Академический Документы
Профессиональный Документы
Культура Документы
Contents
Responder ......................................................................................................
16
19
23
26
30
32
Troubleshooting ..................................................................................
37
38
39
Responder
Todays complex Web configurations often require different responses to HTTP requests
that appear, on the surface, to be similar. When users request a Web sites home page, you
may want to provide a different home page depending on where each user is located, which
browser the user is using, or which language(s) the browser accepts and the order of
preference. You might want to break the connection immediately if the request is coming
from an IP range that has been generating DDoS attacks or initiating hacking attempts.
With the Responder feature, responses can be based on who sends the request, where it is
sent from, and other criteria with security and system management implications. The
feature is simple and quick to use. By avoiding the invocation of more complex features, it
reduces CPU cycles and time spent in handling requests that do not require complex
processing.
For handling sensitive data such as financial information, if you want to ensure that the
client uses a secure connection to browse a site, you can redirect the request to secure
connection by using https:// instead of http://.
To use the Responder feature, do the following;
Configure responder actions. The action can be to generate a custom response, redirect
a request to a different Web page, or reset a connection.
Configure responder policies. The policy determines the requests (traffic) on which an
action has to be taken.
Bind each policy to a bind point put it into effect. A bind point refers to an entity at
which NetScaler examines the traffic to see if it matches a policy. For example, a bind
point can be a load balancing virtual server.
You can specify a default action for requests that do not match any policy, and you can
bypass the safety check for actions that would otherwise generate error messages.
The Rewrite feature of NetScaler helps in rewriting some information in the requests or
responses handled by NetScaler. The following section shows some differences between the
two features.
Responder
In case of a responder policy, the NetScaler examines the request from the client, takes
action according to the applicable policies, sends the response to the client, and closes the
connection with the client.
In case of a rewrite policy, the NetScaler examines the request from the client or response
from the server, takes action according to the applicable policies, and forwards the traffic
to the client or the server.
In general, it is recommended to use responder if you want the NetScaler to reset or drop a
connection based on a client or request-based parameter. Use responder to redirect traffic,
or respond with custom messages. Use rewrite for manipulating data on HTTP requests and
responses.
enable ns feature<feature>
show ns feature
Example
1)
2)
.
.
.
22) Responder
23) HTML Injection
24) NetScaler Push
Done
>
Acronym
------WL
SP
Status
-----ON
ON
RESPONDER
ON
HTMLInjection
ON
push
OFF
show ns feature
No parameters provided in this topic or the command has no parameters. View
description(s) in command reference Top
Example
add responder action act404Error respondWith '"HTTP/1.1 404 Not Found\r\n\r\n"+ "HTTP.REQ.URL.HTTP_URL
Done
> show responder action
1)
Name: act404Error
Operation: respondwith
Target: "HTTP/1.1 404 Not Found
add responder action act404Error respondWith '"HTTP/1.1 404 Not Found\r\n\r\n"+ "HTTP.REQ.URL.HTTP_URL
Done
> show responder action
1)
Name: act404Error
Operation: respondwith
Target: "HTTP/1.1 404 Not Found
Example
set responder action act404Error -target '"HTTP/1.1 404 Not Found\r\n\r\n"+ "HTTP.REQ.URL.HTTP_URL_SAF
Done
> show responder action
1)
Name: act404Error
Operation: respondwith
Target: "HTTP/1.1 404 Not Found
Example
To modify an existing action, select the action, and then click Open.
3. Click Create or OK, depending on whether you are creating a new action or modifying
an existing action.
4. Click Close. A message appears in the status bar, stating that the feature has been
enabled.
5. To delete a responder action, select the action, and then click Remove. A message
appears in the status bar, stating that the feature has been disabled.
10
11
save ns config
For <responder action name>, substitute the name of the responder action.
12
13
rm responder action
name
Name of the responder action to remove.
View description(s) in command reference Top
set ns httpProfile
reqTimeoutAction
Action to take when the HTTP request does not complete within the specified request
timeout duration. You can configure the following actions:
* RESET - Send RST (reset) to client when timeout occurs.
* DROP - Drop silently when timeout occurs.
* Custom responder action - Name of the responder action to trigger when timeout
occurs, used to send custom message.
14
save ns config
No parameters provided in this topic or the command has no parameters. View
description(s) in command reference Top
15
Example
16
Example
To modify an existing policy, select the policy, and then click Open.
3. Click Create or OK, depending on whether you are creating a new policy or modifying
an existing policy.
4. Click Close. A message appears in the status bar, stating that the feature has been
configured.
17
rm responder policy
No parameters provided in this topic or the command has no parameters. View
description(s) in command reference Top
18
Example
19
20
21
bind lb vserver
policyname
Name of the policy to bind to the virtual server.
View description(s) in command reference Top
22
23
Example
24
25
26
27
Example
> add responder action act_redirect redirect '" http ://www.example.com/404.html "'
> add responder policy pol_redirect "CLIENT.IP.SRC.IN_SUBNET(222.222.0.0/16)" act_redirect
28
29
Example
To create a Responder action and policy to respond to Diameter requests that originate
from "host1.example.net" with a redirect to "host.example.com", you could add the
following action and policy, and bind the policy as shown.
bind lb vserver
policyName
Name of the policy to bind to the virtual server.
View description(s) in command reference Top
31
32
33
RADIUS.REQ.AVP(8).VALUE(0).typecast_ip_address_at
AVP Type Expressions
The NetScaler ADC supports expressions to extract RADIUS AVP values by using the assigned
integer codes described in RFC2865 and RFC2866. You can also use text aliases to
accomplish the same task. Some examples follow.
RADIUS.REQ.AVP (1).VALUE or RADIUS.REQ.USERNAME.value
Extracts the RADIUS user-name value.
RADIUS.REQ.AVP (4). VALUE or RADIUS.REQ. ACCT_SESSION_ID.value
Extracts the Acct-Session-ID AVP (code 44) from the message.
RADIUS.REQ.AVP (26). VALUE or RADIUS.REQ.VENDOR_SPECIFIC.VALUE
Extracts the vendor-specific value.
The values of most commonly-used RADIUS AVPs can be extracted in the same manner.
RADIUS Bind Points
Four global bind points are available for policies that contain RADIUS expressions.
RADIUS_REQ_OVERRIDE
Priority/override request policy queue.
RADIUS_REQ_DEFAULT
Standard request policy queue.
RADIUS_RES_OVERRIDE
Priority/override response policy queue.
RADIUS_RES_DEFAULT
Standard response policy queue.
RADIUS Responder-Specific Expressions
34
Use Cases
Following are use cases for RADIUS with responder.
The priority
END as the nextExpr value, to ensure that policy evaluation stops when this policy is
matched
Example
add responder action rspActRadiusReject respondwith radius.new_accessreject
add responder policy rspPolRadiusReject client.ip.src.in_subnet(10.224.85.0/24) rspActRadiusReject
bind responder global rspPolRadiusReject 1 END -type RADIUS_REQ_OVERRIDE
35
36
Troubleshooting
If the responder feature does not work as expected after you have configured it, you can
use some common tools to access NetScaler resources and diagnose the problem.
37
The relevant trace files from the client and the NetScaler appliance
38
Issue
The Responder feature is configured, but the responder action is not working.
Resolution
Check the hit counters of any of the policies to see if the counters are getting
incremented.
Record the packet traces on the client and the NetScaler appliance, and analyze
the them to get some pointer to the issue.
Record the iehttpHeaters packet traces on the client and verify the HTTP requests
and responses to get some pointer to the issue.
Issue
39