Content rules

Do you want to take specific action on HTTP requests based on criteria such as user location, header, and IP address? Citrix App Delivery and Security Service – Citrix Managed enables you to respond to HTTP requests depending on the following criteria:

  • Render a different page based on:
    • User’s geographical location.
    • Browser specification.
    • Languages the browser accepts.
    • Order of preference.

Content Rules also help you to do the following:

  • Drop the connection if the request is from an IP range that is suspected as the source of a DDoS attack or hack attempt.

  • Redirect traffic, respond with custom messages, or manipulate data on HTTP requests or responses.

  • Remove unnecessary HTTP headers, mask internal URLs, redirect webpages, queries, or keywords.

Use content rules in Citrix App Delivery and Security Service – Citrix Managed edition to examine the request from the client or response from the server and forward the request depending on the applicable rule. The content rules feature evaluates the data and applies one or more actions based on the evaluation.

Benefits

With content rules, you can do the following:

  • Evaluate any part of the header or body of an HTTP or HTTPS request or response and take the configured action based on the evaluation. Content rules also let you configure more actions, for example, transforming the value of an HTTP header in the request or response.

  • Redirect the request to a secure webpage. For example, while handling sensitive financial data, ensure that the client uses a secure connection to browse a site by redirecting the request to a secure connection. That is, use https:// instead of http://.

  • Show a custom error page instead of the default 404 error page. For example, if you show the home page or site map of the website instead of an error page, the visitor remains on the site instead of moving away from the website.

  • Append the default page name to the URL of a website. For example, if the default page of a company’s website is http://www.abc.com/index.php, when the user types abc.com in the address bar of the browser, you can rewrite the URL to abc.com/index.php.

  • Evaluate basic characteristics of traffic and data. For example, content rules can identify whether an HTTP request or response contains a particular type of header or URL. You can drop a connection or reset a connection at the request level based on the configured rule.

Prerequisites

  1. You have created an environment and a cloud access profile.
  2. You have specified the basic details, such as the name of the application, environment, services, and endpoints by navigating to Applications > New Application. For more information, see Deliver an application.

Types of content rules

Citrix App Delivery and Security service supports the following content rules:

  • Rewrite

  • Responder

You can select a condition for rewrite and responder. Citrix App Delivery and Security Service – Citrix Managed edition converts the condition into the rules and binds it to the application. Citrix App Delivery and Security Service – Citrix Managed acts based on the configured condition. For more information, see Create a content rule section.

Rewrite

Rewrite refers to the rewriting of required information in the requests or responses handled by Citrix App Delivery and Security Service – Citrix Managed edition. Rewriting can help in providing access to the requested content without exposing unwanted details about the website’s actual configuration.

A rewrite rule identifies the HTTP data that you want to modify before serving, and specifies how that data is modified.

For example, you can modify the data to mask server information in a response for security purposes.

Actions are the steps Citrix App Delivery and Security Service – Citrix Managed edition takes, depending on the condition configured in the rule.

For example, if a condition in a rule matches a particular source IP address in a request, the action that is associated with this rule determines whether the connection is permitted.

Rewrite action

A rewrite action indicates changes made to a request or response prior to sending it to a server or client. The type of actions that Citrix App Delivery and Security Service – Citrix Managed edition takes are feature specific. For example, in rewrite, actions can replace text in a request.

In Citrix App Delivery and Security Service – Citrix Managed edition, actions are configurable. After enabling the rewrite feature, you need to configure one or more actions. For example, if you want to insert the client IP from which a request is sent, you can add a local Client-IP header to incoming requests. The rewrite action inserts the HTTP header you specify into the HTTP request or response.

Responder

The responder helps in content filtering functions. The responder rule helps to select the requests to which Citrix App Delivery and Security Service – Citrix Managed edition responds. The responder rule is associated with an action, which is performed if a request matches the rule. Responder supports protocols such as TCP, DNS (UDP), and HTTP. With responder enabled in your application, server responses can be based on who sends the request, where it is sent from, and other criteria with security and system management implications. For example, when users request a webpage, you can provide a different page based on the situation. You can drop the connection if the request is coming from an IP range that has been generating DDoS attacks or initiating hacking attempts.

Responder action

Citrix App Delivery and Security Service – Citrix Managed edition substitutes for and acts as a web server. You must configure one or more responder actions for handling requests. The responder action is used to manually define responses such as a simple HTML-based response, a designated error response, and a designated HTML page. For example, you can configure the text for a respond action with a web server error code and brief HTML page. You can configure a custom header for a respond action.

The responder redirects the request to a different webpage or web server. For example, a Redirect action can redirect requests originally sent to a “dummy” website that exists in DNS, to an actual website. It can also redirect search requests to an appropriate URL. The redirect action consists of a complete URL.

Conditions

Conditions evaluate the traffic based on the rules, settings, or string match operation that is defined in the rewrite and responder.

The following are the conditions and their corresponding operators and values:

  • HTTP headers - A common method of evaluating the HTTP traffic is to examine the headers in a request or a response.

A header performs the following functions:

  • Provide cookies that contain data about the sender.
  • Identify the type of data that is being transmitted.
  • Identify the route that the data has traveled (through header).

    • HTTP Request Method - Identifies an element in the HTTP request or response by using a method in the HTTP request to evaluate HTTP request data.
      • Valid operators: Equals.
      • Value: GET, PUT, POST, DELETE.
    • HTTP Request Header - Identifies the HTTP request data to determine if the data contains a specific header.
      • Valid operators: Contains, Exists.
      • Value: Name, Value.
    • HTTP Response Header - Identifies the HTTP response data to determine if the data contains a specific header.
      • Valid operators: Contains, Exists.
      • Value: Name, Value.
    • HTTP Request Hostname - Identifies the HTTP request data to determine if the data contains a specific host name.
      • Valid operators: Contains, Equals, Startswith.
      • Value: Value.
    • HTTP Request URL - Identifies an element in the URL portion of an HTTP request.
      • Valid operators: Contains, Equals, Startswith, Endswith.
      • Value: Path.
  • Operators for HTTP Headers – Operators represent actions that match text and HTTP header values with a collection of static strings in the value.
    • Equals - An operation that evaluates whether the condition (target) matches the value (static strings).
    • Contains - An operation that identifies if the string argument appears in any instance of the header value. Evaluates whether the target contains any of the strings that are bound to the value.
    • Startswith - An operation that evaluates whether the target starts with any of the strings that are bound to the value.
    • Endswith - An operation that evaluates whether the target ends with any of the strings that are bound to the value.
    • Exists – An operation that evaluates if a request or response contains a particular object.
  • Value - Value is a parameter specific to an HTTP request or response. Evaluate specific data that the HTTP response or request contains.
    • GET - Retrieves information from the server.
    • PUT - Sends the data to a server to create/update a resource.
    • POST - Submits an entity to the specified resource that causes a change in state or effects on the server.
    • DELETE – Deletes a resource from the server.
    • Name - Identifies a specific name that the HTTP request or response contains.
    • Path - Identifies a specific segment of a URL that the HTTP request contains.

Create a content rule

The content rules feature of Citrix App Delivery and Security Service – Citrix Managed edition examines the request from the client or response from the server, performs action according to the specified rules, and forwards the traffic to the client or the server.

Follow these steps to create a content rule.

  1. Navigate to Applications > Content Rules.

  2. In the Deliver an Application page, click Add Content Rule.

  3. In the Select Content Rule page, click Create Content Rule.

  4. In the Create Content Rule page, type a name in Content Rule Name*.

In a content rule you can create:

  • A rewrite rule.
  • A responder rule.
  • Combination of rewrite and responder rules.

Note:

You can add only one content rule for an application.

Add a rewrite rule

The rewrite feature helps you to rewrite the required information in the requests or responses handled by Citrix App Delivery and Security Service – Citrix Managed edition.

Follow these steps to create a content rule using the rewrite:

  1. In Create Content Rule page, select the Rewrite tab.
  2. Click Add Rewrite Rule.
  3. In the Add Rewrite Rule page, enter the following parameters:

    • Rule Name* – Type a unique name for the rewrite rule. The name must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

    • IF THE FOLLOWING CONDITION IS MET – Evaluates the traffic based on condition, settings, or string match operation. This tab corresponds to the rewrite rule. The rewrite actions are performed only if the conditions are met. For more information, see Types of content rules section.

    Select the required condition and select or type the corresponding values and operators from the drop-down list. For more information on conditions, operators, and values, see Conditions section.

    • THEN DO THE FOLLOWING - If the condition is met, then the following configured rewrite actions should be done. For more information on rewrite action, see Types of Content Rules section. Select the required action and select or type the corresponding value fields such as header value, header name.

      • Forward Client IP with header name X-Forwarded-For - Forwards the HTTP header X-Forwarded-For in an HTTP request with the client’s IP address as its value.

      • Forward Port with header name X-Forwarded-Port - Forwards the HTTP header X-Forwarded-Port in an HTTP request with the client’s port as its value.

      • Forward Protocol with header name X-Forwarded-Proto - Forwards the HTTP header X-Forwarded-Protocol in an HTTP request with the client’s protocol as its value.

      • Insert Custom HTTP Header in Request - A rewrite action to insert a user defined custom HTTP header in a request.

        • Valid Fields: Custom Header Name, Header Value
      • Insert Custom HTTP Header in Response - A rewrite action to insert a user defined custom HTTP Header in a response.

        • Valid Fields: Custom Header Name, Header Value
      • Replace an HTTP Header in Request - A rewrite action to replace an HTTP header in a request.

        • Valid fields: Header Name, Header Value
      • Replace an HTTP Header in Response - A rewrite action to replace an HTTP header in a response.

        • Valid fields: Header Name, Header Value
      • Remove an HTTP Header in Request - A rewrite action to remove an HTTP header in a request.

        • Valid fields: Header Name
      • Remove an HTTP Header in Response - A rewrite action to remove an HTTP header in a response.

        • Valid fields: Header Name
      • Custom Header Name - A string, customized name for the HTTP request or response header.

      • Header Value - Custom header string for HTTP request or response header. For example, for a header name “Strict-Transport-Security”, the value is “max-age=31536000”.

      • Header Name - A string, name for the HTTP request or response header.

    If you want to add more than one condition to the same rule, click AND Condition and configure the required parameters. To remove the added conditions, click the Minimize icon.

  4. In the Add Rewrite Rule page, after entering the required parameters, click Add.

    The rewrite rule is listed in the Create Content Rule page and displays the following information:

    • RULE NAME - The rule name is a string that is used to define each rule with distinct names.
    • ACTION - The steps that Citrix App Delivery and Security Service – Citrix Managed edition takes, depending on the condition configured in the rule.
    • STATUS - Toggle to enable or disable the rewrite rule.
    • ACTIONS - Denotes the Delete or Edit action that is configured for that specific rewrite rule.

  5. Click Create.
  6. In the Select Content Rule page, select the created rewrite rule and click Add.

    The rewrite rule is listed in the Deliver an Application page. You have completed the steps to create a content rule using the rewrite.

Add a responder rule

The responder helps in content filtering functions. Citrix App Delivery and Security Service – Citrix Managed edition examines the request from the client, takes action according to the applicable responder rule, sends the response to the client, and closes the connection with the client.

Follow these steps to create a content rule using the responder:

  1. In the Create Content Rule page, select the Responder tab.
  2. Click Add Responder Rule.
  3. In the Add Responder Rule page, enter the following parameters:

    • Rule Name* – Type a unique name for the responder rule. The name must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

    • IF THE FOLLOWING CONDITION IS MET – Evaluates the traffic based on condition, settings, or string match operation. This tab corresponds to the responder rule. The responder actions are performed only if the conditions are met. For more information, see Types of content rules section.

    Select the required condition and select or type the corresponding values and operators from the drop-down list. For more information on conditions, operators, and values, see Conditions section.

    Note:

    HTTP Response Header is not applicable to the responder rule.

    • THEN DO THE FOLLOWING - If the condition is met, then the following configured responder actions are done. For more information on responder action, see Types of Content Rules section. Select the required action and select or type the corresponding value fields such as URL value, error code.

      • Redirect to URL - Modify a URL to redirect traffic from URL A to URL B.

        • Valid fields - URL value.

        The URL value can be an absolute value or a relative value. For example, https://www.example.com changes the server to which the request is redirected, whereas /index.html redirects the request to the resource index.html on the existing server that is configured.

      • Drop the request - Drop a connection based on the HTTP request-based parameter.

      • Reset the request - Reset a connection based on the HTTP request or response parameter.

      • Respond with Error - Sends the chosen error response.
        • Valid Fields: Choose the Error. You can choose DEFAULT or CUSTOM.
        • If you choose DEFAULT error, valid fields: Custom Error Message.
        • If you choose CUSTOM error, valid fields: Error Code, Custom Error Message.
      • Choose an Error - Select the error codes provided in the drop-down list to respond with that error code. You can select from the list of DEFAULT errors or select CUSTOM to provide a custom error.

        • Error Code - Provide an appropriate error code for your custom error.

        • Custom Error Message - Send the custom error message by providing an appropriate error message.

    Click AND Condition to add more than one condition to the same rule, and configure the required parameters according to the required specification. To remove the added conditions, click the Minimize icon.

  4. In the Add Responder Rule page, after entering the required parameters, click Add.

    The responder rule is listed in the Create Content Rule page and displays the following information:

    • RULE NAME - The rule name is a string that is used to define each rule with distinct names.
    • ACTION - The steps that Citrix App Delivery and Security Service – Citrix Managed edition takes, depending on the condition configured in the rule.
    • STATUS - Toggle to enable or disable the responder rule.
    • ACTIONS - Denotes the Delete or Edit action that is configured for that specific responder rule.

  5. In the Create Content Rule page, click Create.
  6. In the Select Content Rule page, select the created responder rule, then click Add.

    The responder rule is listed in the Deliver an Application page. You have completed the steps to create a content rule using the responder.
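
The conditions, operators, and actions described in the Conditions, Add a rewrite rule, and Add a responder rule sections can be modeled offline to check how a rule with AND conditions behaves before it is created in the console. The following Python model is an added example, not Citrix code: the names Message, Condition, validate, matches, and apply_rule are hypothetical, and it assumes case-sensitive string matching, lowercase header keys, and that Replace changes only a header that is already present.

```python
from dataclasses import dataclass, field

# Operators from the "Conditions" list. Case-sensitive matching is an assumption.
OPS = {
    "Equals": lambda target, value: target == value,
    "Contains": lambda target, value: value in target,
    "Startswith": lambda target, value: target.startswith(value),
    "Endswith": lambda target, value: target.endswith(value),
}
# Valid operators per condition, as listed on the page.
VALID_OPS = {
    "HTTP Request Method": {"Equals"},
    "HTTP Request Header": {"Contains", "Exists"},
    "HTTP Response Header": {"Contains", "Exists"},
    "HTTP Request Hostname": {"Contains", "Equals", "Startswith"},
    "HTTP Request URL": {"Contains", "Equals", "Startswith", "Endswith"},
}

@dataclass
class Message:
    """Constructed stand-in for one request/response pair; header keys are lowercase."""
    method: str
    host: str
    path: str
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)

@dataclass
class Condition:
    target: str        # one of the keys of VALID_OPS
    op: str
    value: str = ""    # string to match (unused by Exists)
    name: str = ""     # header name, for the two header conditions

def validate(kind, cond):
    """Reject combinations the page rules out before a rule is evaluated."""
    if cond.op not in VALID_OPS[cond.target]:
        raise ValueError(f"{cond.op} is not valid for {cond.target}")
    if kind == "responder" and cond.target == "HTTP Response Header":
        raise ValueError("HTTP Response Header is not applicable to the responder rule")

def matches(msg, cond):
    """Evaluate one condition against the message."""
    if cond.target.endswith("Header"):
        headers = msg.req_headers if "Request" in cond.target else msg.resp_headers
        found = headers.get(cond.name.lower())
        if cond.op == "Exists":
            return found is not None
        return found is not None and OPS[cond.op](found, cond.value)
    target = {"HTTP Request Method": msg.method,
              "HTTP Request Hostname": msg.host,
              "HTTP Request URL": msg.path}[cond.target]
    return OPS[cond.op](target, cond.value)

def apply_rule(kind, conditions, action, msg, name="", value=""):
    """Run one rule; return the action taken, or None when an AND condition fails."""
    for cond in conditions:
        validate(kind, cond)
    if not all(matches(msg, c) for c in conditions):
        return None
    if kind == "rewrite":
        headers = msg.resp_headers if action.endswith("Response") else msg.req_headers
        key = name.lower()
        if action.startswith("Remove"):
            headers.pop(key, None)
        elif action.startswith("Insert") or key in headers:
            headers[key] = value   # Replace only touches a header that is present (assumption)
    return (action, value)         # a responder action (redirect, drop, error) ends here
```
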

Bind a Service

Citrix App Delivery and Security Service – Citrix Managed edition enables you to bind the required services to the content rule.

  • In the Deliver an Application page, select the preferred services in the SERVICES drop-down list and then click Apply.

You can view the selected services in the drop-down list under the Services tab.

Click Next to configure the Security Protection feature. Otherwise, click Deploy.

Edit a content rule

You can edit the characteristics of an HTTP request or response of a content rule such as host name, URL, and so on. You can modify the conditions, actions, and corresponding fields.

The Deliver an Application page lists the created content rules with the following details:

  • NAME - Unique name of the content rule.
  • RULES - The rule enables Citrix App Delivery and Security Service – Citrix Managed edition to evaluate a piece of traffic or data. For example, a rule can enable Citrix App Delivery and Security Service – Citrix Managed edition to determine whether an HTTP request originated from a particular IP address.
  • SERVICES - Denotes the services that are associated with the configured content rule.
  • ACTIONS - Denotes the unbind action that is configured for that specific content rule.

Follow these steps to edit a content rule:

  1. In the Deliver an Application page, click Add Content Rule.

    The Select Content Rule page lists the following details:

    • NAME - Unique name of the content rule.
    • RULES - The rule enables Citrix App Delivery and Security Service – Citrix Managed edition to evaluate a piece of traffic or data. For example, a rule can enable Citrix App Delivery and Security Service – Citrix Managed edition to determine whether an HTTP request originated from a particular IP address.
    • ACTIONS - Denotes the Edit and Delete actions.

  2. Click the Edit icon in the Actions column.
  3. In the Update Content Rule-<rule name> page, click the Edit icon. You can enable or disable the rewrite rule (in the Rewrite tab) or the responder rule (in the Responder tab) by toggling the STATUS field.

  4. Click Update Content Rules to save the update. Verify the updates in the Create Content Rule page.

Edit a rewrite rule

  1. In the Update Content Rule - <rulename> page, Rewrite tab, select the required rewrite rule. Click the Edit icon to edit the rewrite condition and rewrite action.
  2. In the Add Rewrite Rule page, modify the required condition, rewrite action, and corresponding fields.
  3. Click Update.

Edit a responder rule

  1. In the Update Content Rule - <rulename> page, Responder tab, select the required responder rule. Click the Edit icon to edit the responder condition and responder action.
  2. In the Add Responder Rule, modify the required condition, responder action, and corresponding fields.
  3. Click Update.

Delete a content rule

Follow these steps to delete a content rule:

  1. Select the required content rule in the Deliver an Application page, and then click the unbind icon in the Actions column.
  2. Click Remove.

    The selected content rule is removed from the application.

Note:

Before you delete the content rule, make sure you unbind it from the service.

In the Select Content Rule page, click the Delete icon under the ACTIONS column to delete the content rule.

Delete a rewrite rule

  1. In the Update Content Rules - <rulename> page, select the required rewrite rule in the Rewrite tab and click the Delete icon in the Actions column.
  2. Click Yes, Delete. Verify that the rewrite rule is removed from the list.

Delete a responder rule

  1. In the Update Content Rules - <rulename> page, select the required responder rule in the Responder tab and click the Delete icon in the Actions column.
  2. Click Yes, Delete. Verify that the responder rule is removed from the list.
