
        Priority: 185883
        GotoPriorityExpression: USE_INVOCATION_RESULT
        Invoke type: policylabel        Invoke name: _httpquicReqBuiltinDefaults
        Global bindpoint: HTTPQUIC_REQ_DEFAULT

 Done
> sho cache global -type HTTPQUIC_RES_DEFAULT
1)      Policy Name: NOPOLICY
        Priority: 185883
        GotoPriorityExpression: USE_INVOCATION_RESULT
        Invoke type: policylabel        Invoke name: _httpquicResBuiltinDefaults
        Global bindpoint: HTTPQUIC_RES_DEFAULT


After an upgrade, if the policies are not bound, you can use the following commands to manually bind and save the configuration.

add cache policylabel _httpquicReqBuiltinDefaults -evaluates HTTPQUIC_REQ

add cache policylabel _httpquicResBuiltinDefaults -evaluates HTTPQUIC_RES

bind cache policylabel _httpquicReqBuiltinDefaults -policyName _nonGetReq -priority 100

bind cache policylabel _httpquicReqBuiltinDefaults -policyName _advancedConditionalReq -priority 200

bind cache policylabel _httpquicReqBuiltinDefaults -policyName _personalizedReq -priority 300

bind cache policylabel _httpquicResBuiltinDefaults -policyName _uncacheableStatusRes -priority 100

bind cache policylabel _httpquicResBuiltinDefaults -policyName _uncacheableVaryRes -priority 200

bind cache policylabel _httpquicResBuiltinDefaults -policyName _uncacheableCacheControlRes -priority 300

bind cache policylabel _httpquicResBuiltinDefaults -policyName _cacheableCacheControlRes -priority 400

bind cache policylabel _httpquicResBuiltinDefaults -policyName _uncacheablePragmaRes -priority 500

bind cache policylabel _httpquicResBuiltinDefaults -policyName _cacheableExpiryRes -priority 600

bind cache policylabel _httpquicResBuiltinDefaults -policyName _imageRes -priority 700

bind cache policylabel _httpquicResBuiltinDefaults -policyName _personalizedRes -priority 800

bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type HTTPQUIC_REQ_DEFAULT -invoke policylabel _httpquicReqBuiltinDefaults

bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type HTTPQUIC_RES_DEFAULT -invoke policylabel _httpquicResBuiltinDefaults


Note:

The first two commands in the list of commands, and the last two commands in the same list, are included for the sake of completeness. You might encounter an error when running the four commands, since the commands are already run at the time of appliance restart. But you can ignore these errors.

URL Transformation policy configuration for HTTP/3 traffic

URL transformation modifies all URLs in designated requests from an external version seen by outside users to an internal URL seen only by your Web servers and administrators. You can redirect user requests seamlessly, without exposing your network structure to users. You can also modify complex internal URLs that users might find difficult to remember into simpler, more easily remembered external URLs. HTTP over QUIC type virtual servers have URL transformation policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included. New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Add URL Transform profile

To add a URL transformation profile, at the command prompt, type:

add transform profile <name> [-type URL]

Example:

add transform profile msapps

Add URL Transform action

To add URL transformation action, at the command prompt, type:

add transform action <name> <profileName> <priority> [-state ( ENABLED  | DISABLED )]

Example:

add transform action docx2doc msapps 2

Add URL Transform action

To add URL transform action to replace URL, at the command prompt, type:

add transform action <name> <profileName> <priority> [-state ( ENABLED  | DISABLED )]

Example:

add transform action docx2doc msapps 1

Add URL Transform policy

To add a URL transformation policy, at the command prompt, type:

add transform policy <name> <rule> <profileName> [-comment <string>]  [-logAction <string>]

Example:

add transform policy urltrans_udp "CLIENT.UDP.DSTPORT.EQ(443)" msapps

Bind URL Transform policy with load balancing virtual server of type HTTP/3_QUIC

To bind URL transformation policy with load balancing virtual server of type HTTP/3_QUIC, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@  [-weight <positive_integer>] ) | <serviceGroupName>@ |  (-policyName <string>@  [-priority <positive_integer>]  [-gotoPriorityExpression <expression>]  [-type ( REQUEST | RESPONSE )] [-invoke  (<labelType>  <labelName>) ]  ) |  -analyticsProfile <string>@)

Example:

bind lb vs lb-http3 -policyName urltrans_udp -type REQUEST -priority 8

Bind URL transform policy to HTTP/3 global bind point

To bind a URL transform policy to the HTTP/3 global bind point, at the command prompt, type:

bind transform global <policyName> <priority>  [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType>  <labelName>) ]

Example:

bind transform global urltrans_udp 100 -type HTTPQUIC_REQ_DEFAULT

For more information, see URL transformation policy configuration.

Front end optimization (FEO) policy configuration for HTTP/3 traffic

The HTTP protocols that underlie web applications were originally developed to support the transmission and rendering of simple webpages. New technologies such as JavaScript and cascading style sheets (CSS), and new media types such as Flash videos and graphics-rich images, place heavy demands on front-end performance, that is, on performance at the browser level. The Citrix ADC front end optimization (FEO) feature addresses such issues and reduces the load time and render time of webpages.

Note:

HTTP_QUIC_Override/Default_Request type is not supported for FEO policy global binding.

Add Front end optimization (FEO) action

To add a FEO action, at the command prompt, type:

add feo action <name> [-pageExtendCache] [<cacheMaxage>] [-imgShrinkToAttrib] [-imgGifToPng] [-imgToWebp] [-imgToJpegXR] [-imgInline] [-cssImgInline] [-jpgOptimize] [-imgLazyLoad] [-cssMinify] [-cssInline] [-cssCombine] [-convertImportToLink] [-jsMinify] [-jsInline] [-htmlMinify] [-cssMoveToHead] [-jsMoveToEND] [-domainSharding <string> <dnsShards> ...] [-clientSideMeasurements]

Example:

add feo action feoact -imgGifToPng -pageExtendCache

Add Front end optimization (FEO) policy

To add a FEO policy, at the command prompt, type:

add feo policy <name> <rule> <action>

Example:

add feo policy udp_feo_img "CLIENT.UDP.DSTPORT.EQ(443)" IMG_OPTIMIZE

Bind FEO policy with load balancing virtual server of type HTTP/3_QUIC

To bind FEO policy with load balancing virtual server of type HTTP/3_QUIC, at the command prompt, type:

bind lb vserver <name>@ ((<serviceName>@   [-weight <positive_integer>] ) | <serviceGroupName>@ |         (-policyName <string>@  [-priority <positive_integer>]  [-gotoPriorityExpression <expression>]  [-type <type>]  [-invoke  (<labelType>  <labelName>) ]  ) | -analyticsProfile <string>@)

Example:

bind lb vserver lb-http3 -policyName udp_feo_img -priority 4 -gotoPriorityExpression END -type REQUEST

Bind FEO policy to HTTP/3 global bind point

To bind a cache policy to the HTTP/3 global bind point, at the command prompt, type:

bind cache global <policy> -priority <positive_integer>  [-gotoPriorityExpression <expression>] [-type <type>] [-invoke (<labelType> <labelName>) ]

Example:

bind cache global ctx_doc_pdf -priority 3 -type HTTPQUIC_REQ_DEFAULT

For more information, see Front end optimization policy configuration.

SSL Policy configuration for HTTP/3 traffic

HTTP over QUIC type virtual servers have SSL policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included. New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points. SSL policies with actions that are supported for TLSv1.3 are only applicable for HTTP/3 bind points or virtual servers.

Add SSL Policy

To add an SSL policy, at the command prompt, type:

add ssl policy <name> -rule <expression> [-action <string>] [-undefAction <string>] [-comment <string>]

Example:

add ssl policy ssl-pol -rule CLIENT.SSL.IS_SSL -action NOOP

Bind SSL Policy to HTTP/3 virtual server

To bind an SSL policy to the HTTP/3 virtual server, at the command prompt, type:

bind ssl policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]

Example:

bind ssl vserver lb-http3 -policyName ssl-pol -priority 4 -type REQUEST

Add SSL policy with UDP expression

To add an SSL policy with UDP expression, at the command prompt, type:

add ssl policy <name> -rule <expression> [-action <string>] [-undefAction <string>] [-comment <string>]

Example:

add ssl policy ssl_udp_clnt -rule "CLIENT.UDP.DSTPORT.EQ(443)" -action NOOP

Bind SSL Policy with UDP expression to HTTP/3 virtual server

To bind an SSL policy with UDP expression to the HTTP/3 virtual server, at the command prompt, type:

bind ssl policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]

Example:

bind ssl vs lb-http3 -policyName ssl_udp_clnt -priority 8 -type REQUEST

Add SSL policy for CLIENTHELLO bind point for HTTP/3 traffic

To add an SSL policy for the CLIENTHELLO bind point for HTTP/3 traffic, at the command prompt, type:

add ssl policy <name> -rule <expression> [-action <string>] [-undefAction <string>] [-comment <string>]

Example:

add ssl policy ssl-pol-ch -rule "CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(0x1301)" -action RESET

Bind SSL policy to CLIENTHELLO bind point

To bind an SSL policy to the CLIENTHELLO bind point, at the command prompt, type:

bind ssl policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]

Example:

bind ssl vs lb-http3 -policyName ssl-pol-ch -type CLIENTHELLO_REQ -priority 100

Bind SSL policy to HTTP/3 global bind point

To bind an SSL policy to the HTTP/3 global bind point, at the command prompt, type:

bind cache global <policy> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-type <type>] [-invoke (<labelType> <labelName>) ]

Example:

Following is an example of a DATA policy being bound to an HTTP/3 global bind point:

bind ssl global -policyName ssl-pol-ch -priority 7 -type HTTPQUIC_DATA_DEFAULT

Note:

The forward action that can be set at the CLIENTHELLO bind point for SSL virtual servers is currently not supported for HTTP_QUIC type virtual servers.

Application Firewall Policy configuration for HTTP/3 traffic

HTTP over QUIC type virtual servers have web application firewall policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included. New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Add Web Application Firewall policy with UDP expression

To add a Web Application Firewall policy with UDP expression, at the command prompt, type:

add appfw policy <name> <rule> <profileName> [-comment <string>] [-logAction <string>]

Example:

add appfw policy appfw_udp "CLIENT.UDP.DSTPORT.EQ(443)" APPFW_BYPASS

Bind log expressions with UDP based expression for Web Application Firewall profile

To bind log expressions with UDP for a Web Application Firewall profile, at the command prompt, type:

Example:

bind appfw profile APPFW_BLOCK -logExpression logexp-1 "CLIENT.UDP.DSTPORT.EQ(443)"

Bind Application Firewall policy with HTTP/3 virtual server

To bind a Web Application Firewall policy with the HTTP/3 virtual server, at the command prompt, type:

bind appfw policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]

Example:

bind lb vs lb-http3 -policyName appfw_udp -priority 3 -type REQUEST

Bind Web Application Firewall policy to HTTP/3 global bind point

To bind a Web Application Firewall policy to the HTTP/3 global bind point, at the command prompt, type:

bind appfw global <policy> -priority <positive_integer>  [-gotoPriorityExpression <expression>] [-type <type>] [-invoke (<labelType> <labelName>) ]

Example:

bind appfw global appfw_udp 100 -type HTTPQUIC_REQ_DEFAULT

AppQoE Policy configuration for HTTP/3 traffic

HTTP over QUIC type virtual servers have AppQoE policy support. However, as QUIC uses UDP as its transport mechanism, TCP based expressions are excluded and UDP based expressions are included. New or existing policy configurations with TCP expressions cannot be bound to HTTP/3 virtual servers or to the newly added HTTP/3 global bind points. Instead of TCP expressions, UDP expressions can be included in the policy configurations that are bound to HTTP/3 QUIC virtual servers or HTTP over QUIC bind points.

Add AppQoE policy with UDP based expression

To add an AppQoE policy with UDP expression, at the command prompt, type:

add AppQoE policy <name> <rule> <profileName> [-comment <string>] [-logAction <string>]

Example:

add appqoe policy appqoe-pol-udp -rule "CLIENT.UDP.DSTPORT.EQ(443)" -action appqoe-act-basic-prhigh

Bind AppQoE policy with HTTP/3 virtual server

To bind the AppQoE policy with the HTTP/3 virtual server, at the command prompt, type:

bind appqoe policylabel <labelName> <policyName> <priority> [<gotoPriorityExpression>] [-invoke (<labelType> <labelName>)]

Example:

bind lb vs lb-http3 -policyName appqoe-pol-udp -type REQUEST -priority 3

Bind AppQoE policy to HTTP_QUIC virtual server

To bind AppQoE policy to HTTP_QUIC virtual server, at the command prompt, type:

bind appqoe <policy> -priority <positive_integer>  [-gotoPriorityExpression <expression>] [-type <type>] [-invoke (<labelType> <labelName>) ]

Example:

bind lb vs lb-http3 -policyName appqoe-pol-primd -priority 8 -type REQUEST