Add content policies

Do you want to take a specific action on HTTP requests based on criteria such as user location, headers, or IP address? Citrix App Delivery and Security Service – Citrix Managed enables you to respond to HTTP requests depending on the following criteria:

  • Render a different page based on:
    • User’s geographical location.
    • Browser specification.
    • Languages the browser accepts.
    • Order of preference.

Content policies also help you to do the following:

  • Drop the connection if the request comes from an IP address or IP range suspected of probing the application or of participating in a DDoS attack.

  • Redirect traffic, respond with custom messages, or manipulate data on HTTP requests or responses.

  • Remove unnecessary HTTP headers, mask internal URLs, redirect webpages, queries, or keywords.

Use content policies in the CADS service to examine the request from the client or the response from the server and forward the traffic according to the applicable rule. The content policies feature evaluates the data and applies one or more actions based on the evaluation.

Benefits

With content policies, you can do the following:

  • Evaluate any part of the header or body of an HTTP or HTTPS request or response and take the configured action based on the evaluation. Content policies also enable you to modify the traffic, for example by transforming the value of an HTTP header in the request or response.

  • Redirect the request to a secure webpage. For example, while handling sensitive financial data, ensure that the client browses the site over a secure connection by redirecting the request from http:// to https://.

  • Show a custom error page instead of the default 404 error page. For example, if you show the home page or the site map instead of an error page, the visitor stays on the site instead of moving away from it.

  • Append the default page name to the URL of a website. For example, if the default page of a company’s website is http://www.abc.com/index.php, when the user types abc.com in the address bar of the browser, you can rewrite the URL to abc.com/index.php.

  • Evaluate basic characteristics of traffic and data. For example, content policies can identify whether an HTTP request or response contains a particular type of header or URL. You can drop a connection or reset a connection at the request level based on the configured rule.

Prerequisites

  1. You have created an environment.
  2. You have specified the basic details, such as the name of the application, environment, services, and endpoints by navigating to Applications > New Application. For more information, see Deliver a modern application.

Conditions

Conditions evaluate the traffic based on the rules, settings, or string match operations that are defined in a rewrite or responder rule.

The following are the conditions and their corresponding operators and values:

  • HTTP headers - A common method of evaluating HTTP traffic is to examine the headers in a request or a response. Headers perform the following functions:
    • Provide cookies that contain data about the sender.
    • Identify the type of data that is being transmitted.
    • Identify the route that the data has travelled (for example, through the Via header).

    • Valid HTTP Request - Identifies the validity of the incoming HTTP request.

    • Valid HTTP Response - Identifies the validity of the generated HTTP response.

    • HTTP Request Method - Evaluates the HTTP method of the request.
      • Valid operators: Equals, Not equals.
      • Value: GET, PUT, POST, DELETE.
    • HTTP Request Header - Identifies the HTTP request data to determine if the data contains a specific header.
      • Valid operators: Contains, Exists, Not contains, Not exists.
      • Value: Header Names, Header Value.
    • HTTP Response Header - Identifies the HTTP response data to determine if the data contains a specific header.
      • Valid operators: Contains, Exists, Not contains, Not exists.
      • Value: Header Names, Header Value.
    • HTTP Request Hostname - Identifies the HTTP request data to determine if the data contains a specific host name.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: Hostname Values.
    • HTTP Request URL - Identifies an element in the URL portion of an HTTP request.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: URL Path.
    • HTTP Request URL Query - Identifies an element in the query string of an HTTP request URL.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: Query Name, Query Value.
    • HTTP Request URL Suffix - Identifies an element in the URL suffix of an HTTP request.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: URL Suffix Value.
    • Client IP Address - Evaluates the source IP address of the client connection.
      • Valid operators: Between, Equals, Insubnet, Not between, Not equals, Not insubnet.
      • Value: IP Addresses, Subnet IP Addresses, Range Start, Range End.
    • HTTP Request Cookie - Evaluates the request based on the contents of its Cookie header, for example whether a cookie with a given name and value is present.
      • Valid operators: Contains, Not contains.
      • Value: Cookie Name, Cookie Value.
    • HTTP Response Status Code - Evaluates the status code of the response returned by the server.
      • Valid operators: Equals, Not equals, Between, Not between.
      • Value: Response Status Codes, Range Start, Range End.
  • Operators for HTTP Headers – Operators define how the condition target (a header value, URL, host name, IP address, or status code) is matched against the configured value. For the string operators, the value can be a collection of static strings, and the condition is met if any of them matches.
    • Equals - Evaluates whether the target matches the value (static strings) exactly.
    • Contains - Evaluates whether any of the strings bound to the value appears anywhere in the target, for example in any instance of a header value.
    • Startswith - Evaluates whether the target starts with any of the strings bound to the value.
    • Endswith - Evaluates whether the target ends with any of the strings bound to the value.
    • Exists – Evaluates whether a request or response contains a particular object, such as a header.
    • Between – Evaluates whether a numeric target (a client IP address or a response status code) lies within the range from Range Start to Range End.
    • Not between - Evaluates whether the target lies outside the range from Range Start to Range End.
    • Is valid - Evaluates whether a request or response is valid.
    • Insubnet - Evaluates whether the client IP address belongs to the specified subnet.
    • Not insubnet - Evaluates whether the client IP address does not belong to the specified subnet.
    • Not startswith - Evaluates whether the target does not start with any of the strings bound to the value.
    • Not endswith - Evaluates whether the target does not end with any of the strings bound to the value.
    • Not contains - Evaluates whether none of the strings bound to the value appears in the target.
    • Not equals - Evaluates whether the target does not match the value.
    • Not exists - Evaluates whether a request or response does not contain a particular object.
  • Value - The value is the data that a condition compares against; it is specific to an HTTP request or response.
    • GET - Retrieves information from the server.
    • PUT - Sends the data to a server to create/update a resource.
    • POST - Submits an entity to the specified resource that causes a change in state or effects on the server.
    • DELETE – Deletes a resource from the server.
    • Query Name - Identifies a specific name that the HTTP request or response contains.
    • URL Path - Identifies a specific segment of a URL that the HTTP request contains.
    • Query Value - Identifies a specific value that the HTTP request or response contains.
    • URL Suffix Value - Identifies a specific suffix value of a URL that the HTTP request contains.
    • Range End - Option to set the highest value of its range.
    • Range Start - Option to set the lowest value of its range.
    • Subnet IP Address - Identifies the specific subnet address.
    • IP Address - Identifies the specific IP address.
    • Header Names - Identifies a specific header name.
    • Header Value - Identifies a specific header value.
    • Hostname Values - Identifies a specific host name value.
    • Response Status Code - Identifies the status code generated by servers.
    • Cookie Value - Identifies a specific cookie value that the HTTP request contains.
    • Cookie Name - Identifies a specific cookie name that the HTTP request contains.

Operations

If the conditions are met, the configured operations are performed. Select the required operation and fill in the fields that apply to it.

The following are the operations and their corresponding operators and values:

  • Forward Client IP with header name X-Forwarded-For - Inserts the HTTP header X-Forwarded-For in the request forwarded to the server, with the client’s IP address as its value. Because a client can send its own X-Forwarded-For header, back-end applications must trust only the value that the CADS service sets and never a value that arrived from the client.

  • Forward Port with header name X-Forwarded-Port - Inserts the HTTP header X-Forwarded-Port in the request forwarded to the server, with the client’s port as its value.

  • Forward Protocol with header name X-Forwarded-Proto - Inserts the HTTP header X-Forwarded-Proto in the request forwarded to the server, with the client’s protocol (http or https) as its value.

  • Insert Custom HTTP Header in Request - A rewrite action to insert a user defined custom HTTP header in a request.

    • Valid Fields: Custom Header Name, Header Value
  • Insert Custom HTTP Header in Response - A rewrite action to insert a user defined custom HTTP Header in a response.

    • Valid Fields: Custom Header Name, Header Value
  • Replace an HTTP Header in Request - A rewrite action to replace an HTTP header in a request.

    • Valid fields: Header Name, Header Value
  • Replace an HTTP Header in Response - A rewrite action to replace an HTTP header in a response.

    • Valid fields: Header Name, Header Value
  • Remove an HTTP Header in Request - A rewrite action to remove an HTTP header in a request.

    • Valid fields: Header Name
  • Remove an HTTP Header in Response - A rewrite action to remove an HTTP header in a response.

    • Valid fields: Header Name
  • Fields used by the header operations:

    • Custom Header Name - A string, the customized name for the HTTP request or response header.

    • Header Value - The custom header string for the HTTP request or response header. For example, for the header name “Strict-Transport-Security”, the value is “max-age=31536000”.

    • Header Name - A string, the name of the HTTP request or response header.

  • Replace request URL - A rewrite action to replace the request URL with the specified URL. The CADS service enables you to convert the URL in the client request to another URL that the back-end server understands. This rewrite gives you the following benefits:

    • Hides the actual URL of the resource requested by the client, so the site’s internal structure is not exposed.

    • Makes it harder for an unauthorized user to discover and reach back-end resources directly. URL rewriting is obfuscation, not an access control; keep authentication and authorization on the back end.

    • Valid fields: Enter URL you like to replace.

    • Enter URL you like to replace - The URL that replaces the request URL. For example, you can change the URLs in client requests temporarily while the website is under maintenance. If the request URL in the web browser is http://www.example.com, you can configure the CADS service to replace it by entering http://www.example.com/resource/inventory/s?t=112 as the replacement URL.

  • Redirect to URL - Modify a URL to redirect traffic from URL A to URL B.

    • Valid fields - URL value.

    The URL value can be absolute or relative. For example, https://www.example.com changes the server to which the request is redirected, and /index.html redirects the request to the resource index.html on the configured server.

  • Drop the request - Drop a connection based on the HTTP request-based parameter.

  • Reset the request - Reset a connection based on the HTTP request or response parameter.

  • Respond with Error - Sends the chosen error response.
    • Valid Fields: Choose the Error. You can choose DEFAULT or CUSTOM.
    • If you choose DEFAULT error, valid fields: Custom Error Message.
    • If you choose CUSTOM error, valid fields: Error Code, Custom Error Message.

    • Choose an Error - Select the error codes provided in the drop-down list to respond with that error code. You can select from the list of DEFAULT errors or select CUSTOM to provide a custom error.

    • Error Code - Provide an appropriate error code for your custom error.

    • Custom Error Message - Send the custom error message by providing an appropriate error message.
  • Respond with an HTML page - Choose an HTML file to respond with a custom message. You can upload the required HTML page. Use this type of action to send the desired HTML page as the response.

    • HTML File - You can upload an HTML page with a custom message during responder run time. Click Upload File to choose the required HTML file.
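
The following Python model is added here as an illustration; it is not code from the CADS service or its documentation. It evaluates a rule list with the condition and operator semantics described above (Equals, Contains, Startswith, Endswith and their Not forms against a list of static strings; Insubnet and Between on the client IP address; Exists on request headers) and applies the request-side operations (insert, replace, or remove a header; forward the client IP in X-Forwarded-For; replace the URL; drop, redirect, or respond with an error). Responder rules are evaluated before rewrite rules, as the Order description on this page states. Assumptions that the page does not state: conditions within one rule are AND-ed (as the AND Condition control suggests), the first matching responder rule ends processing, matching rewrite rules are applied in list order, and only the request flow is modelled. The rule names, the blocked range 203.0.113.0/24, the X-Debug header, and the requests in demo() are constructed sample data.

```python
"""Toy evaluator for the condition/operator/operation model described above. Added example,
not Citrix code. Assumptions not stated on the page: conditions in a rule are AND-ed, responder
rules run before rewrite rules, the first matching responder rule ends processing, matching
rewrite rules apply in list order, and only the request flow is modelled."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    host: str
    url: str        # request path (query string handling is omitted here)
    headers: dict   # lower-cased header name -> value
    client_ip: str

def _negate(op, hit):
    """Every Not operator is the plain operator with the result inverted."""
    return hit != op.startswith("not_")

def _string_match(op, target, values):
    """Equals/Contains/Startswith/Endswith (and Not forms): met if any bound string matches."""
    base = op[4:] if op.startswith("not_") else op
    tests = {"equals": lambda v: target == v, "contains": lambda v: v in target,
             "startswith": target.startswith, "endswith": target.endswith}
    return _negate(op, any(tests[base](v) for v in values))

def _ip_match(op, client_ip, value):
    """Equals/Insubnet/Between (and Not forms) on the client IP address."""
    ip = ipaddress.ip_address(client_ip)
    if op.endswith("insubnet"):
        hit = ip in ipaddress.ip_network(value, strict=False)
    elif op.endswith("between"):
        lo, hi = map(ipaddress.ip_address, value)   # value = (Range Start, Range End)
        hit = lo <= ip <= hi
    else:
        hit = ip == ipaddress.ip_address(value)
    return _negate(op, hit)

def evaluate(req, cond):
    kind, op, value = cond["kind"], cond["op"], cond["value"]
    if kind == "client_ip":
        return _ip_match(op, req.client_ip, value)
    if kind == "request_header":   # value = {"name": ..., "value": ...}
        name = value["name"].lower()
        if op.endswith("exists"):
            return _negate(op, name in req.headers)
        return _negate(op, name in req.headers and value["value"] in req.headers[name])
    target = {"method": req.method, "hostname": req.host, "url": req.url}[kind]
    return _string_match(op, target, value)

def apply_policy(req, rules):
    """Return ("responder", action) if a responder rule fires, else ("forward", rewritten request)."""
    active = [r for r in rules if r.get("enabled", True) and r["flow"] == "request"]
    ordered = sorted(active, key=lambda r: r["category"] != "responder")  # responder first, stable
    for rule in ordered:
        if not all(evaluate(req, c) for c in rule["conditions"]):
            continue
        act = rule["action"]
        if rule["category"] == "responder":
            return "responder", dict(act, rule=rule["name"])
        if act["op"] in ("insert_header", "replace_header"):
            req.headers[act["name"].lower()] = act["value"]
        elif act["op"] == "remove_header":
            req.headers.pop(act["name"].lower(), None)
        elif act["op"] == "forward_client_ip":
            # Overwrite rather than append: the client may have sent its own X-Forwarded-For.
            req.headers["x-forwarded-for"] = req.client_ip
        elif act["op"] == "replace_url":
            req.url = act["url"]
    return "forward", req

# Constructed rule set mirroring the page's examples; the blocked range and X-Debug are made up.
RULES = [
    {"name": "block-scanner-range", "category": "responder", "flow": "request",
     "conditions": [{"kind": "client_ip", "op": "insubnet", "value": "203.0.113.0/24"}],
     "action": {"op": "drop"}},
    {"name": "legacy-path-redirect", "category": "responder", "flow": "request",
     "conditions": [{"kind": "url", "op": "startswith", "value": ["/old/"]}],
     "action": {"op": "redirect", "url": "https://www.example.com/new/"}},
    {"name": "read-write-only", "category": "responder", "flow": "request",
     "conditions": [{"kind": "method", "op": "not_equals", "value": ["GET", "POST"]}],
     "action": {"op": "respond_error", "code": 405, "message": "method not allowed"}},
    {"name": "default-page", "category": "rewrite", "flow": "request",
     "conditions": [{"kind": "url", "op": "equals", "value": ["/"]}],
     "action": {"op": "replace_url", "url": "/index.php"}},
    {"name": "strip-client-debug", "category": "rewrite", "flow": "request",
     "conditions": [{"kind": "request_header", "op": "exists", "value": {"name": "X-Debug"}}],
     "action": {"op": "remove_header", "name": "X-Debug"}},
    {"name": "xff", "category": "rewrite", "flow": "request",
     "conditions": [{"kind": "hostname", "op": "endswith", "value": ["example.com"]}],
     "action": {"op": "forward_client_ip"}},
]

def demo():
    # Constructed requests: one from the blocked range, one spoofing X-Forwarded-For.
    scanner = Request("GET", "www.example.com", "/", {}, "203.0.113.77")
    spoofer = Request("GET", "www.example.com", "/",
                      {"x-debug": "1", "x-forwarded-for": "1.2.3.4"}, "198.51.100.9")
    _, fwd = apply_policy(spoofer, RULES)
    return {"scanner": apply_policy(scanner, RULES)[1]["op"],  # "drop": responder beats the "/" rewrite
            "spoofer": (fwd.url, fwd.headers)}                 # ("/index.php", {"x-forwarded-for": "198.51.100.9"})
```

The scanner request matches both the drop rule and the default-page rewrite; because responder rules are evaluated first it is dropped before any rewrite runs. The spoofer request shows why the X-Forwarded-For operation must overwrite: the client-supplied value 1.2.3.4 is replaced by the address of the actual connection.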

Create or Select a content policy

The content policies feature of the CADS service examines the request from the client or response from the server, performs action according to the specified rules, and forwards the traffic to the client or the server.

You can create a content policy or select an existing content policy for your service.

Follow these steps to create a content policy.

  1. Navigate to Applications > Content Policies.

  2. In the Deliver an Application page, click Create.

  3. In the Create Content Policy page, type a unique name for the content policy in Name, create a rule and click Create.

Follow these steps to select an existing content policy.

  1. Navigate to Applications > Content Policies.

  2. In the Deliver an Application page, click Select.

  3. In the Select Content policies page, select the required content policy in the list by selecting the check box and click Add.

In a content policy you can create:

  • A rewrite rule.
  • A responder rule.
  • Combination of rewrite and responder rules.

Note:

You can add only one content policy for an application.

Add a rule

By adding a rule, you can do the following:

  • Rewrite the required information in the requests or responses handled by the CADS service.
  • Content filtering. The CADS service examines the request from the client, takes the action according to the applicable rule, sends the response to the client, and closes the connection with the client.

Follow these steps to create a content policy by adding the rules:

  1. In Create Content Policy page, click Add Rule.
  2. In the Add Rule page, enter the following parameters:

    • Rule Name* – Type a unique name for the rule. Must begin with a letter, number, or the underscore character (_). Must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

    • If the following condition is met – Evaluates the traffic based on a condition, setting, or string match operation. The actions are performed only if the conditions are met. Select the required condition and select or type the corresponding operator and values from the drop-down list. For more information on conditions, operators, and values, see the Conditions section.

    Click AND Condition to add more than one condition to the same rule, and configure the required parameters according to the required specification. To remove the added conditions, click the Minimize icon.

    • Then do the following - If the conditions are met, then the configured operations are done. For more information on operations, see Operations section. Select the required operation and select or type the corresponding value fields such as header value, header name.

When you select the required condition, the corresponding applicable operations are highlighted in the drop-down list, and the not applicable actions are grayed out.

  3. In the Add Rule page, after entering the required parameters, click Add.

    The created rule is listed in the Create Content Policy page with the following information:

    • Name - The content policy name is a unique name for the content policy. Must begin with a letter, number, or the underscore character (_). Must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

    • Order - The rules run in the order in which they are listed. Rules with the responder operation category are always performed first. You can change the order of rules that share the same combination of traffic flow and operation category.

    • Traffic Flow - There are two types of traffic flow.

      • Request - The direction of traffic from the client to the server or the CADS service.
      • Response - The direction of traffic from the server or the CADS service to the client.
    • Operation Category - There are two types of operation category.

      • Rewrite - Rewrite refers to rewriting the required information in the requests or responses handled by the CADS service. Rewriting can provide access to the requested content without exposing unwanted details about the website’s actual configuration. Rewrite identifies the HTTP data that you want to modify before serving it. For example, you can mask server information in a response for security purposes.
      • Responder - The responder provides content filtering. It selects the requests to which the CADS service responds and is associated with an action that is performed when a request matches the rule. Responder supports protocols such as TCP, DNS (UDP), and HTTP. With responder enabled in your application, the CADS service responds on behalf of the server. Responses can be based on who sends the request, where it is sent from, and other criteria with security and system management implications. For example, when users request a webpage, you can provide a different page based on the situation, or drop the connection if the request comes from an IP range that has been generating DDoS attacks or initiating hacking attempts.
    • RULE NAME - Unique name of the rule.
    • OPERATION - The list of actions that are performed when the conditions are met.
    • ENABLED - Enable or disable the rule by toggling the ENABLED field.
    • ACTIONS - Denotes the edit and delete actions available for that specific rule.

  4. Click Create.

    The content policy is listed in the Deliver an Application page. You have completed the steps to create a content policy.

Bind a service

CADS service enables you to bind the required services to the content policy.

  • In the Deliver an Application page, select the preferred services in the SERVICES drop-down list by selecting the check box.


You can view the selected services in the drop-down list under the Services tab.

Click Next to configure the Security Protection feature. Otherwise, click Deploy.

Edit a content policy

You can edit the characteristics of an HTTP request or response that a content policy evaluates, such as the host name or URL, and modify the conditions, actions, and corresponding fields.

The Deliver an Application page lists the created content policy with the following details:

  • NAME - Unique name of the content policy.
  • RULES - The rule enables the CADS service to evaluate a piece of traffic or data. For example, a rule can enable the CADS service to determine whether an HTTP request originated from a particular IP address.
  • SERVICES - Denotes the services that are associated with the configured content policy.
  • ACTIONS- Denotes the edit and delete action that is configured for that specific content policy.


Follow these steps to edit a content policy:

  1. In the Deliver an Application page, click Select.

    The Select Content policies page lists the following details:

    • NAME - Unique name of the content policy.
    • RULES - The rule enables the CADS service to evaluate a piece of traffic or data. For example, a rule can enable the CADS service to determine whether an HTTP request originated from a particular IP address.
    • ACTIONS - Denotes the Edit and Delete actions.

  2. Click the Edit icon in the Actions column.
  3. In the Update Content policy-<rule name> page, click the Edit icon.
  4. Click Update to save the updates.

Edit a rule

  1. In the Update Content Policy- <rule name> page, select the required rule. Click the Edit icon to edit the condition and action.
  2. In the Add Rule page, modify the required condition, action, and corresponding fields.
  3. Click Update to save the updates.
  4. Click Update in the Update Content Policy- <rule name> page.


Delete a content policy

Follow these steps to delete a content policy:

  1. Select the required content policy in the Deliver an Application page, and then click the Delete icon in the Actions column.
  2. Click Remove.

    The selected content policy is removed from the application.

Unbind a service

In the Select Content policies page, click the Delete icon under the ACTIONS column to delete the content policy.

  1. Click Delete.

    The selected content policy is removed from the application.


Delete a rule

  1. In the Update Content Policy - <rule name> page, select the required rule and click the Delete icon in the Actions column.
  2. Click Delete. Verify that the rule is removed from the list.

