
Block HTTP/2 traffic in netscaler

Started by Samarjit Das , 20 April 2017 - 04:09 PM
19 replies to this topic

Best Answer Samarjit Das , 28 April 2017 - 01:36 AM

"set ns httpParam -dropInvalreqs ON" command helped to drop HTTP request with garbage value.

Samarjit Das (Members)

Posted 20 April 2017 - 04:09 PM

I've created a filter policy to send HTTP code 404 when the request matches the "block" keyword ("http.req.url contains block"), and the rule is working fine except for the case when the request hits the NetScaler with HTTP version 2.0, where the rule fails.

Is there a way in NetScaler to create a rule to check the HTTP version on an incoming HTTP request?



Nathan Joseph (Members)

Posted 20 April 2017 - 04:58 PM

If you want to block HTTP/2 you can do this via an HTTP profile bound to your vServer. By default, however, I believe HTTP/2 is disabled already.

If you want to try to figure out why it isn't working for HTTP/2, you can try collecting the exact request being sent via the Developer Tools in the browser, or, if this isn't browser based, use a tool like Fiddler. You can then pass that request into the policy evaluator tool within the NetScaler to see how it is processed against the policy.



Samarjit Das (Members)

Posted 20 April 2017 - 05:19 PM

I tried with the httpProfile option, but it didn't help.



Nathan Joseph (Members)

Posted 20 April 2017 - 05:35 PM

What are you actually seeing back? Is the traffic passing through or are you receiving something else?



Samarjit Das (Members)

Posted 21 April 2017 - 04:58 AM

I'm sending multiple HTTP requests with HTTP 1.1, HTTP 1.2, HTTP 1.3 ... HTTP 2.0, HTTP 2.1 and so on. The filter rule works as expected until a request hits with HTTP 2.0. Once the NetScaler sees an HTTP request with 2.0, it passes the request to the back-end servers and all contents become visible on the client laptop.



Carl Stalhood (CTP Member)

Posted 21 April 2017 - 02:33 PM

It works for me in 12.0 beta.

 

Create a Responder Policy with Action = DROP (or Reset). Set the expression to what you want to block. Bind it to your SSL vServer that has HTTP/2 enabled.



Samarjit Das (Members)

Posted 21 April 2017 - 04:21 PM

Can you please give me the rule which worked for you and the bind point? Did you try from Fiddler using HTTP/2.0?



Carl Stalhood (CTP Member)

Posted 21 April 2017 - 04:59 PM

I basically did this.

 

For http/2 verification, I installed https://chrome.google.com/webstore/detail/http2-and-spdy-indicator/mpbpobfflnpcgagjijhmgnchggcjblin?hl=en

 

add ns httpProfile http2 -http2 ENABLED

add lb vserver expressiontest-ssl SSL 10.2.5.217 443 -persistenceType NONE -cltTimeout 180 -httpProfileName http2

add responder policy ExpressionTester "http.REQ.URL.CONTAINS(\"block\")" RESET

bind lb vserver expressiontest-ssl svcgrp-MyWebsite

bind lb vserver expressiontest-ssl -policyName ExpressionTester -priority 100 -gotoPriorityExpression END -type REQUEST

bind ssl vserver expressiontest-ssl -certkeyName WildcardCorpLocal



Samarjit Das (Members)

Posted 21 April 2017 - 05:34 PM

Did you try on VPX or MPX? It is not working on VPX for me.



Carl Stalhood (CTP Member)

Posted 21 April 2017 - 08:26 PM

Yep, VPX in my home lab. I just tried 11.1 build 53 and it also works. HTTP/2 to the site. Blocked if I enter "block" anywhere in the URL path.



Carl Stalhood (CTP Member)

Posted 21 April 2017 - 08:27 PM

HTTP/2 was added to VPX in 11.0 and newer.



Samarjit Das (Members)

Posted 22 April 2017 - 02:56 AM

@Carl, your replies are really helpful and quick. I also tried on a VPX with build 11.0, but it did not work. It looks like the VPX rule can block an HTTP/2 request coming from a browser but fails to do so when it is sent from Fiddler. Can you please do me a favor by hitting the URL from Fiddler [get https://vip_ip/block/ http/2.0]? Please note that if you can open a connection channel with HTTP/2, then all following requests, even the ones you fire using HTTP/1.1, will get opened.



Samarjit Das (Members)

Posted 22 April 2017 - 10:59 AM

I tested on the builds below, and 10.5 was able to block the HTTP/2 request.

10.5 Build 57.7

11.0 Build 68.12



Samarjit Das (Members)

Posted 22 April 2017 - 11:13 AM

I think 11.1 build 53.11 worked because the release notes say the following for 11.1 build 53.11:

All SSL-based policy expressions evaluate to FALSE in HTTP/2 connections.



Samarjit Das (Members)

Posted 23 April 2017 - 04:02 AM

With this rule "HTTP.REQ.URL.CONTAINS(\"block\")", if I add a space after the keyword "block", it opens up the connection to the back-end servers. What is the best way to adjust the rule so that even putting a white space after the keyword "block" gets blocked?

 

I'm trying https://www.abc.com/block /



Carl Stalhood (CTP Member)

Posted 23 April 2017 - 04:23 AM

HTTP.REQ.URL.CONTAINS should find the term anywhere in the URL, whether there's extra spaces or not.



Samarjit Das (Members)

Posted 23 April 2017 - 04:37 AM

I'm trying to send an HTTP response code 404 when the URL contains "block". So the HTTP.REQ.URL.CONTAINS(\"block\") rule works well (whether it's HTTP/1, HTTP/2, etc.) to block the "block" keyword with code 10.5 Build 57.7. I'm going to test on 11.1 build 53.11, but I assume it will work as you tested.

Now my security team is checking by putting some extra spaces after the "block" keyword, but in that case the rule is not able to block. How do I block even when someone adds an extra space?



Samarjit Das (Members)

Posted 24 April 2017 - 03:25 AM

Any idea how to block the "block" keyword in the URL when a white space is added after the block keyword and then a forward slash (https://www.abc.com/block /), and when a white space is added before the block keyword (https://www.abc.com/ block/)?

I wrote the responder policy below to check and send a response code HTTP 404, but it's not working:

 

HTTP.REQ.URL.REGEX_MATCH(re/block\s/)



Carl Stalhood (CTP Member)

Posted 24 April 2017 - 12:40 PM

When I use the original Responder policy expression and put spaces in the URL, it blocks correctly.

 

You might have to call Support so they can review your configuration.



Samarjit Das (Members)

Posted 28 April 2017 - 01:36 AM

The "set ns httpParam -dropInvalreqs ON" command helped to drop HTTP requests with garbage values.
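The whitespace cases raised earlier in the thread (a space after or before "block" in the request URL, as in https://www.abc.com/block / and https://www.abc.com/ block/) and the dropInvalReqs fix in this last post are easiest to see with a small model of how a request line is parsed. The following Python is an added illustration written for this page; it is not NetScaler code and was not posted by anyone in the thread. The sample request lines are constructed, and the "DROP / 404 / FORWARD" outcomes are this model's own approximation of the appliance: in particular, treating a malformed line as passed through when dropping of invalid requests is off is an assumption based only on what the original poster reported seeing.

```python
"""Model of HTTP/1.x request-line handling for the cases discussed above.

Added illustration, not NetScaler code. It shows:
  * why "GET /block / HTTP/1.1" is not a well-formed request line (the
    request-target may not contain a raw space, so the line has four
    space-separated tokens instead of three), and
  * how a strict parser combined with "drop invalid requests" (the
    -dropInvalReqs knob from the thread) disposes of such a request
    before any URL keyword policy is evaluated at all.
Sample request lines are constructed for this example.
"""
import re
from typing import NamedTuple, Optional

# RFC 7230 section 3.1.1: request-line = method SP request-target SP HTTP-version
_VERSION = re.compile(r"^HTTP/(\d)\.(\d)$")
_METHOD = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # token (one or more tchar)


class RequestLine(NamedTuple):
    method: str
    target: str
    major: int
    minor: int


def parse_request_line(line: str) -> Optional[RequestLine]:
    """Parse strictly; return None for anything malformed."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:          # "/block /" splits into two tokens -> rejected
        return None
    method, target, version = parts
    if not _METHOD.match(method) or not target or "\t" in target:
        return None
    m = _VERSION.match(version)  # "HTTP/2.x" (garbage version) is rejected here
    if not m:
        return None
    return RequestLine(method, target, int(m.group(1)), int(m.group(2)))


def decide(line: str, keyword: str = "block", drop_invalid: bool = True) -> str:
    """Model the vServer decision for one request line.

    "DROP"    - malformed line discarded (dropInvalReqs ON),
    "404"     - URL contains the keyword (the responder policy matched),
    "FORWARD" - passed to the back-end. With drop_invalid=False a malformed
                line is modelled as passed through; that is an assumption
                matching only what the original poster reported.
    """
    req = parse_request_line(line)
    if req is None:
        return "DROP" if drop_invalid else "FORWARD"
    if keyword in req.target:   # models HTTP.REQ.URL.CONTAINS(keyword), case-sensitive
        return "404"
    return "FORWARD"


# Constructed samples. The HTTP/2.0 line mirrors the text request the original
# poster fired from Fiddler; real HTTP/2 is negotiated via ALPN and is
# binary-framed, so it never carries such a request line on the wire.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /block/ HTTP/1.1",
    "GET /block/ HTTP/2.0",
    "GET /block / HTTP/1.1",   # space after the keyword
    "GET / block/ HTTP/1.1",   # space before the keyword
    "GET /block/ HTTP/2.x",    # garbage version
]


def run_samples(drop_invalid: bool = True) -> dict:
    """Return {request_line: decision} for the constructed samples."""
    return {ln: decide(ln, drop_invalid=drop_invalid) for ln in SAMPLE_LINES}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"dropInvalReqs {'ON' if mode else 'OFF'}:")
        for ln, verdict in run_samples(mode).items():
            print(f"  {verdict:8s} {ln!r}")
```

Run it to print both modes. The two whitespace lines never reach the keyword check, because a raw space inside the request-target makes the line syntactically invalid; only when invalid requests are dropped are they rejected, which is why the httpParam setting, rather than a regex change to the responder policy, is what closed the case. A regex such as re/block\s/ could never have helped here, since the URL the policy sees after splitting on spaces no longer contains the space.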