Citrix Systems 9.2 specs

194 Citrix NetScaler Policy Configuration and Reference Guide

sys.http_callout(authCallout).contains("someText")

If the return type is NUM, the following expression is valid:

sys.http_callout(authCallout).gt(500)

The following example shows the use of SYS.HTTP_CALLOUT to retrieve a source IP address and insert it in a header of an HTTP request. (Bold is used for emphasis.)

set policy httpCallout extractSrcIPCallout -ipAddress 10.101.

10.10-port 80 -returnType text -hostExpr "\"10.101.10.10\"" -urlStemExpr "\"/mysite/index.html\"" -resultExpr 'server.ip. src'

add rewrite action insertSrcIPAction insert_http_header Name

"sys.http_callout(extractSrcIPCallout)" -bypassSafetyCheck yes

add rewrite policy insertSrcIPPolicy "http.req. header(\"MyHeader\").exists" insertSrcIPAction

bind rewrite global insertHostHeaderPolicy 100 END -type req_default

The following example shows the use of SYS.HTTP_CALLOUT to retrieve notification regarding whether a client IP address is blocked from a server and configure a “You are banned” message in the Responder. (Bold is used for emphasis.)

add policy httpCallout blockedCalloutPolicy

set policy httpCallout blockedCalloutPolicy -returnType text -ipAddress 10.100.10.10 -port 80 -fullReqExpr '"Get /cgi-bin/is_ip_blocked?ip="+ client.ip.src + "http/1.1\r\n" + "Host: my_server\r\n\r\n"' -resultExpr 'http.res. header("Result")'

add responder action blockedResponderAction respondwith

'"HTTP/1.1 200OK\r\n Content=Length: 17 \r\n\r\nYour IP is banned"'

add responder policy blockedResponderPolicy "http.req.url. eq("/") && sys.http.callout(blockedCalloutPolicy). eq("Blocked") blockedResponderAction

bind responder global blockedResponderPolicy 100 END -type res_override

Notes on Invoking a Callout

When invoking an HTTP callout in a policy or an action, be sure that the callout invocation does not trigger additional callouts. For example, a policy should not invoke an HTTP callout named MyCalloutPL if the policy expression contains the URL /mycallout.pl. The following is an example:

Image 208

Citrix Systems 9.2 manual If the return type is NUM, the following expression is valid

Contents

Citrix NetScaler Policy Configuration and Reference Guide Citrix NetScaler Copyright and Trademark Notice Contents Chapter Contents Converting Text to Hexadecimal Format Citrix NetScaler Policy Configuration and Reference Guide Contents Vii Accommodating Browser Dependent Content Blocking Access by RobotsBlocking Access to Inline Images Reducing Web Server Redirects Preface About This Guide Citrix NetScaler Policy Configuration and Reference Guide Audience New in This ReleasePreface Formatting Conventions Formatting ConventionsConvention Meaning Boldface Related Documentation Getting Service and SupportTo view the documentation Documentation Feedback To provide feedback from the Knowledge Center home Introduction to Policies Expressions Advanced and Classic Policies Benefits of Using Advanced Policies Basic Components of an Advanced or a Classic Policy How Different NetScaler Features Use Policies NetScaler Feature, Policy Type, and Policy UsageChapter Introduction to Policies and Expressions DNS Authorization policies authorize users AuthorizationAssociated cache server AAA Traffic Classic Access Classic Authorization policies, however, can beAbout Actions and Profiles Functions Use of Actions and Profiles in Different NetScaler Features Feature Use of an Action Use of a ProfilePre-Authentication. Uses Authorization. Uses Allow About Policy Bindings Server About Evaluation Order of Policies Order of Evaluation Based on Traffic Flow Advanced and Classic ExpressionsAbout Advanced Expressions About Classic Expressions Before You Proceed Chapter Citrix NetScaler Policy Configuration and Reference Guide Configuring Advanced Policies Advanced-Policy Parameters Creating or Modifying an Advanced PolicyArgument Specifies Policy Configuration Examples Following is an example of a Rewrite policy and action Feature-Specific Bindings for Advanced Policies Feature-Specific Differences in Policy BindingsBinding Advanced Policies Policies Global default Responder function Policy label NetScalers integratedProvide rules for modifying Address of the incoming Bind Points and Order of Evaluation Chapter Configuring Advanced Policies Advanced Policy Evaluation Across FeaturesEntries in a Policy Bank Format of Each Entry in a Policy Bank Evaluation Order Within a Policy BankOptional How Policy Evaluation Ends Binding a Policy Globally How Features Use Actions After Policy EvaluationExample Details pane, click Feature Name policy manager Binding a Policy to a Virtual Server Unbinding an Advanced Policy Displaying Policy Bindings Unbind responder global policyName Creating Policy Labels Creating a Policy Label To create a policy label by using the configuration utility Configuring a Policy Label or Virtual Server Policy Bank Binding a Policy to a Policy LabelEntries in a Policy Bank Attribute Description Configuring a Policy Label Example Choices are Integrated Caching, Rewrite, or Responder Configuring a Policy Bank for a Virtual Server Configure Virtual Server dialog box click the Policies tab Chapter Configuring Advanced Policies At the NetScaler command prompt, for the Responder, type Configuring and Binding Policies with the Policy Manager Click Regenerate Priorities To remove unused policies by using the Policy Manager Citrix NetScaler Policy Configuration and Reference Guide Configuring Advanced Expressions Getting Started Expression Characteristics Basic Elements of an Advanced Expression Prefixes Http.res.header.myheader Feature Types of Expression Prefix Used in the Feature Features Content SwitchingSingle-Element Expressions Operations Basic Operations for Expressions Basic Operations on Expression PrefixesOperation Determines whether or not Compound Advanced Expressions Configuring Advanced Expressions Getting StartedBasic Types of Operations Booleans in Compound Expressions Parentheses in Compound ExpressionsCompound Operations for Strings String-Based Operations for Compound Advanced Expressions Logical operations on strings Compound Operations for Numbers Arithmetic Operations for Compound Advanced Expressions Num % num Expression on the rightReturns 12 binary Result of applying the ~ operator is -11 a binary 1110011 Binary 1100 and numeric.expression2 returns 10 binary Whole expression evaluates to 8 binaryRight-side number argument number of bits Following example assumes that numeric.expression1 returns Number .ADD Integer Value Following is an exampleNumber .SUB Integer Number value Following is an example Number .LE Integer Integer argument Following is an exampleNumber .LT Binary value of 10 is 1010, and the result of applying Result of applying the Bitneg operator is -11 a binary 1110011, 32 bits total with all ones to the leftExpression as an argument rather than an integer Assumes that numeric.expression returns 12 binary Bitxor operator to the entire expression is 6 binary Caret performs a similar function to BITXOR, but takesAnother expression as an argument rather than an integer Number.LSHIFT Number.RSHIFT Double .ADDiValue represented by double Parameters Double .GEi Value represented by double is greater than or equal toDouble .GTi Value represented by double is greater than the argument Configuring Advanced Expressions in a Policy Classic Expressions in Advanced Expressions Following is an example of configuring a caching policy HTTP.REQ.BODY1000.BETWEENthis,that Configuring Named Advanced Expressions Click Advanced Expressions Chapter Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Evaluating Text About Text Expressions About Operations on Text Categories of Text Expressions Compounding and Precedence in Text ExpressionsChapter Advanced Expressions Evaluating Text Guidelines for Text Expressions Expression Prefixes for Text Expression Prefixes for Text in Http Requests and ResponsesHttp Expression Prefixes that Return Text Prefix Description Returns the domain name part of the host name. For Myhost.com8080, the domain is myhost.comReturns incorrect results if the host name has an IP Address. For information on expressions for IP URL LISTT,. IGNOREEMPTYELEMENTS.COUNT LISTT,.COUNT HTTP.REQ.USER.EXTERNALGROUPS HTTP.REQ.USER.GROUPS Returns a list of internal groups to which the user For example, the following expression returns aUser belongs HTTP.REQ.USER.INTERNALGROUPS Group Default value of 80 or 443 for Https connections Returns the Http version listed in the requestReturns a portion of the Http response body. Integer argument Expression Prefixes for VPNs and Clientless VPN and Clientless VPN Expression Prefixes that Return Text VPN and Clientless VPN Description Expression By default, is not considered an empty element When evaluating this headerEvaluates the server portion of the host name Extracts a slash- / separated list from the path Extracts a name-value list, using the = Evaluates the protocol in the URLDelimiters from the query string in a URL This method ignores the empty elements in a Hostname Ignores empty elements in a list. For example, if List delimiter is a comma , the following listHas an empty element following a=10 Evaluating this header Ignores empty elements in a name-value list. For Example, the following list contains an emptyElement after a=10 As another example, consider the following http Results in Boolean True if the host name Is case insensitiveFollowing expression returns True Evaluates the server part of the host name This method ignores the empty elements in a list For example, if the delimiter in a list is ,Entry a=10 Consider the following header Example, the following list uses a semicolon Preceding example, the element following=11 is not considered an empty element Evaluating the same header Operations on Text Basic Operations on TextBasic Operations on Text Returns a Boolean True value if the target contains Operations for Calculating the Length of a String Operations for Controlling Case SensitivityOperations on Case Sensitivity of Text Basic Text Operation Description Complex Operations on Text Operations on the Length of a StringOperations on Strings Based on a Character Count Case Operation Description Operations on a Portion of a String Basic Operations on a Portion of a StringCharacter Count Operation Description Object of 0 length Returns a Boolean True value if the length of the text Object is greater than or equal to the sum starting stringMatches starting string, and if the suffix of the target Matches ending string Converting Text to a Hash Value Operation Description Operator Description Base64 encoding algorithmApplying the Base64 decoding algorithm. The operation Raises an Undef if text is not in B64-encoded format Converting Text to Hexadecimal Format Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Working with Dates, Times, and Numbers Format of Dates and Times in an Expression Dates and Times in a Rewrite Action Expressions for the NetScaler System Time Expressions that Return NetScaler System Dates and Times NetScaler Time Description Operation Advanced Expressions Working with Dates, Times, and Numbers Scheduled reboot, and returns an integer Is equal to the time argumentSys.time.leGMT 2006 True in this example False depending on the current timezone Expressions for SSL Certificate Dates Time2 SSL Certificate Operation Description True For example, if the current time is GMT 2005 May 10h 15m 30s, and it is the first Sunday of the monthYou can specify the following evaluation results for This example are in parentheses Closest boot time is in the past, the integer is Extracts the last hour that the certificate is validReturns a Boolean True if the time precedes or is Equal to the time argument System time and the specified time and returns an If it is in the future, the integer is positiveExtracts the last weekday that the certificate is valid To give the weekday in the time value Returns a Boolean True if the time value is between Time1, time2 arguments. Both the time1, time2Arguments must be fully specified LOCAL, and time2 must be bigger than time1 Returns a Boolean True if the time is greater than After or equal to the time argumentResults are in parentheses Returns a Boolean True if the time occurs after Extracts the last minute that the certificate is valid Returns the current month as an integer fromReturns the number of seconds between the current NetScaler system time and the specified time as an Extracts the last second that the certificate is valid Returns the current second as an integer from 0 to6 Saturday Element of time from time2, it is assumed to have Expressions for Http Request and Response Dates Prefixes That Evaluate Http Date Headers 111 Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Parsing HTTP, TCP, and UDP Data About Evaluating Http and TCP Payload About Evaluating the Payload Body Expressions for Http Headers 115 Prefixes That Extract Http Headers Prefixes for Http HeadersHttp Header Prefix Description Advanced Expressions Parsing HTTP, TCP, and UDP Data Returns the value of Path field of the cookie As a slash- / separated list. MultipleFirst instance is returned For example, the following is a cookie with Returns the value of Port field of the cookie Operate as a comma-separated listFrom Set-Cookie Customer = ABC PATH=/a/b/c PORT= 80 Returns the value of the Domain field First cookie with the specified name. ForExample, the following expression returns a DOMAIN=.xyz.com Named cookie as a , separated list. For From the cookie Set-Cookie Customer Operations for Http Headers Operations That Evaluate Http HeadersReturns the value of Version field of the nth Header type exists Any instance of the header value Following is an example of request with two headersFollowing returns a Boolean True Does not concatenate the different values STR string Instance to the firstFollowing is an example of a request Following extracts the string def from the last Or a response. This operation returns the header that Occurs instance number of places before the finalUsed in bidirectional policies Instance number argument cannot exceed Prefixes for Cache-Control Headers Operations for Cache-Control HeadersPrefixes That Extract Cache-Control Headers Cannot exceed 127 Operations That Evaluate Cache-Control HeadersHttp Header Operation Description Has the value Min-Fresh Has the value Max-StaleHas the value Must-Revalidate Has the value No-Transform Expressions for Extracting Segments of URLs Expressions for Numeric Http Payload Data Other Than Dates Prefixes That Extract URLsPrefixes That Evaluate Http Request or Response Length URL Prefix Description Returns the response status code Operations That Evaluate Html and XML EncodingHtml or XML Operation Description Where xx is a hex-based representation Specifies how to treat the plus character +.Converts unsafe URL characters to %xx values Read-only operation With the character Y where XXX represents Where the colon is the Ascii equivalentDecoded to http//, where the colon is Where WW and XX represent two distinct Prefixes that Extract TCP and UDP Data Expressions for TCP, UDP, and Vlan DataGET Operation Description Enables locating the domain name that is MX mail exchanger. This DNS record describesDomain and the priority for each server NS. This is a name server record that includes a XPath and Json Expressions XPath and Json Expression Prefixes that Return Text Or a string. Node-sets are converted to XPath string conversion routineFile Book creator person Namename , titletitle Json file and returns a Boolean True if For example, consider the following Json That are enclosed by /Book a node-setFirst 1000 bytes of the body of the Json File and returns the corresponding string Bytes of the body Text.XPATHWITHMARKUPxp%/Book/creator% Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Parsing SSL Certificates About SSL and Certificate Expressions Prefixes for Text-Based SSL and Certificate Data Returns the SSL client certificate in the currentSSL transaction SSL cryptographic cipher is exportable Expressions for SSL Certificates Prefixes for Numeric Data in SSL CertificatesAdvanced Expressions Parsing SSL Certificates Issuer in the certificate as a name-value list. An Based on the preceding Issuer definitionReturns a Boolean True if the client has an SSL Returns the Distinguished Name DN Returns the Issuer Distinguished Name An Authority Key Identifier extensionCertificate as a name-value list. An equals sign = is the delimiter for the name and the value False CLIENT.SSL.CLIENTCERT.ISSUER IGNOREEMPTYELEMENTS.COUNT Citrix NetScaler Policy Configuration and Reference Guide Expressions for IP Addresses and IP Subnets Prefixes for IPV4 Addresses and IP Subnets Operations for IPV4 AddressesPrefixes That Evaluate IP and MAC Addresses Operations on IPV4 Addresses About IPv6 Expressions Qual1.qual2.qual3.qual4.qual5.qual6 Expression Prefixes for IPv6 Addresses IPv6 Expression Prefixes that Return TextIP header Returns the IPv6 address in the source field of the IP Operations That Evaluate IPv6 Addresses Operations for IPV6 PrefixesIPv6 Operation Description Expressions for MAC Addresses Prefixes for MAC AddressesOperations for MAC Addresses Prefixes That Evaluate MAC Addresses Prefixes That Evaluate Numeric Client and Server Data Expressions for Numeric Client and Server Data155 Citrix NetScaler Policy Configuration and Reference Guide Matching Text With Strings in a Set Operators That Use a Pattern Set Matching Operators DescriptionPatternsetname To patternsetname Name Setname Configuring a Pattern Set 161 At a NetScaler command prompt, type 163 Add policy patset myPatSet Matching Text With a Pattern Operations for Regular Expressions Basic Characteristics of Regular Expressions165 Selects text that precedes the string that matches Regular expression argument. If the regularFrom text/plain Expression does not match any text in the target Regular Expression Operation Description Settextmodeignorecase Insensitive, multi-line match, where the dot Text following the string that matchesHeader value. The header instances are matched From the last to the first First Transforming Text and Numbers into Different Data TypesFollowing example selects NS-CACHE-9.0 Typecasting Operations If the current text mode is Ignorecase and you specify Are ignoredAs the delimiter, an uppercase P is not treated as a Delimiter Hostname path? query, and the text mode is set to Urlencoded by defaultTreats a numeric string like an IP address For example, the following policy matches Http requests Following policy extracts a numeric portion of a query String, adds 4 to the number, and inserts an Http headerFor example, this policy would extract 4444 from Following Http response header HTTP.REQ.COOKIE.TYPECASTHTTPHEADER HTTP.REQ.SETCOOKIEHTTP.REQ.COOKIE.TYPECASTHTTPHEADERT Converts the designated text to a multi-line Http header That you specify in a name argumentFor example, the following expression converts MyHeader to InHeader Betweengmt 2004, GMT 2006 True Time value argument t Eqgmt 2005 TrueEqgmt 2005 Dec False EQLocal 2005 May True or FALSE, depending on Gtgmt 2004 True Gtgmt 2005 Jan TrueGTLocal 2005 May True or FALSE, depending on Gtgmt 8h True Legmt 2006 True Legmt 2005 Dec TrueLELocal 2005 May True or FALSE, depending on Legmt 8h False Most recent reboot or the number of seconds to the next Time is in the future scheduled reboot time, the integer isValue as an integer that ranges from 0 to Value as an integer that ranges from 1 January to Time1 and time2 Transforms the double-precision number represented by Extracts the year from the current system time and returnsDouble to an integer About Policies that Monitor the Traffic Rate Advanced Policies Controlling Rate of TrafficExpressions for Controlling the Traffic Rate Configuring Policies That Control the Traffic Rate Chapter About Calling Out to an External Application About Http Callout Policies Following is an example of a response 187 Elements in an Http Callout Policy Configuring an Http Callout PolicyParameter Specifies Attribute-based Http Method httpMethod Server mutuallyExpression that derives the value. Examples URL stem expression urlStemExpr Example, if you configure a return type of text, the result Expression to 8191 charactersNetScaler does not check the validity of this request. You Must manually validate the request 191 To modify a callout policy using the NetScaler command line Examples To delete a callout policy using the NetScaler command line To view a callout policy using the NetScaler command lineInvoking an Http Callout Policy 193 If the return type is NUM, the following expression is valid 195 Citrix NetScaler Policy Configuration and Reference Guide Configuring Classic Policies Expressions Where Classic Policies Are Used Http Configuring Classic Policies and Expressions Auditing of user access Viewing Classic Policies Click Policies Configuring a Classic Policy 201 At the command line, type To create a classic policy using the NetScaler command line Configuring a Classic Expression 203 REQ.IP.SOURCEIP == 200.0.0.0 -netmask 205 Flow Type.protocol.qualifier.operator.value.header Name Binding a Classic Policy 207 Configure Virtual Server dialog box, click the Policies tab Creating Named Classic Expressions 209 Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Expressions ReferenceExpression Prefix Descriptions Citrix NetScaler Policy Configuration and Reference Guide Appendix a Expressions Reference Operates on the Vlan through which the current Expression Prefixes for Text in Http Ignores spaces in the data. See the table Http Appendix a Expressions Reference 217 Obtains the Expires field of the cookie as a date Appendix a Expressions Reference 219 SERVER.INTERFACE.ID.EQLA/1 Appendix a Expressions Reference 221 VPNs, on Ignores spaces in the data. For an example, see Appendix a Expressions Reference 223 Operators Classic ExpressionsExpression Element Definition General Expressions Appendix a Expressions Reference 225 REQ.SSL.CLIENT.CERT.ISSUER REQ.HTTP.URLQUERYLENREQ.SSL REQ.SSL.CLIENT.CERT Appendix a Expressions Reference 227 Expression Element Client Security ExpressionsActual Expression Definition Appendix a Expressions Reference 229 Network-Based ExpressionsExpression Definition Date/Time Expressions File System ExpressionsTime Date Appendix a Expressions Reference 231 Built-In Named Expressions General Appendix a Expressions Reference 233 Always returns a value of False Nsmsexcel Nsmsie Nsmsppt Nsmsword NsfarclientNstrue Nsurlpathbin Built-InNamed Expressions Personal Firewall Built-InNamed Expressions Anti-VirusAppendix a Expressions Reference 235 Expression Definition Norton Internet Security Built-InNamed Expressions Client SecurityAny version of Norton Internet Security Examples of Advanced Expressions Summary Examples of Advanced Expressions and PoliciesExpression Type Sample Expressions Content-Type header Look for a particular file type in anHttp request based on the file Extension Examples of Advanced Expressions and Policies Purpose Example To https// in all URLs This policy usesResponder functionality Modify a URL to redirect Check the client IP Limit the numberThrough unchanged Request and insert an Remove old headers fromNS-Client header Request, insert an NS-Client header,Then modify the insert Header action so that Citrix NetScaler Policy Configuration and Reference Guide Tutorial Examples of Advanced Policies for Rewrite Redirecting an External URL to an Internal URL Bind the policy globally Redirecting a Query Redirecting Http to HttpsAppendix C 247 Removing Unwanted Headers Masking the Server Header Reducing Web Server Redirects249 Add rewrite policy polmask-server true actmask-server Tutorial Examples of Classic Policies Citrix NetScaler Policy Configuration and Reference Guide Appendix D Tutorial Examples of Classic Policies 253 REQ.HTTP.HEADER URL Contains string Application Firewall Policy to Protect Scripted Web Pages Appendix D Tutorial Examples of Classic Policies 255 DNS Policy to Drop Packets from Specific IPs SSL Policy to Require Valid Client Certificates Add dns policy polddosdrop Citrix NetScaler Policy Configuration and Reference Guide Migration of Apache modrewrite Rules to Advanced Policies Apache modrewrite solution for converting a URL NetScaler solution for converting a URLConverting URL Variations into Canonical URLs Converting Host Name Variations to Canonical Host Names Apache modrewrite solution for moving the document root NetScaler solution for moving the document rootMoving a Document Root Appendix E Moving Home Directories to a New Web Server Working with Structured Home Directories Apache modrewrite solution for structured home directories NetScaler solution for structured home directoriesNetScaler solution for redirection if a URL is wrong method Redirecting Invalid URLs to Other Web Servers NetScaler solution for rewriting a URL based on the time Rewriting a URL Based on Time Redirecting to New File Name User-Visible URL Redirecting to a New File Name Invisible to the User265 Accommodating Browser Dependent Content Apache modrewrite solution for browser-specific settings Blocking Access by Robots 267 NetScaler solution for blocking access to an inline image Blocking Access to Inline ImagesCreating Extensionless Links 269 NetScaler policy for adding a .php extension to all requests Apache modrewrite solution Redirecting a Working URI to a New Format NetScaler solution NetScaler solution using regular expressionsNetScaler solution using pattern sets Ensuring That a Secure Server Is Used for Selected Pages Bind patset pat1 page4 Bind patset pat1 page5 New Advanced Expression Operators in This Release Operators for Extracting and Evaluating Numeric DataNew Operators for Extracting and Evaluating Numeric Data Number.TYPECASTIPADDRESSAT New Operators for Evaluating Text Operators for Extracting and Evaluating TextOperators Operation Operators for Extracting and Evaluating Http Data Operators for the Client and ipv6 Expression PrefixesNew Operators for Extracting and Evaluating Http data Operators for Client and ipv6 Expression Prefixes XPath and Json Operators for Evaluating XML and Json Data Operators for Evaluating Groups to Which a User BelongsXPath and Json Operators for Evaluating XML and Json Text Operators for Evaluating Groups to Which a User Belongs Index Introduction to 224 migration to advanced Index 279 RES.VLANID CLIENT.ETHER.DSTMAC Index HTTP.RES.SETCOOKIE2.COOKIEname, i Omain 82 VPN.CLIENTLESSHOSTURL.HOSTNAME.E Authkeyid Citrix NetScaler Policy Configuration and Reference Guide Index Useinvocationresult VPN 65 Character 57 ? character Citrix NetScaler Policy Configuration and Reference Guide