Citrix Systems 9.2 SSL Policy to Require Valid Client Certificates

Appendix D Tutorial Examples of Classic Policies 257

To drop packets from specific IPs by using the NetScaler command line

1. To create a DNS policy named pol_ddos_drop that detects connections

from hostile networks and drops those packets, type:

add dns policy pol_ddos_drop

'client.ip.src.in_subnet(192.168.253.128/25) ||

client.ip.src.in_subnet(192.168.254.32/27)' -drop YES'

For the example networks in the 192.168.0.0/16 range, you substitute

the IP and netmask in ###.###.###.###/## format of each network

you want to block. You can include as many networks as you want,

separating each CLIENT.IP.SRC.IN_SUBNET(###.###.###.###./

##) command with the OR operator.

2. Globally bind your new policy to put it into effect.

SSL Policy to Require Valid Client Certificates

The following example shows an SSL policy that checks the user's client

certificate validity before initiating an SSL connection with a client.

To block connections from users with expired client certificates

1. Log on to the NetScaler command line.

If you are using the GUI, navigate to the SSL Policies page, then in the

Data area, click the Actions tab.

2. Create an SSL action named act_current_client_cert that requires

that users have a current client certificate to establish an SSL connection

with the NetScaler.

add ssl action act_current_client_cert-clientAuth DOCLIENTAUTH

-clientCert ENABLED -certHeader "clientCertificateHeader"

-clientCertNotBefore ENABLED -certNotBeforeHeader "Mon, 01 Jan

2007 00:00:00 GMT"

3. Create an SSL policy named pol_current_client_cert that detects

connections to the Web server that contain a query string.

add ssl policy pol_current_ client_cert

'REQ.SSL.CLIENT.CERT.VALIDFROM >= "Mon, 01 Jan 2007 00:00:00

GMT"' act_block_ssl

4. Bind your new policy globally.

Since this SSL policy should apply to any user’s SSL connection unless a

more specific SSL policy applies, you may want to assign it a low priority.

If you assign it a priority of one thousand (1000), that should ensure that

other SSL policies are evaluated first, meaning that this policy will apply

only to connections that do not match more specific policy criteria.

Contents

Main Page Contents Preface Chapter 1 Introduction to Policies and Expressions Chapter 2 Configuring Advanced Policies Chapter 3 Configuring Advanced Expressions: Getting Started Chapter 4 Advanced Expressions: Evaluating Text Chapter 5 Advanced Expressions: Working with Dates, Times, and Numbers Chapter 6 Advanced Expressions: Parsing HTTP, TCP, and UDP Data Chapter 7 Advanced Expressions: Parsing SSL Certificates Chapter 8 Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs Chapter 9 Advanced Expressions: String Sets, String Patterns, and Data Formats Chapter 10 Advanced Policies: Controlling the Rate of Traffic Chapter 11 Advanced Policies: Sending HTTP Service Callouts to Applications Chapter 12 Configuring Classic Policies and Expressions Appendix A Expressions Reference Appendix D Tutorial Examples of Classic Policies Appendix E Migration of Apache mod_rewrite Rules to Advanced Policies Appendix F New Advanced Expression Operators in This Release P Preface About This Guide Page New in This Release Audience Formatting Conventions This documentation uses the following formatting conventions Formatting Conventions Related Documentation Getting Service and Support Documentation Feedback Introduction to Policies and Expressions Advanced and Classic Policies Benefits of Using Advanced Policies Basic Components of an Advanced or a Classic Policy How Different NetScaler Features Use Policies NetScaler Feature, Policy Type, and Policy Usage About Actions and Profiles About Actions About Profiles Use of Actions and Profiles in Particular Features About Policy Bindings Following is an overview of different types of bind points for a policy: Use of Actions and Profiles in Different NetScaler Features About Evaluation Order of Policies Order of Evaluation Based on Traffic Flow Advanced and Classic Expressions About Advanced Expressions About Classic Expressions About Migration from Classic to Advanced Policies and Expressions Before You Proceed Page Configuring Advanced Policies Creating or Modifying an Advanced Policy Policy Configuration Examples Binding Advanced Policies Feature-Specific Differences in Policy Bindings Feature-Specific Bindings for Advanced Policies Bind Points and Order of Evaluation Advanced Policy Evaluation Across Features Entries in a Policy Bank Evaluation Order Within a Policy Bank How Policy Evaluation Ends How Features Use Actions After Policy Evaluation Binding a Policy Globally Page Binding a Policy to a Virtual Server Displaying Policy Bindings Unbinding an Advanced Policy Page Creating Policy Labels Creating a Policy Label Page Binding a Policy to a Policy Label Configuring a Policy Label or Virtual Server Policy Bank Configuring a Policy Label Page Configuring a Policy Bank for a Virtual Server Invoking or Removing a Policy Label or Virtual Server Policy Bank Page Configuring and Binding Policies with the Policy Manager Page Page Page Configuring Advanced Expressions: Getting Started Expression Characteristics Basic Elements of an Advanced Expression Prefixes Page Single-Element Expressions Operations Basic Operations on Expression Prefixes Compound Advanced Expressions Booleans in Compound Expressions Parentheses in Compound Expressions Compound Operations for Strings String-Based Operations for Compound Advanced Expressions Compound Operations for Numbers Page Page Page Page Page Page Page Page Classic Expressions in Advanced Expressions Configuring Advanced Expressions in a Policy Page Page Configuring Named Advanced Expressions Configuring Advanced Expressions Outside the Context of a Policy Page Advanced Expressions: Evaluating Text About Text Expressions About Operations on Text Compounding and Precedence in Text Expressions Categories of Text Expressions Guidelines for Text Expressions Expression Prefixes for Text Expression Prefixes for Text in HTTP Requests and Responses Page Page Page Page Page Page Page Page Expression Prefixes for VPNs and Clientless VPNs The following table describes the expression prefixes for this type of data. Page Page Page Page Page Page Page Page Operations on Text Basic Operations on Text Operations for Calculating the Length of a String Operations for Controlling Case Sensitivity Complex Operations on Text Operations on the Length of a String Operations on a Portion of a String You can extract a subset of a larger string using one of the operations in the following table. Basic Operations on a Portion of a String Operations on Strings Based on a Character Count Operations for Comparing the Alphanumeric Order of Two Strings Basic Operations on a Portion of a String Extracting the nth Integer from a String of Bytes that Represent Text Converting Text to a Hash Value Encoding and Decoding Text by Applying the Base64 Encoding Algorithm Refining the Search in a Rewrite Action by Using the EXTEND Operator Converting Text to Hexadecimal Format Page Advanced Expressions: Working with Dates, Times, and Numbers Format of Dates and Times in an Expression Dates and Times in a Rewrite Action Expressions for the NetScaler System Time Page Page Page Expressions for SSL Certificate Dates The following table describes time-based operations on SSL certificates. Page Page Page Page Page Page Page Expressions for HTTP Request and Response Dates Expression Prefixes for Numeric Data Other Than Date and Time Page Advanced Expressions: Parsing HTTP , TCP, and UDP Data About Evaluating HTTP and TCP Payload About Evaluating the Payload Body Expressions for HTTP Headers Prefixes for HTTP Headers The following table describes expression prefixes that extract HTTP headers. Page Page Page Page Page Operations for HTTP Headers Page Page Page Prefixes for Cache-Control Headers The following prefixes apply specifically to Cache-Control headers. Operations for Cache-Control Headers Prefixes That Extract Cache-Control Headers Page Operations That Evaluate Cache-Control Headers Expressions for Extracting Segments of URLs The following table describes prefixes for HTTP URLs that are not described elsewhere. Expressions for Numeric HTTP Payload Data Other Than Dates Prefixes That Extract URLs Prefixes That Evaluate HTTP Request or Response Length Operations for HTTP, HTML, and XML Encoding and Safe Characters Prefixes That Evaluate HTTP Request or Response Length Page Page Expressions for TCP, UDP, and VLAN Data Prefixes that Extract TCP and UDP Data XPath and JSON Expressions Page Page Page Page Advanced Expressions: Parsing SSL Certificates About SSL and Certificate Expressions Prefixes for Text-Based SSL and Certificate Data Prefixes for Numeric Data in SSL Certificates Expressions for SSL Certificates Page Page Page Page Page Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs Expressions for IP Addresses and IP Subnets Prefixes for IPV4 Addresses and IP Subnets Operations for IPV4 Addresses About IPv6 Expressions Operations on IPV4 Addresses Expression Prefixes for IPv6 Addresses Operations for IPV6 Prefixes The following table describes operations on IPv6 IP addresses: Operations That Evaluate IPv6 Addresses IPv6 Expression Prefixes that Return Text Expressions for MAC Addresses Prefixes for MAC Addresses Operations for MAC Addresses Expressions for Numeric Client and Server Data Page Advanced Expressions: String Sets, String Patterns, and Data Formats Matching Text With Strings in a Set Note: The patterns in a pattern set can be regular expressions in PCRE format. Operators That Use a Pattern Set Operators That Compare Text and HTTP Headers With a Pattern Set Configuring a Pattern Set Page Page Page Matching Text With a Pattern Basic Characteristics of Regular Expressions Operations for Regular Expressions The following table describes operations that use regular expressions. Page Page Transforming Text and Numbers into Different Data Types The following table describes various typecasting operations. Page Page Page Page Page Page Page Page Page Page Page Page Advanced Policies: Controlling the Rate of Traffic About Policies that Monitor the Traffic Rate Expressions for Controlling the Traffic Rate Configuring Policies That Control the Traffic Rate Advanced Policies: Sending HTTP Service Callouts to Applications About Calling Out to an External Application About HTTP Callout Policies Note on the Format of an HTTP Request Note on the Format of an HTTP Response Configuring an HTTP Callout Policy Elements in an HTTP Callout Policy 1. In the left navigation pane, expand AppExpert, and then click HTTP Callouts. Elements in an HTTP Callout Policy Page For parameter descriptions, see the table, Elements in an HTTP Callout Policy, on page 188: Where: At a NetScaler command prompt, type: Invoking an HTTP Callout Policy If the return type is NUM, the following expression is valid: Notes on Invoking a Callout Page Page Configuring Classic Policies and Expressions Where Classic Policies Are Used Page Policy Type and Bind Points for Policies in Features That Use Classic Policies Viewing Classic Policies Configuring a Classic Policy Page Configuring a Classic Expression Page Page Page Binding a Classic Policy Page Creating Named Classic Expressions Page Expressions Reference Advanced Expressions Page Page Page Page Requests and Responses, on page 67 Page Page Page Page Page Page Page Classic Expressions Operators General Expressions Page Page Client Security Expressions Network-Based Expressions Date/Time Expressions File System Expressions Page Note: File system expressions do not support regular expressions. Built-In Named Expressions (General) Page Page Built-In Named Expressions (Anti-Virus) Built-In Named Expressions (Personal Firewall) Built-In Named Expressions (Client Security) A PPENDIX B Summary Examples of Advanced Expressions and Policies Page Page Page Page Page Page Page Tutorial Examples of Advanced Policies for Rewrite Redirecting an External URL to an Internal URL Page Redirecting a Query Redirecting HTTP to HTTPS Removing Unwanted Headers Reducing Web Server Redirects Masking the Server Header Page A D Tutorial Examples of Classic Policies Access Gateway Policy to Check for a Valid Client Certificate Application Firewall Policy to Protect a Shopping Cart Application Page Page Application Firewall Policy to Protect Scripted Web Pages DNS Policy to Drop Packets from Specific IPs SSL Policy to Require Valid Client Certificates Page A E Migration of Apache mod_rewrite Rules to Advanced Policies Converting URL Variations into Canonical URLs Converting Host Name Variations to Canonical Host Names Moving a Document Root Moving Home Directories to a New Web Server Working with Structured Home Directories Redirecting Invalid URLs to Other Web Servers 264 Citrix NetScaler Policy Configuration and Reference Guide NetScaler solution for redirection if a URL is wrong (method 2) Rewriting a URL Based on Time Apache mod_rewrite solution for rewriting a URL based on the time NetScaler solution for rewriting a URL based on the time Redirecting to a New File Name (Invisible to the User) Redirecting to New File Name (User-Visible URL) Accommodating Browser Dependent Content Blocking Access by Robots Blocking Access to Inline Images Creating Extensionless Links Page Redirecting a Working URI to a New Format Ensuring That a Secure Server Is Used for Selected Pages Apache mod_rewrite solution NetScaler solution using regular expressions NetScaler solution using pattern sets Page A F New Advanced Expression Operators in This Release Operators for Extracting and Evaluating Numeric Data Operators for Extracting and Evaluating Text The following operators have been introduced for extracting and evaluating text. New Operators for Extracting and Evaluating Numeric Data New Operators for Evaluating Text Operators for Extracting and Evaluating HTTP Data Operators for the CLIENT and ipv6 Expression Prefixes XPath and JSON Operators for Evaluating XML and JSON Data The following operators have been introduced for evaluating XML and JSON text. Operators for Evaluating Groups to Which a User Belongs XPath and JSON Operators for Evaluating XML and JSON Text Operators for Evaluating Groups to Which a User Belongs Index A B C Page D E Page F G H I L M N O P Page Q R S T U