Content Filtering

Apr 08, 2018

Warning

Content Filtering is deprecated from NetScaler 12.0 onwards. As an alternative, Citrix recommends that you use Responder filter actions (for ERRORCODE, RESET, or DROP on the request side), Rewrite filter actions (for ADD or CORRUPT, DROP, or RESET on the response side), and Content Switching actions (for FORWARD).

Content filtering can do some of the same tasks as the Citrix NetScaler Application Firewall, and is a less CPU-intensive tool. It is limited, however, to examining the header portion of the HTTP request or response and to performing a few simple actions on connections that match. If you have a complex Web site that makes extensive use of scripts and accesses back-end databases, the Application Firewall may be the better tool for protecting that Web site. For more information about the Citrix NetScaler Application Firewall, see Application Firewall.

Content filtering is based on regular expressions that you can apply to either HTTP requests or HTTP responses. To block requests from a particular site, for example, you could use an expression that compares each request's URL to the URL specified in the expression. The expression is part of a policy, which also specifies an action to be performed on requests or responses that match the expression. For example, an action might drop a request or reset the connection.

Following are some examples of things you can do with content filtering policies:
  • Prevent users from accessing certain parts of your Web sites unless they are connecting from authorized locations.
  • Prevent inappropriate HTTP headers, which could breach security, from being sent to your Web server.
  • Redirect specified requests to a different server or service.

To configure content filtering, first make sure that the feature is enabled. Next, configure filtering actions for your servers to perform on selected connections, unless the predefined actions are adequate for your purposes. Then configure policies that apply the actions to selected connections. Your policies can use predefined expressions, or you can create your own. To activate the policies you configured, bind them either globally or to specific virtual servers.
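
The procedure above as NetScaler CLI commands, followed by the Responder equivalent that the deprecation warning recommends. This is an added example, not taken from the Citrix documentation: the policy names, the /admin path, and the 10.0.0.0/8 "authorized location" are assumptions chosen for illustration.

```netscaler
# --- Content Filtering (classic policy, deprecated from 12.0) ---
# 1. Enable the feature.
enable ns feature CF

# 2. No custom action is needed here: the predefined RESET action is used.

# 3. Policy: reset requests whose URL contains /admin unless the client
#    is in the authorized subnet (hypothetical: 10.0.0.0/8).
add filter policy cf_pol_admin -rule "REQ.HTTP.URL CONTAINS /admin && REQ.IP.SOURCEIP != 10.0.0.0 -netmask 255.0.0.0" -reqAction RESET

# 4. Activate the policy by binding it globally.
bind filter global cf_pol_admin -priority 100

# --- Responder equivalent (recommended replacement) ---
enable ns feature RESPONDER

# Same intent with a default-syntax expression. STARTSWITH anchors the
# match to the beginning of the path, which is stricter than the
# substring match performed by CONTAINS in the classic rule.
add responder policy rs_pol_admin "HTTP.REQ.URL.PATH.STARTSWITH(\"/admin\") && !CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)" RESET

bind responder global rs_pol_admin 100 END -type REQ_DEFAULT

# Check hit counters to confirm the policy matches only what is intended.
show responder policy rs_pol_admin
```

When migrating, unbind the filter policy once the Responder policy is verified, so that the same request is not evaluated by both features.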