Adding a new flightPATH rule
|
Field
|
Description
|
|
FlightPATH Name
|
This field is for the name of the flightPATH rule. The name you provide here appears in and is referenced within other parts of the ADC.
|
|
Applied to VS
|
This column is read-only and shows the VIP to which the flightPATH rule is applied.
|
|
Description
|
Value representing a description provided for readability purposes.
|
Steps to add a flightPATH rule
1. First, click the Add New button located in the Details section.
2. Enter a name for your rule. Example Auth2
3. Enter a description of your rule
4. Once the rule has been applied to a service, you will see the Applied To column auto-populate with an IP address and port value
5. Don't forget to hit the Update button to save your changes or if you make a mistake, just hit cancel revert to the previous state.
Condition
A flightPATH rule can have any number of conditions. The conditions work on an AND basis allow you to set the condition on which the action is triggered. If you want to use an OR condition, create additional flightPATH rules and apply it to the VIP in the correct order.
You can also use RegEx by selecting Match RegEx in the Check field and the RegEx value in the Value field. The inclusion of RegEx evaluation extends the capability of flightPATH tremendously.
Creating a new flightPATH condition
You first have to select a value from the Condition column.
We provide several Conditions within the dropdown and cover all foreseen scenarios. When new Conditions are added, these will be available through Jetpack updates.
Choices available are:
|
CONDITION
|
DESCRIPTION
|
EXAMPLE
|
|
<form>
|
HTML forms are used to pass data to a server
|
Example "form doesn't have length 0"
|
|
GEO Location
|
Compares the source IP address to the ISO 3166 Country Codes
|
GEO Location does equal GB, OR GEO Location does equal Germany
|
|
Host
|
Host extracted from the URL
|
www.mywebsite.com or 192.168.1.1
|
|
Language
|
Language extracted from the language HTTP header
|
This condition will produce a dropdown with a list of Languages
|
|
Method
|
Dropdown of HTTP methods
|
Dropdown that includes GET, POST, etc
|
|
Origin IP
|
If upstream proxy supports X-Forwarded-for (XFF) it will use the true Origin address
|
Client IP. It can also use multiple IPs or subnets.
10\.1\.2\.* is 10.1.2.0 /24 subnet
10\.1\.2\.3|10\.1\.2\.4 Use | for multiple IP’s
|
|
Path
|
Path of the website
|
/mywebsite/index.asp
|
|
POST
|
POST request method
|
Check data being uploaded to a website
|
|
Query
|
Name and value of a query, and can either accept the query name or a value also
|
"Best=jetNEXUS" Where the Match is Best and the Value is edgeNEXUS
|
|
Query String
|
The whole query string after the ? character
|
|
|
Request Cookie
|
Name of a cookie requested by a client
|
MS-WSMAN=afYfn1CDqqCDqUD::
|
|
Request Header
|
Any HTTP Header
|
Referrer, User-Agent, From, Date
|
|
Request Version
|
The HTTP version
|
HTTP/1.0 OR HTTP/1.1
|
|
Response Body
|
A user defined string in the response body
|
Server UP
|
|
Response Code
|
The HTTP code for the response
|
200 OK, 304 Not Modified
|
|
Response Cookie
|
The name of a cookie sent by the server
|
MS-WSMAN=afYfn1CDqqCDqUD::
|
|
Response Header
|
Any HTTP Header
|
Referrer, User-Agent, From, Date
|
|
Response Version
|
The HTTP version sent by the server
|
HTTP/1.0 OR HTTP/1.1
|
|
Source IP
|
Either the origin IP, proxy server IP, or some other aggregated IP address
|
Client IP, Proxy IP, Firewall IP. Can also use multiple IP and subnets. You must escape the dots as these are RegEX. Example 10\.1\.2\.3 is 10.1.2.3
|
Match
The Match field can be either a drop-down or a text value and is definable depending on the value in the Condition field. For example, if the Condition is set to Host, the Match field is not available. If the Condition is set to <form>, the Match field is shown as a text field, and if the Condition is POST, the Match field is presented as a drop-down containing pertinent values.
Choices available are:
|
MATCH
|
DESCRIPTION
|
EXAMPLE
|
|
Accept
|
Content-Types that are acceptable
|
Accept: text/plain
|
|
Accept-Encoding
|
Acceptable encodings
|
Accept-Encoding: <compress | gzip | deflate | sdch | identity>
|
|
Accept-Language
|
Acceptable languages for response
|
Accept-Language: en-US
|
|
Accept-Ranges
|
What partial content range types this server supports
|
Accept-Ranges: bytes
|
|
Authorization
|
Authentication credentials for HTTP authentication
|
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
|
|
Charge-To
|
Contains account information for the costs of the application of the method requested
|
|
|
Content-Encoding
|
The type of encoding used
|
Content-Encoding: gzip
|
|
Content-Length
|
The length of the response body in Octets (8-bit bytes)
|
Content-Length: 348
|
|
Content-Type
|
The mime type of the body of the request (used with POST and PUT requests)
|
Content-Type: application/x-www-form-urlencoded
|
|
Cookie
|
A HTTP cookie previously sent by the server with Set-Cookie (below)
|
Cookie: $Version=1; Skin=new;
|
|
Date
|
Date and time at message was originated
|
Date = “Date” “:” HTTP-date
|
|
ETag
|
An identifier for a specific version of a resource, often a message digest
|
ETag: “aed6bdb8e090cd1:0”
|
|
From
|
The email address of the user making the request
|
From: user@example.com
|
|
If-Modified-Since
|
Allows a 304 Not Modified to be returned if the content is unchanged
|
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
|
|
Last-Modified
|
The last modified date for the requested object, in RFC 2822 format
|
Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT
|
|
Pragma
|
Implementation: Specific headers that may have various effects anywhere along the request-response chain.
|
Pragma: no-cache
|
|
Referrer
|
Address of the previous web page from which a link to the currently requested page was followed
|
Referrer: HTTP://www.edgenexus.io
|
|
Server
|
A name for the server
|
Server: Apache/2.4.1 (Unix)
|
|
Set-Cookie
|
A HTTP cookie
|
Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1
|
|
User-Agent
|
The user agent string of the user agent
|
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
|
|
Vary
|
Tells downstream proxies how to match future request headers to decide
whether the cached response can be used rather than requesting a fresh
one from the origin server
|
Vary: User-Agent
|
|
X-Powered-By
|
Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application
|
X-Powered-By: PHP/5.4.0
|
Sense
The Sense field is a drop-down Boolean field and contains either Does or Doesn't choices.
Check
The Check field allows the setting of check values against the Condition.
Choices available are: Contain, End, Equal, Exist, Have Length, Match RegEx, Match List, Start, Exceed Length
|
CHECK
|
DESCRIPTION
|
EXAMPLE
|
|
Exist
|
This does not care for the detail of the condition just that it does/doesn't exist
|
Host > Does >Exist
|
|
Start
|
The string starts with the Value
|
Path >Does >Start >/secure
|
|
End
|
The string ends with the Value
|
Path >Does >End — .jpg
|
|
Contain
|
The string does contain the Value
|
Request Header >Accept >Does >Contain >image
|
|
Equal
|
The string does Equal the Value
|
Host >Does >Equal >www.edgenexus.io
|
|
Have Length
|
The string does have a length of the value
|
Host >Does >Have Length >16
www.edgenexus.io = TRUE
www.edgenexus.com = FALSE
|
|
Match RegEx
|
Enables you to enter a full Perl compatible regular expression
|
Origin IP >Does >Match Regex
|
|
Match List
|
Enables you to match the value against a list of values. This is useful when there are say, specific IP addresses that need matching against. Values are separated using commas (,) or pip (|).
|
Source IP > Does > Match List > 10.10.10.1, 10.10.10.2, 10.10.10.3 etc
|
|
Exceed Length
|
Allows you to check if the value exceeds the length specified.
|
Path > Does > Exceed Length > 200
|
Steps to add a Condition
Adding a new flightPATH Condition is very easy. An example is shown above.
1. Click the Add New button within the Condition area.
2. Choose a condition from the drop-down box. Let's take Host as an example. You can also type into the field, and the ADC will show the value in a drop-down.
3. Choose a Sense. For example, Does
4. Choose a Check. For example, Contain
5. Choose a value. For example, mycompany.com
The above example shows that there are two conditions that both have to be TRUE for the rule to complete
The first is checking that the requested object is an image
The second checks whether the host in the URL is www.imagepool.com
Evaluation
The ability to add definable variables is a compelling capability. Other ADC's offer this capability using scripting or command-line options that are not ideal for anyone. The EdgeADC allows you to define any number of variables using an easy-to-use GUI, as shown and described below.
flightPATH variable definition comprises four entries that need to be made.
Variable – this is the name of the variable
Source – a drop-down list of possible source points
Detail – select values from a drop-down or manually typed.
Value – the value that the variable holds and can be an alphanumeric value or a RegEx for fine-tuning.
Built-in Variables:
Built-In variables have already been hardcoded, so you do not need to create an evaluation entry for these.
You can use any of the variables listed below in the Action section.
$sourceip$ - The source IP address of the request
$sourceport$ - The source port that was used
$clientip$ - The IP address of the client
$clientport$ - The port used by the client
$host$ - The host named in the request
$method$ - The method used: GET, POST etc
$path$ - The path specified in the request
$querystring$ - The querystring used in the request
$version$ - The version of the HTTP request in the REQUEST (only 1 and 1.1 allowed at present).
$resp$ - The RESPONSE from the server. eg. 200OK, 404 etc.
$geolocation$ - The GEO location from where the request originated.
|
ACTION
|
TARGET
|
|
Action = Redirect 302
|
Target = HTTPs://$host$/404.html
|
|
Action = Log
|
Target = A client from $sourceip$:$sourceport$ has just made a request $path$ page
|
Explanation:
A client accessing page that does not exist would ordinarily be presented with the browser’s 404 Error page
Instead, the user is redirected to the original hostname they used, but the incorrect path is replaced with 404.html
An entry is added to the Syslog saying, "A client from 154.3.22.14:3454 has just requested the wrong.html page."
Action
The next stage in the process is to add an action associated with the flightPATH rule and condition.
In this example, we want to rewrite the path portion of the URL to reflect the URL typed by the user.
Click Add New
Choose Rewrite Path from the Action drop-down menu
In the Target field, type in $path$/myimages
Click Update
This action will add /myimages to the path, so the final URL becomes www.imagepool.com/myimages
|
Action
|
Description
|
Example
|
|
Add Request Cookie
|
Add request cookie detailed in the Target section with value in Data section
|
Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii
|
|
Add Request Header
|
Add a request header of Target type with value in Data section
|
Target= Accept Data= image/png
|
|
Add Response Cookie
|
Add Response Cookie detailed in the Target section with value in Data section
|
Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii
|
|
Add Response Header
|
Add request header detailed in the Target section with value in the Data section
|
Target= Cache-Control Data= max-age=8888888
|
|
Body Replace All
|
Search the Response Body and replace all instances
|
Target= http:// (Search string) Data= https:// (Replacement string)
|
|
Body Replace First
|
Search the Response Body and replace first instance only
|
Target= http:// (Search string) Data= https:// (Replacement string)
|
|
Body Replace Last
|
Search the Response Body and replace last instance only
|
Target= http:// (Search string) Data= https:// (Replacement string)
|
|
Drop
|
This will drop the connection
|
Target= N/A Data= N/A
|
|
e-Mail
|
Will send an email to the address configured in Email Events. You can use a variable as the address or the message
|
Target= “flightPATH has emailed this event” Data= N/A
|
|
Log Event
|
This will log an event to the System log
|
Target= “flightPATH has logged this in syslog” Data= N/A
|
|
Redirect 301
|
This will issue a permanent redirect
|
Target= http://www.edgenexus.io Data= N/A
|
|
Redirect 302
|
This will issue a temporary redirect
|
Target= http://www.edgenexus.io Data= N/A
|
|
Remove Request Cookie
|
Remove request cookie detailed in the Target section
|
Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii
|
|
Remove Request Header
|
Remove request header detailed in the Target section
|
Target=Server Data=N/A
|
|
Remove Response
|
Remove response cookie detailed in the Target section Cookie
|
Target=jnAccel
|
|
Remove Response
|
Remove the response header detailed in Target section Header
|
Target= Etag Data= N/A
|
|
Replace Request Cookie
|
Replace request cookie detailed in the Target section with value in the Data section
|
Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii
|
|
Replace Request Header
|
Replace request header in the Target with Data value
|
Target= Connection Data= keep-alive
|
|
Replace Response
|
Replace the response cookie detailed in Target section with value in Data section Cookie
|
Target=jnAccel=afYfn1CDqqCDqCVii Date=MSWSMAN=afYfn1CDqqCDqCVii
|
|
Replace Response
|
Replace the response header detailed in Target section with value in Data section Header
|
Target= Server Data= Withheld for Security
|
|
Rewrite Path
|
This will allow you to redirect the request to new URL based on the condition
|
Target= /test/path/index.html$querystring$ Data= N/A
|
|
Use Secure Server
|
Select which secure server or virtual service to use
|
Target=192.168.101:443 Data=N/A
|
|
Use Server
|
Select which server or virtual service to use
|
Target= 192.168.101:80 Data= N/A
|
|
Encrypt Cookie
|
This will 3DES Encrypt cookies and then base64 encode them
|
Target= Enter the cookie name to be encrypted, you may use the * as a wild card at the end Data= Enter a pass phrase for the encryption
|
A flightPATH rule scenario
A customer has an e-commerce site and is having issues with cookies being blocked by the latest versions of a browser.
The customer traces the issues and finds the root cause to be the lack of ‘secure’ and ‘same-site’ tagging for the cookies in question.
Let’s look at how flightPATH can help.
We have a cookie by the name ‘wp_woocommerce_session_97929973749972642’
The name of the cookie is ‘wp_woocommerce_session_’ with a random unique ID value of ‘97929973749972642’ generated by the e-commerce system.
The tags for ‘same-site’ and ‘secure’ tags appear to be blank, hence the cookie is blocked by the browser’s new security restrictions.
To prevent this happening, we can create the following flightPATH rules.
flightPATH Rule for Session ID
o Condition:
Leave blank
o Evaluation:
Variable = $variable_1$
Source = Response cookie
Detail = wp_woocommerce_session_*
o Action:
Action = Replace Response Cookie
Target = wp_woocommerce_session_*
Data = $variable_1$
flightPATH Rule for Tags
o Condition:
Condition = Response Cookie
Match = woocommerce_cart_hash
Sense = Does
Check = Exist
Value = Leave blank
o Evaluation:
Variable = $variable_2$
Source = Response Cookie
Detail = woocommerce_cart_hash
Value = Leave blank
o Action:
Action = Replace Response Cookie
Target = woocommerce_cart_hash
Data = $variable_2$,SameSite=None,Secure
Now you apply the rules to the Virtual Service(s) that require them.
