Citrix NetScaler has one of the most powerful policy and expressions engines on the market. We will show how to optimize expressions and avoid lengthy ones. We will demo how to use some of the powerful yet simple features like pattern-sets for powerful rewrite rules, how to convert those old standard expressions to advanced, and how to identify different types of devices like smartphones and tablets in your XenMobile/web deliveries.
In this session you will learn how to:
• Convert from standard to advanced expressions
• Identify clients (smartphones, tablets, etc.)
• Use features like Pattern sets/String maps for effective expressions when modifying data on the fly
• An introduction to using regex and what it can do for you
Syn504 unleashing the power of the net scaler policy and expressions engine - final
1. SYN504 - UNLEASHING THE POWER OF THE
NETSCALER POLICY AND EXPRESSIONS ENGINE
MAY 6 – 4.00PM
Henrik Johansson
Twitter: @HenrikJay
Web: https://www.ngenx.com || https://henrikjay.com
Email: henrik.johansson@ngenx.com || henrik@henrikjay.com
3. CTP, CCIA and AWS certified Architect.
Director of Professional Services.
13+ years Citrix experience, 17+ years IT.
NetScaler Wizard, Public Cloud, Security,
Evangelist and Speaker.
Speaker bio compressed
4. Founded in 2000, nGenx is a pioneer in cloud-based application delivery.
Throughout our history, we have always pushed the envelope with
technology while working to build bridges between all of our technology
partners, including Microsoft, Citrix, Cisco, Amazon Web Services, NetApp,
RES, Google Chrome, Dell/Compellent, Intuit and others. Working with these
partners, we have developed a dynamic set of cloud solutions.
nGenx – White label CSP
5. • What is a policy
• NetScaler Policies Use cases
• Classic vs default
• RegEx intro
• Optimizing expressions
Agenda at a glance
6. • Policies control how a feature evaluates data and, through logical expressions, determine what action to take on that data.
• A policy can trigger a simple effect like DROP, nothing (NOOP) or a
complex action/chain thru profiles.
What are NetScaler policies
8. • Enables you to route, modify, control traffic based on:
• Phone model, browser type, OS
• Control content delivery
• Block unsecure features on certain browsers
• Can be used to trigger other policies like:
• Redirect thru responder, Rewrite,
• Example:
add responder policy RESP_BLOCK_FF_POL "HTTP.REQ.HEADER(\"User-Agent\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Mozilla\")" DROP
Use case - Client/browser identification
9. • Enables you to actively modify and rewrite content on the fly
• For example requested URLs, text, metadata
• Example:
add rewrite action RW_RES_CMPMode_ACT insert_before "HTTP.RES.BODY(10000).SUBSTR(\"<meta\")" q{"<meta http-equiv=\"X-UA-Compatible\" content=\"IE=EmulateIE7\" />"}
Use case - Rewrites
10. • Use HTTP CallOut to verify client IP or username
• Fetch back-end pages for response replacement.
• Can be used to trigger other policies like:
• Redirect thru responder, Rewrite,
• Example:
set policy httpcallout CheckUser -ipaddress 10.10.10.10 -port 80 -returntype text -httpmethod get -urlstemexpr '"/CheckIP&"+HTTP.REQ.USER.NAME' -resultexpr 'http.res.body(5)'
sys.http_callout(CheckUser)
Use case - White/blacklisting
11. Only support Classic:
• Authentication, Pre-authentication
• SSL
• Cache redirection
• VPN (session, traffic, and tunnel traffic)
• Content filtering (use Responder instead)
Support Default:
• Application firewall policies
• Authorization policies
• Named expressions
• Compression policies
• Content switching policies
• User-defined, rule-based tokens/persistency
Classic to Default
12. Manual
• root@ns# nspepi -e "RES.HTTP.HEADER Content-Type CONTAINS application/msword"
• "HTTP.RES.HEADER("Content-Type").AFTER_STR("application/msword").LENGTH.GT(0)"
• root@ns# nspepi -e "URL != '/*.gif'"
• "HTTP.REQ.URL.REGEX_MATCH(re#/(.*).gif#).NOT"
• Is this the most optimal rule?
Expression conversion
13. Full config
root@ns# cd /nsconfig
root@ns# nspepi -f ns.conf
OUTPUT: New configuration file created: new_ns.conf
OUTPUT: New warning file created: warn_ns.conf
root@ns#
Expression conversion
14. Remember:
• Commands that exceed the 1499-character limit must be updated manually.
• Multiple classic policies can share priority 0; this is not supported in Default
• Error lines shown after command and in warning file
• Use as guidance
• Test…Test…and when done…Test again!
Expression conversion
15. What is RegEx
A regular expression is a sequence or pattern of characters that is matched
against a string of text when performing searches.
NetScaler uses PCRE
Patterns are selective and can search any part of the string.
Searches can use different entry points and look back and forward
RegEx uses delimiters to select text: re~test|test2~
These can be anything that is unique
RegEx
16. RegEx
Metacharacter | Function | Example | What it Matches
^ | Beginning-of-line anchor | /^love/ | Matches all lines beginning with love
$ | End-of-line anchor | /love$/ | Matches all lines ending with love
. | Matches one character | /l..e/ | Matches lines containing an l, followed by two characters, followed by an e
* | Matches zero or more of the preceding characters | / *love/ | Matches lines with zero or more spaces, followed by the pattern love
[] | Matches one character in the set | /[Ll]ove/ | Matches lines containing love or Love
[x-y] | Matches one character within a range in the set | /[A-Z]ove/ | Matches letters from A through Z followed by ove
[^] | Matches one character not in the set | /[^A-Z]/ | Matches any character not in the range between A and Z
\ | Used to escape a character | /love\./ | Matches lines containing love, followed by a literal period
17. RegEx
Metacharacter | Function | Definition
\d | Match any digit | [0-9]
\w | Match any word character | [A-Za-z0-9_]
\s | Match any whitespace character | [ \t\n]
\D | Match any NON-digit | [^\d]
\W | Match any NON-word character | [^\w]
\S | Match any NON-whitespace character | [^\s]
18. Example
I have a lovely time on our little picnic.
Lovers were all around us. It is springtime. Oh
love, how much I adore you. Do you know
the extent of my love? Oh, by the way, I think
I lost my gloves somewhere out in that field of
clover. Did you see them? I can only hope love
is forever. I live for you. It's hard to get back in the
groove.
/ove[^a-zA-Z0-9]/
RegEx
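Added example (not from the deck): the slide's pattern run over the slide's text in Python, whose `re` syntax agrees with PCRE for these constructs. It lists which words match and which do not, and shows an edge case: the negated class must consume a character, so a value that ends in "ove" is missed. The `\b` variant and the function names are assumptions added for comparison.

```python
import re

# Text and pattern from the slide; transcript line breaks joined with spaces.
TEXT = ("I have a lovely time on our little picnic. "
        "Lovers were all around us. It is springtime. Oh "
        "love, how much I adore you. Do you know "
        "the extent of my love? Oh, by the way, I think "
        "I lost my gloves somewhere out in that field of "
        "clover. Did you see them? I can only hope love "
        "is forever. I live for you. It's hard to get back in the "
        "groove.")
SLIDE_PATTERN = re.compile(r"ove[^a-zA-Z0-9]")
# Alternative added for comparison: zero-width word boundary instead of a
# negated class, so nothing after "ove" has to be consumed.
BOUNDARY_PATTERN = re.compile(r"ove\b")

def matched_words(pattern, text):
    """Words a match falls in, cut after 'ove' (trailing character dropped)."""
    words = []
    for m in pattern.finditer(text):
        start = text.rfind(" ", 0, m.start()) + 1
        words.append(text[start:m.start() + 3])
    return words

def skipped_words(pattern, text):
    """Words that contain 'ove' but are not matched by the pattern."""
    hit_starts = {m.start() for m in pattern.finditer(text)}
    return [w.group(0) for w in re.finditer(r"\w*ove\w*", text)
            if w.start() + w.group(0).index("ove") not in hit_starts]

if __name__ == "__main__":
    print("matched:", matched_words(SLIDE_PATTERN, TEXT))
    print("skipped:", skipped_words(SLIDE_PATTERN, TEXT))
    # Edge case: nothing follows "ove", so the negated class cannot match.
    print("end of input:", matched_words(SLIDE_PATTERN, "my love"),
          matched_words(BOUNDARY_PATTERN, "my love"))
```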
19. • Know what you are trying to find; don't evaluate the full result
• http.req.url.suffix.contains("jpeg")
• http.req.url.suffix.eq("jpeg")
• Regex takes more resources, but can match multiple values
• Match multiple items in single request
• HTTP.REQ.HOSTNAME.SERVER.REGEX_MATCH(re~host1|host2~)
• HTTP.REQ.HEADER("Example").AFTER_STR("more")
• Is better than
• HTTP.REQ.HEADER("Example").AFTER_REGEX(re/more/)
Policy optimization
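Added example (not from the deck): a Python check of the "Is this the most optimal rule?" question from the "Expression conversion" slide, set against the suffix comparisons above, using gif instead of jpeg. It assumes REGEX_MATCH behaves as an unanchored search and models the URL suffix as the extension of the last path segment; the URLs and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Regex body nspepi emitted on the slide: re#/(.*).gif#
# (the dot before "gif" is unescaped and nothing anchors the end)
CONVERTED = re.compile(r"/(.*).gif")
# Tighter variant for comparison: literal dot, anchored to the end of the path
TIGHT = re.compile(r"\.gif$")

def url_suffix(url):
    """Model (assumption) of URL.SUFFIX: extension of the last path segment."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1] if "." in last else ""

def is_gif(url):
    """Evaluate four ways of asking 'is this a GIF request?'."""
    suffix = url_suffix(url)
    return {
        "converted_regex": CONVERTED.search(url) is not None,
        "tight_regex": TIGHT.search(urlsplit(url).path) is not None,
        "suffix_eq": suffix == "gif",
        "suffix_contains": "gif" in suffix,
    }

# Constructed request URLs
SAMPLES = [
    "/img/logo.gif",
    "/img/logo.gif?v=2",
    "/reports/agif.html",
    "/upload/logo.gif.php",
    "/img/anim.gifv",
    "/img/logo.png",
]

def overmatched(samples=SAMPLES):
    """URLs the converted regex calls GIF although the suffix is not 'gif'."""
    return [u for u in samples
            if is_gif(u)["converted_regex"] and not is_gif(u)["suffix_eq"]]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, is_gif(u))
    print("over-matched:", overmatched())
```

Because the converted rule ends in .NOT, every over-matched URL is treated as a GIF and is excluded from whatever the policy was meant to apply to non-GIF requests.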
20. • A PatternSet is an excellent way to match multiple values
• Example: Checking for filetypes or hosts
add policy patset PatSet_AllowedHosts
bind policy patset PatSet_AllowedHosts host1 -index 1
bind policy patset PatSet_AllowedHosts host3 -index 2
HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY("PatSet_AllowedHosts")
Policy optimization – PatternSet
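Added example (not from the deck, and a Python model rather than NetScaler code): CONTAINS_ANY is a substring test, so a set named for allowed hosts also accepts any name that merely contains a bound pattern, while the exact-match operator EQUALS_ANY does not. The port stripping (as HOSTNAME.SERVER does), the class and function names, and the Host values are assumptions constructed for the example.

```python
class PatSet:
    """Minimal model of a pattern set: string patterns bound at an index."""
    def __init__(self, name):
        self.name = name
        self.patterns = {}          # index -> pattern

    def bind(self, pattern, index):
        self.patterns[index] = pattern

def server_name(host_header):
    """Model (assumption): Host value without :port, lower-cased to mirror
    SET_TEXT_MODE(IGNORECASE). IPv6 literals are not handled."""
    return host_header.split(":", 1)[0].lower()

def contains_any(text, patset):
    """True if any bound pattern occurs anywhere in the text (substring)."""
    return any(p.lower() in text for p in patset.patterns.values())

def equals_any(text, patset):
    """True only if the text is exactly one of the bound patterns."""
    return any(p.lower() == text for p in patset.patterns.values())

# The two bindings from the slide
allowed = PatSet("PatSet_AllowedHosts")
allowed.bind("host1", 1)
allowed.bind("host3", 2)

# Constructed Host header values
SAMPLE_HOSTS = ["host1", "HOST3:8443", "host2", "host10",
                "nothost3", "host1.example.net"]

def evaluate(hosts=SAMPLE_HOSTS, patset=allowed):
    """Map each Host value to (CONTAINS_ANY result, EQUALS_ANY result)."""
    return {h: (contains_any(server_name(h), patset),
                equals_any(server_name(h), patset)) for h in hosts}

def substring_only(hosts=SAMPLE_HOSTS, patset=allowed):
    """Hosts accepted by the substring match but not by exact matching."""
    return [h for h, (sub, exact) in evaluate(hosts, patset).items()
            if sub and not exact]

if __name__ == "__main__":
    for host, result in evaluate().items():
        print(host, result)
    print("substring only:", substring_only())
```

With exact matching the set has to hold the names exactly as clients send them, for example the full FQDN rather than a short host name.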
23. • Always use the correct policy expression
Example:
HTTP.REQ.URL.QUERY
Performs better than
HTTP.REQ.URL.AFTER_STR("?")
which is based on string parsing that has to look thru the whole query
Policy optimization – Correct policy
24. • TypeCasting allows you to convert data
HTTP.REQ.HEADER("Example").AFTER_STR(",").BEFORE_STR(",")
Can be optimized by changing into
HTTP.REQ.HEADER("Example").TYPECAST_LIST_T(',').GET(1)
SET_TEXT_MODE(IGNORECASE) is excellent when working with rewrite
Policy optimization - TypeCasting
27. Before you leave…
Conference surveys are available online at www.citrixsynergy.com starting
Thursday, May 8 at 9:00 a.m.
• Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes
Download presentations starting Monday, May 19, from your My Event
Planning Tool
Editor's notes
Info on tweets
This session will focus some time on requirements for implementing HDX Insight and why but quickly move on and show live demos How to implement and especially how easy it is.
Will change…
Before moving on with some of the actual code, let's take a look at some use cases for policies and expressions