268 Citrix NetScaler Policy Configuration and Reference Guide

NetScaler solution for blocking a path and a User-Agent header

add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'

add responder policy pol1 'HTTP.REQ.HEADER("User-Agent").STARTSWITH("NameOfBadRobot") && (CLIENT.IP.SRC.EQ(123.45.67.8) || CLIENT.IP.SRC.EQ(123.45.67.9)) && HTTP.REQ.URL.STARTSWITH("/~quux/foo/arc")' act1

bind responder global pol1 100

Blocking Access to Inline Images

If you find people frequently going to your server to copy inline graphics for their own use (and generating unnecessary traffic), you may want to block image requests whose HTTP Referer header points to a page outside your site. Requests that arrive with no Referer header are still served.

In the following example, the graphics are located in http://www.quux-corp.de/~quux/.

Apache mod_rewrite solution for blocking access to an inline image

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$

RewriteRule .*\.gif$ - [F]

NetScaler solution for blocking access to an inline image

add patset pat1

bind patset pat1 .gif

bind patset pat1 .jpeg

add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'

add responder policy pol1 '!HTTP.REQ.HEADER("Referer").EQ("") && !HTTP.REQ.HEADER("Referer").STARTSWITH("http://www.quux-corp.de/~quux/") && HTTP.REQ.URL.ENDSWITH_ANY("pat1")' act1

bind responder global pol1 100
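
A small model of the Referer policy above, for checking the expected decision on sample requests before the policy is bound. This is an added example, not part of the Citrix guide; the helper names, the sample requests, and the treatment of a missing Referer header as an empty string are assumptions.

```python
# Added example: a model of the policy logic, not Citrix or NetScaler code.
from typing import List, Optional, Tuple

ALLOWED_REFERER_PREFIX = "http://www.quux-corp.de/~quux/"  # from the page
PAT1 = (".gif", ".jpeg")  # members of pattern set pat1 on the page


def policy_hits(url: str, referer: Optional[str]) -> bool:
    """Return True when pol1 would answer 403 for this request.

    Assumption: a request with no Referer header is evaluated as if the
    header were the empty string.
    """
    ref = referer or ""
    referer_present = ref != ""  # !HTTP.REQ.HEADER("Referer").EQ("")
    referer_foreign = not ref.startswith(ALLOWED_REFERER_PREFIX)
    is_image = url.endswith(PAT1)  # HTTP.REQ.URL.ENDSWITH_ANY("pat1")
    return referer_present and referer_foreign and is_image


# Constructed sample requests: (URL, Referer or None, expected 403?)
CASES: List[Tuple[str, Optional[str], bool]] = [
    ("/~quux/logo.gif", None, False),
    ("/~quux/logo.gif", "http://www.quux-corp.de/~quux/index.html", False),
    ("/~quux/logo.gif", "http://other.example/page.html", True),
    ("/~quux/photo.jpeg", "http://other.example/page.html", True),
    ("/~quux/index.html", "http://other.example/page.html", False),
    # Own site reached over HTTPS: the http:// prefix does not match.
    ("/~quux/logo.gif", "https://www.quux-corp.de/~quux/index.html", True),
]


def mismatches() -> List[Tuple[str, Optional[str]]]:
    """Return the sample requests whose decision differs from the expectation."""
    return [(u, r) for u, r, want in CASES if policy_hits(u, r) != want]


if __name__ == "__main__":
    for url, referer, _ in CASES:
        verdict = "403" if policy_hits(url, referer) else "pass"
        print(f"{verdict:4}  {url:20}  Referer={referer!r}")
    print("unexpected decisions:", mismatches())
```

The last case shows that pages on the same site served over https:// are treated as foreign, so the allowed prefix has to match the scheme the site actually uses.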

Creating Extensionless Links

To prevent users from knowing application or script details on the server side, you can hide file extensions from users. To do this, you may want to support extensionless links. You can achieve this behavior by using rewrite rules to add an extension to all requests, or to selectively add extensions to requests.

Citrix Systems 9.2 manual Blocking Access to Inline Images, Creating Extensionless Links