Rewrite HTTP headers for rewrite content transform

The content transform feature of the Citrix App Delivery and Security service – Citrix Managed edition enables you to rewrite information in requests from the client or responses from the server. Rewriting provides access to the requested content without exposing unnecessary details about the website’s actual configuration. The following are a few scenarios in which rewriting is useful:

  • Improve Security. You can rewrite all the http:// to https:// in the response body.

  • Retain visitor on the website. You can display a custom 404 error page instead of the default 404 error page. You can display the website home page or a site map instead of the default 404 error page. This helps retain visitors on the website even when the 404 error exists.

  • Redirect visitors. You can use rewrite to redirect the website instance to a different location while using the old URL.

  • Publish SEO and user-friendly URLs. When a page on a site has a complicated or a lengthy URL, you can rewrite it to a simple, easy-to-remember URL, also referred to as the ‘cool URL’.

  • Set default URLs. You can append the default page name to the URL of a website. For example, if the default page of a company’s website is http://www.example.com/index.php, and the user enters example.com in the browser address bar, you can rewrite the URL to always point to example.com/index.php.

When you enable the rewrite feature, the CADS service can modify the headers and body of the HTTP requests and responses.

In the HTTP traffic, you can take the following actions:

  • Modify the URL of a request

  • Add, modify, or delete headers

  • Add, replace, or delete any specific string within the body or headers.

Here is a use case that explains configuring the content transform in the CADS service by defining the rewrite rule and action to remove the HTTP header and client IP from the request to keep the customer data confidential.

Problem Statement

A mid-sized manufacturing company uses its website to handle a large portion of its sales, deliveries, and customer support. The company has two domains: example.com, for its website and email to customers, and example.net, for its intranet. Customers use the website to place orders, request quotes, research products, and obtain customer service. The company must be able to take specific actions on HTTP requests based on criteria such as user location, headers, and IP address, and while doing so the website must suffer no performance degradation and must keep customer data confidential.

How does CADS service content transform feature solve the problem?

With the CADS service content transform feature, you can deliver an application and configure content transform to perform specific tasks. The service balances the website load and manages traffic to and from the company’s web servers. Content transform enables you to respond to HTTP requests according to your requirements. It examines the request from the client or the response from the server and forwards the request according to the applicable rule. It also evaluates the data and applies one or more actions based on the configured rule.

Example

The following examples are drawn from the server room of Example Inc., a mid-sized manufacturing company that uses its website to handle a substantial portion of its sales, deliveries, and customer support. The company therefore has several web servers.

The company’s system administrators use the rewrite feature to carry out the following tasks.

Scenario 1: Remove an HTTP Header in request

Example Inc. wants to remove any pre-existing x-forwarded-for and client-IP HTTP headers from incoming requests, so that the only x-forwarded-for headers present are the ones added by the local server. This configuration can be done using the content transform feature.

The example below explains how to set up configuration in the CADS service. The procedures are shortened assuming that you are familiar with the basics of creating rewrite rules.

For more detailed information about creating rewrite rules, see Add content transform.

In the Create Rewrite Rule dialog box, create two rules, one for x-forwarded-for and another for client-IP.

  • Create the rewrite rule for x-forwarded-for:

    Rule Name: act_del_xfor

    Check if the following condition exists:

      HTTP HEADER: HTTP Request Header
      Operator: Exists
      Value: x-forwarded-for

    Create a rewrite action with the following description:

      Type: Remove an HTTP Header in Request
      Value: x-forwarded-for

  • Create the rewrite rule for client-IP:

    Rule Name: act_del_client

    Check if the following condition exists:

      HTTP HEADER: HTTP Request Header
      Operator: Exists
      Value: client-IP

    Create a rewrite action with the following description:

      Type: Remove an HTTP Header in Request
      Value: client-IP

All old x-forwarded-for and client-IP HTTP headers are now deleted from incoming requests.

Assumptions

The following are the assumptions made in this example:

  • You have created an environment and a cloud access profile.
  • You have specified the basic details, such as the name of the application, environment, services, and endpoints by navigating to Applications > New Application.

Follow these steps to configure the content transform:

  • Step 1: Navigate to Application > Content Transform.

  • Step 2: Create or select a rule. Here you can create a new rewrite or responder rule, or add an existing one.

  • Step 3: Configure the content transform for your requirements. Here you add the conditions and actions you need, and then bind the content transform to the services.

  • Step 4: Deploy the application.

Remove an HTTP header in the request using the GUI

  • Step 1: Navigate to Applications > Content Transform

    1. In the Deliver an Application page, click Create

    2. In the Create Content Transform page, click Create Content Transform

    3. In the Create Content Transform page, type a name in Content Transform Name.

Create a content transform

  • Step 2: Configure the content transform rewrite rules and actions. Create two rewrite rules, one for x-forwarded-for and another for client-IP.

    In the Add Rewrite Rule page, enter the following parameters, then click Add. Rule name: Example

    1. If the following condition is met:

      Select HTTP Request Header in the drop-down list

      Select Exists operator

      Select Value and type x-forwarded-for

    2. Then do the following:

      Select Remove the HTTP Header in Request

      In the Header Name field, type x-forwarded-for

      Rule name: Example1

    3. If the following condition is met:

      Select HTTP Request Header in the drop-down list

      Select Exists operator

      Select Value and type client-IP

    4. Then do the following:

      Select Remove the HTTP Header in Request

      In the Header Name type client-IP

    5. In the Create Content Transform page, click Create.

    6. In the Select Content Transform page, click Add, to add the content transform.

    7. In the Deliver an Application page, select the preferred service in the Services drop-down list by selecting its checkbox.

Bind a service

All old x-forwarded-for and client-IP HTTP headers are now deleted from incoming requests.

Remove an HTTP Header in Request using the API

Prerequisites

  • A managed application is created under an environment using an auto-generated FQDN.
  • For the purpose of this document, it is not relevant whether the application has been created through the UI or the API.
  • You have the environment details.

Set the following values in your API request:

Header:
Content-Type:application/json
INTERNAL_CLOUD_NITRO:true
isCloud:true
Accept:application/json
Cookie:SESSID=;


Overview

The following API configuration guidelines apply to configuring content transform in a primary data center managed by the CADS service. To create a content transform in this deployment mode, you need the environment id.

While the remainder of this document assumes that the managed application pre-exists, it provides instructions on retrieving the environment details using CADS service APIs.

Retrieve environment details:

Request URL:
GET https:///adcaas/nitro/v1/config/environments?owned_by=self

The response is an array with details of all the deployed environments.

Note: The following response payload is adjusted for readability and only includes a single environment when the managed application is deployed.

{
   "environments" : [
      {
         "cloud" : "aws",
         "id" : "f3826bb4fafe7a31367a335171dc45b4",
         "aws_params" : {
            <snip>
            "region" : "us-east-2",
            "availability_zones" : [
               "us-east-2a"
            ],
            "vpc_name" : "<snip>",
            "region_name" : "US East (Ohio)",
            <snip>
         },
         <snip>
      }
   ]
}

Here, the retrieved environment id is f3826bb4fafe7a31367a335171dc45b4. This environment id is used while binding the network function to the application service.

Add a content transform that checks the HTTP request for the client-IP and x-forwarded-for headers.

Add Filters:

Filters must be created before creating content transform network functions. These filters are used while creating content transform network functions.

Request URL:
POST  https:///adcaas/nitro/v1/config/filters

The filters are configured as follows:

  • Create two filters with names, check-client-ip and check-x-forwarded-for.

  • Each filter’s condition detects whether the request contains the client-ip or the x-forwarded-for header, respectively.

Header:
Content-Type:application/json
INTERNAL_CLOUD_NITRO:true
isCloud:true
Accept:application/json
Cookie:SESSID=;
ADS_SERVICE_TYPE= INTENT

Request payload to create the filters:

{
    "filters": [{
        "name": "check-client-ip",
        "expression": {
            "exists": {
                "req_header": {
                    "name": "client-ip"
                }
            }
        }
    }, {
        "name": "check-x-forwarded-for",
        "expression": {
            "exists": {
                "req_header": {
                    "name": "x-forwarded-for"
                }
            }
        }
    }]
}

Example response: If a unique ID is received in the response, the filters were created successfully.
{
    "filters": [
        {
            "expression": {
                "exists": {
                    "req_header": {
                        "name": "client-ip"
                    }
                }
            },
            "id": "ac1105409aea48f4f04d6fe8d1b2b9de",
            "name": "check-client-ip"
        },
        {
            "expression": {
                "exists": {
                    "req_header": {
                        "name": "x-forwarded-for"
                    }
                }
            },
            "id": "044885e7f8a1d0a762fe31e70ba55774",
            "name": "check-x-forwarded-for"
        }
    ]
}

Create the network function:

Filters must be created before creating a content transform network function.

Request URL:
POST  https:///adcaas/nitro/v1/config/network_functions

A content transform is configured as follows:

  • ContentTransformNF is the name of the content transform.

  • Content transform feature is enabled.

  • Rule names are set to remove-client-ip and remove-x-forwarded-for.

  • The rewrite action removes the header from the request when a header named client-ip or x-forwarded-for is detected.

Request payload to create a content transform network function that removes the identified HTTP request headers client-ip and x-forwarded-for:

{
    "network_functions": [{
        "name": "ContentTransformNF",
        "type": "content_transform",
        "content_transform_params": {
            "enable_content_transform": true,
            "rule_list": [{
                "rule_name": "remove-client-ip",
                "filter_name": "check-client-ip",
                "rewrite_action": "remove_header_in_request",
                "remove_header_in_request_params": {
                    "header_name": "client-ip"
                },
                "state": true
            }, {
                "rule_name": "remove-x-forwarded-for",
                "filter_name": "check-x-forwarded-for",
                "rewrite_action": "remove_header_in_request",
                "remove_header_in_request_params": {
                    "header_name": "x-forwarded-for"
                },
                "state": true
            }]
        }
    }]
}
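To see what these two rules do to a request once deployed, here is an added Python example (not Citrix code and not part of this page’s API) that evaluates the page’s filter expressions and rule_list structure over a constructed request, removes every occurrence of the matched headers regardless of letter case, and then appends the proxy’s own X-Forwarded-For. The sample request, the client address 198.51.100.23, and the evaluator itself are assumptions for illustration.

```python
# Constructed copies of the filter expressions and rule_list shown on this page.
FILTERS = {
    "check-client-ip": {"exists": {"req_header": {"name": "client-ip"}}},
    "check-x-forwarded-for": {"exists": {"req_header": {"name": "x-forwarded-for"}}},
}
RULE_LIST = [
    {"rule_name": "remove-client-ip", "filter_name": "check-client-ip",
     "rewrite_action": "remove_header_in_request",
     "remove_header_in_request_params": {"header_name": "client-ip"}, "state": True},
    {"rule_name": "remove-x-forwarded-for", "filter_name": "check-x-forwarded-for",
     "rewrite_action": "remove_header_in_request",
     "remove_header_in_request_params": {"header_name": "x-forwarded-for"}, "state": True},
]

def filter_matches(expr: dict, headers: list) -> bool:
    """Evaluate the 'exists -> req_header' filter expression used on this page."""
    name = expr["exists"]["req_header"]["name"].lower()
    return any(h.lower() == name for h, _ in headers)

def apply_content_transform(headers: list, rule_list: list, filters: dict) -> list:
    """Apply enabled remove_header_in_request rules. HTTP header names are case-insensitive,
    so every occurrence of a matching header is removed, not just the first one."""
    out = list(headers)
    for rule in rule_list:
        if not rule.get("state") or rule["rewrite_action"] != "remove_header_in_request":
            continue
        if not filter_matches(filters[rule["filter_name"]], out):
            continue
        target = rule["remove_header_in_request_params"]["header_name"].lower()
        out = [(h, v) for h, v in out if h.lower() != target]
    return out

def forward(headers: list, rule_list: list, filters: dict, client_addr: str) -> list:
    """Strip client-supplied forwarding headers, then add the proxy's own X-Forwarded-For,
    so the back end only ever sees the address the proxy itself observed."""
    return apply_content_transform(headers, rule_list, filters) + [("X-Forwarded-For", client_addr)]

# Constructed request (assumption): the client tried to supply its own forwarding headers.
SAMPLE_REQUEST = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "10.0.0.5"),
    ("x-forwarded-for", "10.0.0.6"),
    ("Client-IP", "10.0.0.7"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    for name, value in forward(SAMPLE_REQUEST, RULE_LIST, FILTERS, "198.51.100.23"):
        print(f"{name}: {value}")
```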

Example response: If a unique ID is received in the response, the network function of type content_transform was created successfully.

{
    "network_functions": [
        {
            "content_transform_params": {
                "enable_content_transform": true,
                "rule_list": [{
                    "rule_name": "remove-client-ip",
                    "filter_name": "check-client-ip",
                    "rewrite_action": "remove_header_in_request",
                    "remove_header_in_request_params": {
                        "header_name": "client-ip"
                    },
                    "state": true
                }, {
                    "rule_name": "remove-x-forwarded-for",
                    "filter_name": "check-x-forwarded-for",
                    "rewrite_action": "remove_header_in_request",
                    "remove_header_in_request_params": {
                        "header_name": "x-forwarded-for"
                    },
                    "state": true
                }]
            },
            "created_at": "2021-11-26T08:35:38Z",
            "id": "1df2628479d0c1b5b1d8040bdd04ccb4",
            "name": "ContentTransformNF",
            "type": "content_transform",
            "updated_at": "2021-11-26T08:35:38Z"
        }
    ]
}

Bind the network function to the application service:

The application services can be associated with the existing network functions just by specifying the name/id and type of the network function in the payload.

Request URL:
POST  https:///adcaas/nitro/v1/config/applications

Note: Specify the retrieved environment id in the application payload. The environment id retrieved is f3826bb4fafe7a31367a335171dc45b4.

Headers:
Content-Type:application/json
INTERNAL_CLOUD_NITRO:true
isCloud:true
Accept:application/json
Cookie:SESSID=;

The content transform network function created can be used in the application payload as follows:

{
    "applications": [{
        "edition": "premium",
        "name": "DemoApp",
        "type": "aws",
        "environment": {
            "id": "f3826bb4fafe7a31367a335171dc45b4"
        },
        "endpoints": [],
        "network_functions": [],
        "filters": [],
        "application_services": [
            {
                "name": "DemoAppSvc",
                "protocol": "HTTP",
                "port": 80,
                "app_server_type": "servers",
                "aws_autoscalegroup": "",
                "aws_instances": [],
                "servers": [
                    {
                        "type": "IPAddress",
                        "value": "2.2.2.2"
                    }
                ],
                "certificates": [],
                "network_functions": [
                    {
                        "name": "LB_default",
                        "type": "lb"
                    },
                    {
                        "name": "ContentTransformNF",
                        "type": "content_transform"
                    }
                ]
            }
        ],
        "application_endpoints": [
            {
                "endpoint_name": "DemoApp",
                "default_route": "DemoAppSvc",
                "routes": []
            }
        ]
    }]
}

Application response: If a unique ID is received in the response, the application was created successfully.

{
    "applications": [
        {
            "application_endpoints": [
                {
                    "default_route": "DemoAppSvc",
                    "endpoint_id": "d2982a29642ad23f14168446523e546b",
                    "endpoint_name": "DemoEndpoint",
                    "id": "bc7c9038e1fced6ae176a5525f5d3860",
                    "routes": []
                }
            ],
            "application_services": [
                {
                    "app_server_type": "servers",
                    "certificates": [],
                    "id": "c34fb994ae7f9a73fbe6956fca5f511d",
                    "name": "DemoAppSvc",
                    "network_functions": [
                        {
                            "name": "LB_default",
                            "type": "lb"
                        },
                        {
                            "name": "ContentTransformNF",
                            "type": "content_transform"
                        }
                    ],
                    "port": 80,
                    "protocol": "HTTP",
                    "servers": [
                        {
                            "type": "IPAddress",
                            "value": "2.2.2.2"
                        }
                    ],
                    "slow_server_settings": {
                        "action": "detect"
                    }
                }
            ],
            "created_at": "2021-11-26T08:47:59Z",
            "deployed_at": null,
            "edition": "premium",
            "environment": {
                "cloud": "aws",
                "id": "3b6ed423c509404915c57a06ee675e6b",
                "name": "DemoEnv"
            },
            "id": "2839de5e613060fb85b0ec0aa1eb378c",
            "job_id": null,
            "name": "DemoApp",
            "status": "INDRAFT",
            "type": "aws",
            "updated_at": "2021-11-26T08:47:59Z"
        }
    ]
}

Here, the retrieved application id is 2839de5e613060fb85b0ec0aa1eb378c. This application id is used while deploying the application.

Deploy the application:

Request URL

POST https:///adcaas/nitro/v1/config/applications//actions/deploy

Provide the application id retrieved from the application response. This API call creates a background job to deploy the application. Here, the retrieved application id is 2839de5e613060fb85b0ec0aa1eb378c.

After the application is deployed, whenever incoming traffic contains such confidential information, the CADS service applies the action defined in the rewrite rule and removes the specified HTTP header and the client IP.
