Content Transform

Do you want to take a specific action on HTTP requests based on criteria such as user location, headers, and IP address? Citrix App Delivery and Security Service – Citrix Managed enables you to respond to HTTP requests depending on the following criteria:

  • Render a different page based on:
    • User’s geographical location.
    • Browser specification.
    • Languages the browser accepts.
    • Order of preference.

Content Transform also helps you to do the following:

  • Drop the connection if the request is from an IP range that can be a suspected DDoS attack or hack attempt.

  • Redirect traffic, respond with custom messages, or manipulate data on HTTP requests or responses.

  • Remove unnecessary HTTP headers, mask internal URLs, redirect webpages, queries, or keywords.

Use content transform in the CADS service to examine the request from the client or response from the server and forward the request depending on the applicable rule. The content transform feature evaluates the data and applies one or more actions based on the evaluation.

Benefits

With content transform, you can do the following:

  • Evaluate any part of the header or body of an HTTP or HTTPS request or response and take the configured action based on evaluation. The content transform enables you to configure more actions. For example, transforming the value of an HTTP header in the request or response.

  • Redirect the request to a secure webpage. For example, while handling sensitive financial data, ensure that the client uses a secure connection to browse a site by redirecting the request to a secure connection. That is, use https:// instead of http://.

  • Show a custom error page instead of the default 404 error page. For example, if you show the home page or site map of the website instead of an error page, the visitor remains on the site instead of moving away from the website.

  • Append the default page name to the URL of a website. For example, if the default page of a company’s website is http://www.abc.com/index.php, when the user types abc.com in the address bar of the browser, you can rewrite the URL to abc.com/index.php.

  • Evaluate basic characteristics of traffic and data. For example, content transform can identify whether an HTTP request or response contains a particular type of header or URL. You can drop a connection or reset a connection at the request level based on the configured rule.

Prerequisites

  1. You have created an environment and a cloud access profile.
  2. You have specified the basic details, such as the name of the application, environment, services, and endpoints by navigating to Applications > New Application. For more information, see Deliver a modern application.

Types of content transform

Citrix App Delivery and Security service supports the following types of content transform:

  • Rewrite

  • Responder

You can select a condition for rewrite and responder. CADS service converts the condition into the rules and binds it to the application. CADS service acts based on the configured condition. For more information, see Create or Select a content transform section.

Rewrite

Rewrite refers to the rewriting of required information in the requests or responses handled by the CADS service. Rewriting can help in providing access to the requested content without exposing unwanted details about the website’s actual configuration.

A rewrite rule identifies the HTTP data that you want to modify before serving. The rules are provided for modifying the data.

For example, you can modify the data to mask server information in a response for security purposes.

Actions are the steps CADS service takes, depending on the condition configured in the rule.

For example, if a condition in a rule matches a particular source IP address in a request, the action that is associated with this rule determines whether the connection is permitted.

Rewrite action

A rewrite action indicates changes made to a request or response prior to sending it to a server or client. The type of actions that the CADS service takes are feature specific. For example, in rewrite, actions can replace text in a request.

In CADS service, actions are configurable. After enabling the rewrite feature, you need to configure one or more actions. For example, if you want to insert the client IP from which a request is sent, you can add a local Client-IP header to incoming requests. The rewrite action inserts the HTTP header you specify into the HTTP request or response.

Responder

The responder helps in content filtering functions. The responder rule helps to select the requests to which the CADS service responds. The responder rule is associated with an action, which is performed if a request matches the rule. Responder supports protocols such as TCP, DNS (UDP), and HTTP. With responder enabled in your application, server responses can be based on who sends the request, where it is sent from, and other criteria with security and system management implications. For example, when users request a webpage, you can provide a different page based on the situation. You can drop the connection if the request is coming from an IP range that has been generating DDoS attacks or initiating hacking attempts.

Responder action

CADS service substitutes for and acts as a web server. You must configure one or more responder actions for handling requests. The responder action is used to manually define responses such as, simple HTML-based response, designated error response, and designated HTML page. For example, you can configure the text for a respond action with a web server error code and brief HTML page. You can configure a custom header for a respond action.

The responder redirects the request to a different webpage or web server. For example, a Redirect action can redirect requests originally sent to a “dummy” website that exists in DNS, to an actual website. It can also redirect search requests to an appropriate URL. The redirect action consists of a complete URL.

Conditions

Conditions evaluate the traffic based on the rules, settings, or string match operation that is defined in the rewrite and responder.

The following are the conditions and their corresponding operators and values:

  • HTTP headers - A common method of evaluating the HTTP traffic is to examine the headers in a request or a response.

A header performs the following functions:

  • Provide cookies that contain data about the sender.
  • Identify the type of data that is being transmitted.
  • Identify the route that the data has traveled (through header).

    • Valid HTTP Request - Identifies the validity of the incoming HTTP request.

    • Valid HTTP Response - Identifies the validity of the generated HTTP response.

    • HTTP Request Method - Identifies an element in the HTTP request or response by using a method in the HTTP request to evaluate HTTP request data.
      • Valid operators: Equals, Not equals.
      • Value: GET, PUT, POST, DELETE.
    • HTTP Request Header - Identifies the HTTP request data to determine if the data contains a specific header.
      • Valid operators: Contains, Exists, Not contains, Not exists.
      • Value: Header Names, Header Value.
    • HTTP Response Header - Identifies the HTTP response data to determine if the data contains a specific header.
      • Valid operators: Contains, Exists, Not contains, Not exists.
      • Value: Header Names, Header Value.
    • HTTP Request Hostname - Identifies the HTTP request data to determine if the data contains a specific host name.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: Hostname Values.
    • HTTP Request URL - Identifies an element in the URL portion of an HTTP request.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: URL Path.
    • HTTP Request URL Query - Identifies an element in the URL query of an HTTP request.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: URL Path.
    • HTTP Request URL Suffix - Identifies an element in the URL suffix of an HTTP request.
      • Valid operators: Contains, Equals, Startswith, Endswith, Not contains, Not equals, Not startswith, Not endswith.
      • Value: URL Suffix Value.
    • Client IP Address - Identifies the client IP address. Identify and return a client IP address in a TCP/IP packet.
      • Valid operators: Between, Equals, Insubnet, Not between, Not equals, Not insubnet.
      • Value: IP Addresses, Subnet IP Addresses, Range Start, Range End.
    • HTTP Request Cookie - Identifies the HTTP request based on its cookie. Identifies almost any type of information in a cookie header. Returns the contents of the HTTP Cookie header.
      • Valid operators: Contains, Not contains.
      • Value: Cookie Name, Cookie Value.
    • HTTP Response Status Code - Identifies the response status code from the server. Returns the response status code.
      • Valid operators: Equals, Not equals, Between, Not between.
      • Value: Response Status Codes, Range Start, Range End.
  • Operators for HTTP Headers – Operators represent actions that match text and HTTP header values with a collection of static strings in the value.
    • Equals- An operation that evaluates whether the condition (target) matches the value (static strings).
    • Contains - An operation that identifies if the string argument appears in any instance of the header value. Evaluates whether the target contains any of the strings that are bound to the value.
    • Startswith - An operation that evaluates whether the target starts with any of the strings that are bound to the value.
    • Endswith - An operation that evaluates whether the target ends with any of the strings that are bound to the value.
    • Exists – An operation that evaluates if a request or response contains a particular object.
    • Between – An operation that matches the individual strings and sets of strings with any portion of a header value. The header value can be an entire string, the start of a string, or any portion of text in between the start and the end of the string.
    • Not between - An operation that evaluates the header value that can be an entire string, the start of a string, or any portion of text that is not between the start and the end of the string.
    • Is valid - An operation that evaluates if a request or response is valid.
    • Insubnet - An operation that evaluates if a request or response is from a particular subnet.
    • Not insubnet - An operation that evaluates if a request or response is not from a particular subnet.
    • Not startswith - An operation that evaluates whether the request or response does not start with any of the strings that are bound to the value.
    • Not endswith - An operation that evaluates whether the request or response does not end with any of the strings that are bound to the value.
    • Not contains - An operation that evaluates whether the string argument does not appear in any instance of the header value. Evaluates whether the request or response contains none of the strings that are bound to the value.
    • Not equals - An operation that evaluates whether the request or response does not match the value.
    • Not exists - An operation that evaluates if a request or response does not contain a particular object.
  • Value - Value is a parameter specific to an HTTP request or response. Evaluate specific data that the HTTP response or request contains.
    • GET - Retrieves information from the server.
    • PUT - Sends the data to a server to create/update a resource.
    • POST - Submits an entity to the specified resource that causes a change in state or effects on the server.
    • DELETE – Deletes a resource from the server.
    • Query Name - Identifies a specific name that the HTTP request or response contains.
    • URL Path - Identifies a specific segment of a URL that the HTTP request contains.
    • Query Value - Identifies a specific value that the HTTP request or response contains.
    • URL Suffix Value - Identifies a specific suffix value of a URL that the HTTP request contains.
    • Range End - Option to set the highest value of its range.
    • Range Start - Option to set the lowest value of its range.
    • Subnet IP Address - Identifies the specific subnet address.
    • IP Address - Identifies the specific IP address.
    • Header Names - Identifies a specific header name.
    • Header Value - Identifies a specific header value.
    • Hostname Values - Identifies a specific host name value.
    • Response Status Code - Identifies the status code generated by servers.
    • Cookie Values - Identifies a specific cookie header that the HTTP request or response contains.
    • Cookie Name - Identifies a specific cookie name that the HTTP request or response contains.
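To make the condition, operator, and responder action semantics on this page concrete, here is an added Python model (not Citrix code and not the CADS implementation). The class names, the request dictionary layout, and the first-match rule ordering are assumptions; the sample rules and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative model: class names and first-match rule order are assumptions,
# not the CADS service's implementation.
STRING_OPS = {
    "Equals": lambda t, vs: any(t == v for v in vs),
    "Contains": lambda t, vs: any(v in t for v in vs),
    "Startswith": lambda t, vs: any(t.startswith(v) for v in vs),
    "Endswith": lambda t, vs: any(t.endswith(v) for v in vs),
}
# Request field inspected by each string-valued condition.
TARGETS = {"HTTP Request Method": "method", "HTTP Request Hostname": "host",
           "HTTP Request URL": "url"}

def ip_match(op, client_ip, values):
    """Client IP Address operators: Equals, Insubnet, Between (inclusive)."""
    ip = ipaddress.ip_address(client_ip)
    if op == "Equals":
        return any(ip == ipaddress.ip_address(v) for v in values)
    if op == "Insubnet":
        return any(ip in ipaddress.ip_network(v) for v in values)
    if op == "Between":  # values are (Range Start, Range End)
        start, end = (ipaddress.ip_address(v) for v in values)
        return start <= ip <= end
    raise ValueError(f"unsupported IP operator: {op}")

@dataclass(frozen=True)
class Condition:
    kind: str          # condition name as listed on the page
    operator: str      # operator name as listed on the page
    values: tuple = ()
    header: str = ""   # header name, used by HTTP Request Header only

    def matches(self, req):
        op, negate = self.operator, False
        if op.startswith("Not "):  # "Not insubnet" -> negated "Insubnet"
            op, negate = op[4:].capitalize(), True
        if self.kind == "Client IP Address":
            hit = ip_match(op, req["client_ip"], self.values)
        elif self.kind == "HTTP Request Header":
            headers = {k.lower(): v for k, v in req["headers"].items()}
            value = headers.get(self.header.lower())
            if op not in ("Exists", "Contains"):
                raise ValueError(f"unsupported header operator: {op}")
            hit = value is not None and (op == "Exists" or any(v in value for v in self.values))
        else:
            hit = STRING_OPS[op](req[TARGETS[self.kind]], self.values)
        return hit != negate

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple  # all must match, like conditions joined with AND Condition
    action: tuple      # responder action name plus its fields
    enabled: bool = True

def decide(rules, req):
    """Return (rule name, action) for the first enabled matching rule."""
    for rule in rules:
        if rule.enabled and all(c.matches(req) for c in rule.conditions):
            return rule.name, rule.action
    return None, ("Forward",)

def make_request(client_ip, url, host="www.example.com", method="GET", headers=None):
    """Build a constructed request record for the model."""
    return {"client_ip": client_ip, "url": url, "host": host,
            "method": method, "headers": headers or {}}

# Constructed sample rules using documentation address ranges.
RULES = (
    Rule("drop-suspect-range",
         (Condition("Client IP Address", "Insubnet", ("203.0.113.0/24",)),),
         ("Drop the request",)),
    Rule("admin-internal-only",
         (Condition("HTTP Request URL", "Startswith", ("/admin",)),
          Condition("Client IP Address", "Not insubnet", ("10.0.0.0/8",))),
         ("Respond with Error", 403, "Forbidden")),
    Rule("bare-host-redirect",
         (Condition("HTTP Request Hostname", "Equals", ("example.com",)),),
         ("Redirect to URL", "https://www.example.com")),
)
```

Running planned rules through a model like this before entering them in the console shows which rule a given request would hit, and makes overlaps between a drop rule and a more specific rule visible.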

Create or Select a content transform

The content transform feature of the CADS service examines the request from the client or response from the server, performs action according to the specified rules, and forwards the traffic to the client or the server.

You can create a content transform or select the existing content transform for your service.

Follow these steps to create a content transform.

  1. Navigate to Applications > Content Transform.

  2. In the Deliver an Application page, click Create.

  3. In the Create Content Transform page, type a name in Content Transform Name, create a rewrite rule or a responder rule and click Create.

Follow these steps to select an existing content transform.

  1. Navigate to Applications > Content Transform.

  2. In the Deliver an Application page, click Select.

  3. In the Select Content Transform page, select the required content transform in the list by selecting the check box and click Add.

In a content transform you can create:

  • A rewrite rule.
  • A responder rule.
  • Combination of rewrite and responder rules.

Note:

You can add only one content transform for an application.

Add a rewrite rule

The rewrite feature helps you to rewrite the required information in the requests or responses handled by the CADS service.

Follow these steps to create a content transform using the rewrite:

  1. In Create Content Transform page, select the Rewrite tab.
  2. Click Add Rewrite Transform.
  3. In the Add Rewrite Transform page, enter the following parameters:

    • Rule Name* – Type a unique name for the rewrite rule. The name must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

    • If the following condition is met – Evaluates the traffic based on condition, settings, or string match operation. This tab corresponds to the rewrite rule. Only if the conditions are met, the rewrite actions are performed. For more information, see Types of content transform section.

    Select the required condition and select or type the corresponding values and operators from the drop-down list. For more information on conditions, operators, and values, see Conditions section.

    Click AND Condition to add more than one condition to the same rule, and configure the required parameters according to the required specification. To remove the added conditions, click the Minimize icon.

    • Then do the following - If the condition is met, then the following configured rewrite actions should be done. For more information on rewrite action, see Types of content transform section. Select the required action and select or type the corresponding value fields such as header value, header name.

      • Forward Client IP with header name X-Forwarded-For - Forwards the HTTP header X-Forwarded-For in an HTTP request with the client’s IP address as its value.

      • Forward Port with header name X-Forwarded-Port - Forwards the HTTP header X-Forwarded-Port in an HTTP request with the client’s port as its value.

      • Forward Protocol with header name X-Forwarded-Proto - Forwards the HTTP header X-Forwarded-Protocol in an HTTP request with the client’s protocol as its value.

      • Insert Custom HTTP Header in Request - A rewrite action to insert a user defined custom HTTP header in a request.

        • Valid Fields: Custom Header Name, Header Value
      • Insert Custom HTTP Header in Response - A rewrite action to insert a user defined custom HTTP Header in a response.

        • Valid Fields: Custom Header Name, Header Value
      • Replace an HTTP Header in Request - A rewrite action to replace an HTTP header in a request.

        • Valid fields: Header Name, Header Value
      • Replace an HTTP Header in Response - A rewrite action to replace an HTTP header in a response.

        • Valid fields: Header Name, Header Value
      • Remove an HTTP Header in Request - A rewrite action to remove an HTTP header in a request.

        • Valid fields: Header Name
      • Remove an HTTP Header in Response - A rewrite action to remove an HTTP header in a response.

        • Valid fields: Header Name
      • Custom Header Name - A string, customized name for the HTTP request or response header.

      • Header Value - Custom header string for HTTP request or response header. For example, for a header name “Strict-Transport-Security”, the value is “max-age=31536000”.

      • Header Name - A string, name for the HTTP request or response header.

      • Replace request URL - A rewrite action to replace the request URL with the specified URL. The CADS service enables you to convert the URL available in the client request to another URL that the back end server can understand. You can achieve the following benefits by using this rewrite feature:
        • Enhances the security by hiding the actual URL to the resource, which is requested by the client.
        • Prevents unauthorized users from gaining access to the network resources.

        • Valid fields: Enter URL you like to replace
      • Enter URL you like to replace - The URL that has to be replaced with the request URL. For example, you can change the URLs in the client request temporarily when the website is under maintenance. If the request URL is http://www.example.com in the web browser, you can configure the CADS service to replace the URL in the client request by giving the replacing URL input as http://www.example.com/resource/inventory/s?t=112.

When you select the required condition, the corresponding applicable actions are highlighted in the Rewrite Actions drop-down list, and the not applicable actions are grayed out.

  4. In the Add Rewrite Rule page, after entering the required parameters, click Add.

    The rewrite rule is listed in the Create Content Transform page and displays the following information:

    • Content Transform Name - The content transform name is a unique name for the content transform. Must begin with a letter, number, or the underscore character (_). Must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

  5. Click Create.

    The rewrite rule is listed in the Deliver an Application page. You have completed the steps to create a content transform using the rewrite.

Add a responder rule

The responder helps in content filtering functions. CADS service examines the request from the client, takes action according to the applicable responder rule, sends the response to the client, and closes the connection with the client.

Follow these steps to create a content transform using the responder:

  1. In the Create Content Transform page, select the Responder tab.
  2. Click Add Responder Rule.
  3. In the Add Responder Rule page, enter the following parameters:

    • Rule Name* – Type a unique name for the responder rule. The name must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

    • If the following condition is met – Evaluates the traffic based on condition, settings, or string match operation. This tab corresponds to the responder rule. Only if the conditions are met, the responder actions are performed. For more information, see Types of content transform section.

    Select the required condition and select or type the corresponding values and operators from the drop-down list. For more information on conditions, operators, and values, see Conditions section.

    Click AND Condition to add more than one condition to the same rule, and configure the required parameters according to the required specification. To remove the added conditions, click the Minimize icon.

    Note:

    HTTP Response Header is not applicable to the responder rule.

    • Then do the following - If the condition is met, then the following configured responder actions are done. For more information on responder action, see Types of content transform section. Select the required action and select or type the corresponding value fields such as header value, header name.

      • Redirect to URL - Modify a URL to redirect traffic from URL A to URL B.

        • Valid fields - URL value.

        The URL value can be an absolute value or a relative value. For example, https://www.example.com, modifies the server to which the request is redirected. /index.html, redirects the request to the resource index.html on the existing server that is configured.

      • Drop the request - Drop a connection based on the HTTP request-based parameter.

      • Reset the request - Reset a connection based on the HTTP request or response parameter.

      • Respond with Error - Sends the chosen error response.
        • Valid Fields: Choose the Error. You can choose DEFAULT or CUSTOM.
        • If you choose DEFAULT error, valid fields: Custom Error Message.
        • If you choose CUSTOM error, valid fields: Error Code, Custom Error Message.
      • Choose an Error - Select the error codes provided in the drop-down list to respond with that error code. You can select from the list of DEFAULT errors or select CUSTOM to provide a custom error.

        • Error Code - Provide an appropriate error code for your custom error.

        • Custom Error Message - Send the custom error message by providing an appropriate error message.

      • Respond with an HTML page - Choose an HTML file to respond with a custom message. You can upload the required HTML page. Use this type of action to send the desired HTML page as the response.

        • HTML File - You can upload an HTML page with a custom message during responder run time. Click Upload File to choose the required HTML file.

When you select the required condition, the corresponding applicable actions are highlighted in the Responder Actions drop-down list and the not applicable actions are grayed out.

  4. In the Add Responder Rule page, after entering the required parameters, click Add.

    The responder rule is listed in the Create Content Transform page and displays the following information:

    • Content Transform Name - The content transform name is a unique name for the content transform. Must begin with a letter, number, or the underscore character (_). Must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

  5. In the Create Content Transform page, click Create.

    The responder rule is listed in the Deliver an Application page. You have completed the steps to create a content transform using the responder.

Bind a service

CADS service enables you to bind the required services to the content transform.

  • In the Deliver an Application page, select the preferred services in the SERVICES drop-down list by selecting the check box.

You can view the selected services in the drop-down list under the Services tab.

Click Next to configure the Security Protection feature. Otherwise, click Deploy.

Edit a content transform

You can edit the characteristics of an HTTP request or response of a content transform such as host name, URL. You can modify the conditions, actions, and corresponding fields.

The Deliver an Application page lists the created content transform with the following details:

  • NAME - Unique name of the content transform.
  • RULES - The rule enables the CADS service to evaluate a piece of traffic or data. For example, a rule can enable the CADS service to determine whether an HTTP request originated from a particular IP address.
  • SERVICES - Denotes the services that are associated with the configured content transform.
  • ACTIONS - Denotes the edit and delete action that is configured for that specific content transform.

Follow these steps to edit a content transform:

  1. In the Deliver an Application page, click Select.

    The Select Content Transform page lists the following details:

    • NAME - Unique name of the content transform.
    • RULES - The rule enables the CADS service to evaluate a piece of traffic or data. For example, a rule can enable the CADS service to determine whether an HTTP request originated from a particular IP address.
    • ACTIONS - Denotes the Edit and Delete actions.

  2. Click the Edit icon in the Actions column.
  3. In the Update Content Transform - <rule name> page, click the Edit icon. You can enable or disable the rewrite rule (in the Rewrite tab) or the responder rule (in the Responder tab) by toggling the STATUS field.
  4. Click Update to save the updates.

Edit a rewrite rule

  1. In the Update Content Transform - <rule name> page, Rewrite tab, select the required rewrite rule. Click the Edit icon to edit the rewrite condition and rewrite action.
  2. In the Add Rewrite Rule page, modify the required condition, rewrite action, and corresponding fields.
  3. Click Update to save the updates.
  4. Click Update in the Update Content Transform - <rule name> page.

Edit a responder rule

  1. In the Update Content Transform - <rule name> page, Responder tab, select the required responder rule. Click the Edit icon to edit the responder condition and responder action.
  2. In the Add Responder Rule page, modify the required condition, responder action, and corresponding fields.
  3. Click Update to save the updates.
  4. Click Update in the Update Content Transform - <rule name> page.

Delete a content transform

Follow these steps to delete a content transform:

  1. Select the required content transform in the Deliver an Application page, and then click the Delete icon in the Actions column.
  2. Click Remove.

    The selected content transform is removed from the application.

Unbind a service

In the Select Content Transform page, click the Delete icon under the ACTIONS column to delete the content transform.

Delete a rewrite rule

  1. In the Update Content Transform - <rule name> page, select the required rewrite rule in the Rewrite tab and click the Delete icon in the Actions column.
  2. Click Yes, Delete. Verify that the rewrite rule is removed from the list.

Delete a responder rule

  1. In the Update Content Transform - <rule name> page, select the required responder rule in the Responder tab and click the Delete icon in the Actions column.
  2. Click Yes, Delete. Verify that the responder rule is removed from the list.
