Citrix Application Delivery Management service

Add policies to an API deployment

You can configure various security policies for your API traffic. This configuration requires you to specify the traffic selection criteria and the parameters required for a policy. Do the following steps to add a policy to an API definition:

  1. Navigate to Applications > API Gateway > Policy.

  2. Click Add.

  3. Specify the name for a policy group.

  4. Select a Deployment from the list.

  5. Select an Upstream Service from the list for which you want to configure policies.

  6. Click Add to select traffic selectors and a policy type.

    Traffic selector - The traffic selection criteria include API resource paths or path prefixes, HTTP methods, and the policy to apply.

    You can use any of the following options to specify traffic selection criteria:

    • API Resources – Select an API resource and its methods for which you want to apply a policy. You can search API resources and methods with a key word.

      [Screenshot: Traffic selector]

      In this example, the API resources with /user that have the POST method are listed.

    • Custom Rule – In this tab, you can specify custom path prefixes and multiple methods.

      The configured policy applies to an incoming API request that matches the custom rule for API traffic selection.

      [Screenshot: Custom policy rule]

      In this example, the No-Auth policy applies to the API resources that have the /pet prefix and the POST method.

    In Policy, select a policy from the list that you want to apply to the selected API resource and method. For more information about each policy, see Policy types.

  7. Optionally, reorder the policy types to set their priority. Policy types with higher priority apply first.

  8. Click Save to add a policy. If you want to apply the policy immediately, click Save & Apply.

Policy types

When you are configuring an API policy, you can select the following policies that you want to apply to the API resource and method:

Authentication and Authorization

API resources are hosted on an application or API server. When you want to enforce access restrictions on such API resources, you can use the authentication and authorization policies. These policies verify whether the incoming API request has the necessary permissions to access the resource.

Use the following policies to define authentication and authorization for the selected API resources:

‘No-Auth’

Use this policy to skip authentication on the selected traffic.

‘Auth-Basic’

This policy specifies that local authentication is used with the HTTP basic authentication scheme. To use local authentication, you must create user accounts on the Citrix ADC.

OAuth

OAuth requires an external identity provider to authenticate a client using OAuth 2.0 and issue an access token. When the client presents this token as an access credential to the API gateway, the token is validated against the configured values:

  • JWKS URI - The URL of an endpoint that publishes the JSON Web Keys (JWKs) used for JWT (JSON Web Token) signature verification.

  • Issuer - The identity (usually a URL) of the authentication server.

  • Audience - The identity of the service or application for which the token is applicable.

  • Claims to save - The access permissions are represented as a set of claims and expected values. Specify the claim values in the CSV format.

  • Introspect URI - An introspection endpoint URL of the authentication server. This URL is used to verify opaque access tokens. For more information about these tokens, see OAuth configuration for opaque access tokens.

    After you specify Introspect URI, specify the Client Id and Client Secret to access the authentication server.

  • Allowed algorithms - This option lets you restrict which signing algorithms are accepted in incoming tokens. By default, all supported algorithms are allowed; select only the algorithms required for the selected traffic.

    [Screenshot: JWT authentication]

On successful validation, API gateway grants access to the client.

Important

When you configure an OAuth or Auth-Basic policy for the selected API resources, configure the No-Auth policy for the remaining API resources. This configuration explicitly indicates that you want to skip authentication for the remaining resources.

Authorization

This policy verifies the required permissions to access an API resource. The access permissions are represented as a set of claims and expected values. To configure this policy, select Add a new Claim and specify the following:

  • Claim Name
  • Claim Values

[Screenshot: Authorization policy]

Important

API gateway requires both authentication and authorization policies for API traffic. Therefore, you must configure an authorization policy with an authentication policy. The authentication policy can be OAuth or Auth-Basic.

Even if you do not have any authorization checks, you must create an authorization policy with empty claims. Otherwise, the request is denied with a 403 error.
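The OAuth and Authorization policies above work as a chain: the token is rejected (401) if its algorithm is not allowed, its signature does not verify, or its issuer or audience do not match, and the request is denied (403) only after authentication succeeds if a required claim is missing. The following Python model, added here as an illustration and not Citrix ADM code, walks through that chain; it assumes a constructed policy (issuer, audience, claim names) and uses HS256 with a constructed shared secret in place of a JWKS URI so it runs offline.

```python
import base64, hashlib, hmac, json

# Hypothetical policy values, modelled on the fields the page lists. HS256 with a
# constructed shared secret stands in for a JWKS/RS256 setup so the example runs offline.
POLICY = {
    "issuer": "https://idp.example.com",
    "audience": "petstore-api",
    "allowed_algorithms": {"HS256"},
    "authorization_claims": {"scope": {"pet:write"}},  # claim name -> expected values
}
SECRET = b"constructed-demo-secret"

def b64url(data, decode=False):
    if decode:
        return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims, alg="HS256"):
    """Constructed helper: issue a token; alg='none' yields an unsigned token."""
    body = b64url(json.dumps({"alg": alg}).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return body + "." + b64url(sig)

def evaluate(token, policy=POLICY):
    """Status the gateway would return: 200 allow, 401 authentication failed, 403 authorization failed."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url(h, True)), json.loads(b64url(p, True))
    except (ValueError, json.JSONDecodeError):
        return 401
    # Allowed algorithms: anything not explicitly permitted (e.g. alg=none) is rejected first.
    if header.get("alg") not in policy["allowed_algorithms"]:
        return 401
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url(s, True)):
        return 401
    # Issuer and audience must match the policy values.
    if claims.get("iss") != policy["issuer"] or claims.get("aud") != policy["audience"]:
        return 401
    # Authorization policy: each required claim must carry one of the expected values;
    # an empty claims map still passes (the policy must exist, but checks nothing).
    for name, values in policy["authorization_claims"].items():
        have = claims.get(name, "")
        have = set(have.split()) if isinstance(have, str) else set(have)
        if not have & values:
            return 403
    return 200
```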

Rate limit policy

Specify the maximum load given to the selected API resource. With this policy, you can monitor the API traffic rate and take preventive actions. To configure this policy, specify the following:

  • HTTP Header Name - A traffic selector key that filters the traffic to identify the API requests. The rate limit policy is applied to, and monitors, only the API requests that carry this header.

  • Threshold - The maximum number of requests that can be allowed in the specified interval.

  • Time slice - The interval, specified in microseconds, during which requests are counted against the configured threshold. By default, it is set to 1000 microseconds (1 millisecond).

  • Limit type - The mode in which the rate limit is applied. You can select the Burst or Smooth limit type.

  • Action - Defines an action that you want to take on the traffic that breaches the threshold. You can specify one of the following actions:

    • DROP: Drops the requests above the configured traffic limits.
    • RESET: Resets the connection for the requests.
    • REDIRECT: Redirects the traffic to the configured redirect_url.
    • RESPOND: Responds with the standard response (429 Too Many Requests).

[Screenshot: Rate limit policy]
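To see how the threshold, time slice, limit type and action above interact, here is a small Python model of the rate limit policy, added as an illustration and not Citrix ADM code. It assumes that requests are keyed by the value of the selected HTTP header, and that Burst allows the whole threshold anywhere within a time slice while Smooth spaces requests evenly across it; the header name and client values are constructed.

```python
from collections import deque

class RateLimiter:
    """Model of the page's Rate limit policy: threshold requests per time slice (microseconds).
    Assumptions: counts are kept per value of the selector header; Burst permits the whole
    threshold at any point in a slice, Smooth enforces an even gap of time_slice/threshold.
    """

    def __init__(self, header_name, threshold, time_slice_us=1000, limit_type="Burst", action="RESPOND"):
        self.header_name = header_name.lower()
        self.threshold = threshold
        self.time_slice_us = time_slice_us
        self.limit_type = limit_type
        self.action = action
        self.seen = {}  # header value -> deque of timestamps (us) of allowed requests

    def check(self, headers, now_us):
        """Return (allowed, status). Requests without the selector header are not rate limited."""
        key = {k.lower(): v for k, v in headers.items()}.get(self.header_name)
        if key is None:
            return True, 200
        window = self.seen.setdefault(key, deque())
        if self.limit_type == "Smooth":
            # Smooth: the next request is allowed only after an even share of the slice has passed.
            min_gap = self.time_slice_us / self.threshold
            if window and now_us - window[-1] < min_gap:
                return self._breach()
        else:
            # Burst: drop timestamps older than one slice, then compare the count to the threshold.
            while window and now_us - window[0] >= self.time_slice_us:
                window.popleft()
            if len(window) >= self.threshold:
                return self._breach()
        window.append(now_us)
        return True, 200

    def _breach(self):
        # DROP and RESET send no HTTP response; REDIRECT and RESPOND do (constructed status codes).
        status = {"DROP": None, "RESET": None, "REDIRECT": 302, "RESPOND": 429}[self.action]
        return False, status
```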

WAF policy

This policy prevents security breaches, data loss, and possible unauthorized modifications to websites that access sensitive business or customer information.

Before you configure a WAF policy, create a WAF profile in Citrix ADM using the StyleBook.

In WAF Profile Name, select or specify the WAF profile that you have created.

[Screenshot: WAF policy]

BOT policy

This policy identifies bad bots and protects your appliance from advanced security attacks.

Before you configure a BOT policy, create a BOT profile in Citrix ADM using the StyleBook.

In Bot Profile Name, specify the BOT profile that you have created.

[Screenshot: BOT policy]

Header Rewrite

This policy helps you modify the header of API requests and responses. If you want to replace the value in the HTTP header, specify the following:

  • HTTP Header Name: The field name that you want to modify in the request header.

    Example: Host

  • Header value: Optional. The existing value string in the specified header that you want to replace.

    Example: sample.com

  • Header new value: The new value to replace the specified header value.

    If no Header value is specified, any value received in the named header is replaced with the new value.

    Example: example.com

[Screenshot: Header rewrite policy]

In this example, the header rewrite policy replaces sample.com with example.com in the Host field of an API request.
