Overview
This document covers Responder Policies on the Citrix ADC. Responder Policies are used when we want the Citrix ADC to tell the client to do something other than just forwarding traffic to the service. A great example of this is redirecting a client to use HTTPS instead of HTTP when accessing a website/Virtual Server. We can also use responder policies to redirect a client to a different URL.
Responder Policies depend on Responder Actions and define the criteria under which the Citrix ADC responds with the associated action.
Requirements
- You will need to have an active Virtual Server to bind the responder policy to. This is true even if this is just redirecting to a website hosted externally. To set up a virtual server, refer to this document.
- If you are redirecting a URL to a different website, you probably will need to have an HTTPS virtual server since new browsers default to that protocol over HTTP. That said, you will need a certificate to bind to the Virtual Server to handle the redirect request.
Procedure
Creating the standard HTTP to HTTPS redirect
- Navigate to AppExpert->Responder->Actions and click Add
- Name the action appropriately and set the Type to Redirect. For the Expression, paste
- "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE
Click on Create. As you can imagine, this takes various parts of the URL (Hostname, Path, and Query) that the client presents to the ADC, and the ADC responds with that URL with https:// prepended.
- Now navigate to AppExpert->Responder->Policies and click Add
- This Policy simply acts on any valid HTTP request that it receives.
- Now that the Responder Policy has been created, we will bind it to an HTTP service. Navigate to Traffic Management->Load Balancing->Virtual Servers and let's modify the existing HTTP Virtual Server we had created during the Basic Proxy Setup
- Under the Advanced Settings window on the right, click on Policies
- The Policies window is added to the bottom of the Virtual Server summary page. Click on the + sign to add a Policy
- When prompted for the Policy Type, click on the drop down and select Responder and click continue
- Under the Policy Binding section in the Choose Type window, Add the Http_to_Https_redirect policy we just created and click on Bind
- Yes, you can bind multiple Policies to a Virtual Server and define the priority of which policy is evaluated first. In this case, we are just adding the one. Now that the Responder policy has been added, click on Done
- At this point, if you try browsing to this IP address using HTTP, it will redirect you to the HTTPS Virtual Server you had created in the SSL document. Unfortunately, if you just type in http://<IP Address>, the redirect will result in an error since the Certificate is bound to a domain name.
In this walkthrough, we bound this policy to a Virtual Server that is bound to a service with an actual server backend. In most deployments today, the HTTP Virtual Server is almost always performing an HTTP->HTTPS redirect to an HTTPS Virtual Server. In this example, if the sdc-t2019-dcc server were to go offline, not only would the HTTPS Virtual Server go down, but the HTTP redirect Virtual Server would as well. In most cases, we would actually create a server record with a non-existing address on our network with a monitor that just pings the loopback so that the server is up at all times regardless. We pick a non-existing IP address since we don't want to burn an actual usable IP, because the client will never talk to an actual server on HTTP.
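A quick way to confirm the redirect behaves as described, as an added example that is not part of the original walkthrough: the check below parses a raw HTTP response and verifies that the Location header is https://, keeps the requested hostname, path and query, and flags the IP-address case noted above. The sample responses, the host www.example.test and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real ADC).
GOOD = "HTTP/1.1 302 Found\r\nLocation: https://www.example.test/app/login?next=%2Fhome\r\n\r\n"
BY_IP = "HTTP/1.1 302 Found\r\nLocation: https://192.0.2.10/\r\n\r\n"
DROPPED = "HTTP/1.1 302 Found\r\nLocation: https://www.example.test/\r\n\r\n"
NOT_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(req_host, req_target, raw_response):
    """Return a list of problems; an empty list means the redirect is as expected."""
    status, headers = parse_response(raw_response)
    if status not in (301, 302, 303, 307, 308):
        return [f"expected a redirect, got status {status}"]
    problems = []
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, not https")
    if (loc.hostname or "").lower() != req_host.lower():
        problems.append(f"host changed: {req_host!r} -> {loc.hostname!r}")
    target = loc.path + ("?" + loc.query if loc.query else "")
    if target != req_target:
        problems.append(f"path and query changed: {req_target!r} -> {target!r}")
    try:
        ipaddress.ip_address(req_host)
        problems.append("requested by IP address: a certificate bound to a domain name will not match")
    except ValueError:
        pass  # a DNS name, which is what the certificate is issued for
    return problems


if __name__ == "__main__":
    for host, target, raw in [("www.example.test", "/app/login?next=%2Fhome", GOOD),
                              ("192.0.2.10", "/", BY_IP),
                              ("www.example.test", "/app/login?next=%2Fhome", DROPPED)]:
        print(host, target, check_https_redirect(host, target, raw) or "OK")
```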
Redirecting to a different URL
We went through taking a client's URL request via HTTP and returning the URL with HTTPS instead so that the client will access the site using HTTPS. Now we will walk through a redirect that simply tells the client to go to a different URL altogether, which translates into a different action.
- Navigate back to AppExpert->Responder->Actions and click on Add
- Just like before, give the Action a descriptive name and select Type as Redirect. Now put in the URL you want to redirect the client to. In this case, we are picking the new NIC Athletics site hosted by Presto: https://northidaho.prestosports.com/landing/index
- Click Create. Now that we have defined the Action, let's define a Policy to determine when to respond with this action. Navigate back to AppExpert->Responder->Policies and click on Add
- After Naming the policy, select the Action we just created and add the following Expression
HTTP.REQ.HOSTNAME.CONTAINS("nicathletics")&&HTTP.REQ.URL.PATH_AND_QUERY.EQ("/")
- Basically, this expression just states that if the hostname in the URL contains "nicathletics" regardless of the path and/or query, execute the Action associated with it. Click on Create
- Now that the Responder Policy has been created, you can bind this to a Virtual Server and if there is any request that hits the Virtual Server that matches the Expression, the ADC will send this URL back to the client as the redirect.
One thing to note about a URL redirect, which I touched on earlier: most browsers today default to HTTPS as the protocol (like Edge). This means that we would want an HTTPS Virtual Server defined to bind this responder policy to. What is important is that this Virtual Server must be able to process the initial HTTPS request. If the client sends a request to https://nicathletics.com, the ADC must process that HTTPS GET bound with the appropriate certificate. Today's browsers will balk if the incorrect certificate is bound to the Virtual Server.