flightPATH
The Configure > flightPATH page allows you to view and update the flightPATH rules on the jetNEXUS ALB-X. The settings are organised in the following sections:
What is flightPATH?
flightPATH is a rule engine developed by edgeNEXUS to intelligently manipulate and route HTTP and HTTPS traffic. It is highly configurable, very powerful and yet very easy to use.
A flightPATH rule has three components:
Evaluation:
What can flightPATH do?
flightPATH can be used to modify incoming and outgoing HTTP(S) content and requests. As well as simple string matches such as “Starts with”, “Ends With” etc., powerful Perl Compatible Regular Expressions can be used for more complete control.
In addition, custom variables can be created and used in the Action enabling many different possibilities.
Details
The details section contains the name and description of all of the flightPATH rules configured on the ALB-X. As you click on a rule the details of the rule will show in the section below.
To add a new flightPATH rule click Add New and give your rule a Name and Description then click Update to save this section.
Condition
- New conditions can be added by clicking the Add New button.
- Multiple conditions can be used but ALL must be met for the rule to execute.
- To use an OR you would need to create an additional flightPATH rule.
- Each condition contains three elements and, depending on the condition, a value.
Condition:
from the drop down list. You can start typing and the option will auto-show; you can then select with the arrow keys and tab to the next column
Match:
on the Condition, the Match may be blank. For example, if the Condition is Request Header the Match might be User-Agent
Sense:
Check:
Value:
Condition | Description | Example |
<form> | HTML forms are used to pass data to a server | Example “form doesn’t have length 0” |
GEO Location | This compares the source IP address to the ISO 3166 Country Code | GEO Location does equal GB OR GEO Location does equal Germany |
Host | This is the host extracted from the URL | www.mywebsite.com or 192.168.1.1 |
Language | This is the Language extracted from the language HTTP header | This condition will produce a dropdown with a list of Languages |
Method | This is a drop down of HTTP methods | This is a drop down that includes GET, POST etc |
Origin IP | If upstream proxy supports X-Forwarded-for (XFF) it will use the true Origin address | Client IP. Can also use multiple IPs or subnets. 10\.1\.2\.* is 10.1.2.0 /24 subnet |
Path | This is the path of the website | /mywebsite/index.asp |
POST | POST request method | Check data being uploaded to a website |
Query | This is the name and value of a query; it can accept either the query name or a value as well | “Best=jetNEXUS” Where the Match is Best and the Value is edgeNEXUS |
Query String | The whole query string after the ? character | |
Request Cookie | This is the name of a cookie requested by a client | MS-WSMAN=afYfn1CDqqCDqUD:: |
Request Header | This can be any HTTP Header | Referrer, User-Agent, From, Date |
Request Version | This is the HTTP version | HTTP/1.0 OR HTTP/1.1 |
Response Body | A user defined string in the response body | Server UP |
Response Code | The http code for the response | 200 OK, 304 Not Modified |
Response Cookie | This is the name of a cookie sent by the server | MS-WSMAN=afYfn1CDqqCDqUD:: |
Response Header | This can be any HTTP Header | Referrer, User-Agent, From, Date |
Response Version | The HTTP version sent by the server | HTTP/1.0 OR HTTP/1.1 |
Source IP | This is either the origin IP, proxy server IP or some other aggregated IP address | Client IP, Proxy IP, Firewall IP. Can also use multiple IPs and subnets. You must escape the dots as these are RegEx. Example 10\.1\.2\.3 is 10.1.2.3 |
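How the IP patterns quoted on this page (the Origin IP and Source IP rows above, and the Match RegEx row of the Check table further down) behave under ordinary unanchored regular-expression search, as an added example that is not edgeNEXUS code. The page does not say whether flightPATH anchors patterns, so search-style matching is an assumption; the anchored pattern and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Patterns quoted on this page (spaces around the alternation dropped).
PAGE_PATTERNS = {
    "subnet_24": r"10\.1\.2\.*",
    "single_ip": r"10\.1\.2\.3",
    "ten_or_eleven": r"10\..*|11\..*",
}

# Constructed alternative: anchored at both ends, last octet limited to 0-255.
ANCHORED_24 = r"^10\.1\.2\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"

# Constructed sample client addresses.
SAMPLES = ["10.1.2.7", "10.1.2.30", "10.1.2.255", "10.1.20.7",
           "110.1.2.7", "10.1.2.300", "11.0.0.1", "211.4.5.6"]


def matches(pattern, address):
    """Unanchored search (assumed engine behaviour, not stated on the page)."""
    return re.search(pattern, address) is not None


def unintended(pattern, network, samples=SAMPLES):
    """Samples the pattern accepts that are NOT inside the intended network."""
    net = ipaddress.ip_network(network)
    hits = []
    for addr in samples:
        try:
            inside = ipaddress.ip_address(addr) in net
        except ValueError:  # not a valid IPv4 address at all, e.g. 10.1.2.300
            inside = False
        if matches(pattern, addr) and not inside:
            hits.append(addr)
    return hits
```

Running `unintended` against a rule's pattern and the network it is meant to cover lists the addresses that would be let through or blocked by mistake before the rule goes live.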
Match | Description | Example |
Accept | Content-Types that are acceptable | Accept: text/plain |
Accept-Encoding | Acceptable encodings | Accept-Encoding: <compress | gzip | deflate | sdch | identity> |
Accept-Language | Acceptable languages for response | Accept-Language: en-US |
Accept-Ranges | What partial content range types this server supports | Accept-Ranges: bytes |
Authorization | Authentication credentials for HTTP authentication | Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== |
Charge-To | Contains account information for the costs of the application of the method requested | |
Content-Encoding | The type of encoding used on the data. | Content-Encoding: gzip |
Content-Length | The length of the response body in Octets (8-bit bytes) | Content-Length: 348 |
Content-Type | The mime type of the body of the request (used with POST and PUT requests) | Content-Type: application/x-www-form-urlencoded |
Cookie | An HTTP cookie previously sent by the server with Set-Cookie (below) | Cookie: $Version=1; Skin=new; |
Date | Date and time at which the message was originated | Date = “Date” “:” HTTP-date |
ETag | An identifier for a specific version of a resource, often a message digest | ETag: “aed6bdb8e090cd1:0” |
From | The email address of the user making the request | From: user@example.com |
If-Modified-Since | Allows a 304 Not Modified to be returned if content is unchanged | If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT |
Last-Modified | The last modified date for the requested object, in RFC 2822 format | Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT |
Pragma | Implementation-specific headers that may have various effects anywhere along the request-response chain. | Pragma: no-cache |
Referrer | This is the address of the previous web page from which a link to the currently requested page was followed | Referrer: http://www.edgenexus.io |
Server | A name for the server | Server: Apache/2.4.1 (Unix) |
Set-Cookie | An HTTP cookie | Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1 |
User-Agent | The user agent string of the user agent | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
Vary | Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server | Vary: User-Agent |
X-Powered-By | Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application | X-Powered-By: PHP/5.4.0 |
Check | Description | Example |
Exist | This does not care for the detail of the condition just that it does/doesn’t Exist | Host — Does — Exist |
Start | The string starts with the Value | Path — Does — Start — /secure |
End | The string ends with the Value | Path — Does — End — .jpg |
Contain | The string does contain the Value | Request Header — Accept — Does — Contain — image |
Equal | The string does Equal the Value | Host — Does — Equal — www.jetnexus.com |
Have Length | The string does have length of the value | Host — Does — Have Length — 16 www.jetnexus.com = TRUE www.jetnexus.co.uk = FALSE |
Match RegEx | This enables you to enter a full Perl compatible regular expression | Origin IP — Does — Match Regex — 10\..* | 11\..* |
Example:
- The example below has two conditions and BOTH must be met to carry out the action
- The first is checking that the requested object is an image
- The second is checking for a specific hostname
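A small model of the condition logic described in this section, as an added example rather than flightPATH's own code: every condition in a rule must hold, and an OR is expressed as a second rule. The request dictionary, the rule tuples (built from the Check table's example rows) and all function names are constructed for illustration.

```python
import re

# One function per Check in the table above; each takes (actual, value).
CHECKS = {
    "Exist": lambda a, v: a is not None,
    "Start": lambda a, v: a is not None and a.startswith(v),
    "End": lambda a, v: a is not None and a.endswith(v),
    "Contain": lambda a, v: a is not None and v in a,
    "Equal": lambda a, v: a == v,
    "Have Length": lambda a, v: a is not None and len(a) == int(v),
    "Match RegEx": lambda a, v: a is not None and re.search(v, a) is not None,
}


def lookup(request, condition, match):
    """Fetch the part of the request that a Condition/Match pair refers to."""
    field = request.get(condition)
    if isinstance(field, dict):  # e.g. Request Header -> Accept
        return field.get(match)
    return field


def condition_met(request, condition, match, sense, check, value):
    """Apply one Check, then invert the result when the Sense is not 'Does'."""
    result = CHECKS[check](lookup(request, condition, match), value)
    return result if sense == "Does" else not result


def rule_fires(request, conditions):
    """ALL conditions of a rule must be met (logical AND)."""
    return all(condition_met(request, *c) for c in conditions)


def any_rule_fires(request, rules):
    """OR is modelled as separate rules: true if at least one rule fires."""
    return any(rule_fires(request, conditions) for conditions in rules)


# Two conditions in the spirit of this section's example: image + hostname.
IMAGE_RULE = [
    ("Request Header", "Accept", "Does", "Contain", "image"),
    ("Host", "", "Does", "Equal", "www.jetnexus.com"),
]
# Constructed request for illustration.
REQUEST = {"Host": "www.jetnexus.com", "Path": "/logo.jpg",
           "Request Header": {"Accept": "image/png,*/*"}}
```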
Evaluation
Adding a Variable is a very powerful feature that will allow you to extract data from the request and include this in the actions.
For example, you could log a user's username or send an email if there is a security problem.
Variable:
Source:
Detail:
Value:
Source | Description | Example |
Cookie | This is the name and value of the cookie header | MS-WSMAN=afYfn1CDqqCDqUD:: Where the name is MS-WSMAN and the value is afYfn1CDqqCDqUD:: |
Host | This is the hostname extracted from the URL | www.mywebsite.com or 192.168.1.1 |
Language | This is the language extracted from the Language HTTP header | This condition will produce a dropdown with a list of languages. |
Method | This is a drop down of HTTP methods | The dropdown will include GET, POST |
Path | This is the path of the website | /mywebsite/index.html |
POST | POST request method | Check data being uploaded to a website |
Query Item | This is the name and value of a query; it can accept either the query name or a value as well | “Best=jetNEXUS” Where the Match is Best and the Value is edgeNEXUS |
Query String | This is the whole string after the ? character | http://server/path/program?query_string |
Request Header | This can be any header sent by the client | Referrer, User-Agent, From, Date… |
Response Header | This can be any header sent by the server | Referrer, User-Agent, From, Date… |
Version | This is the HTTP version | HTTP/1.0 or HTTP/1.1 |
Detail | Description | Example |
Accept | Content-Types that are acceptable | Accept: text/plain |
Accept-Encoding | Acceptable encodings | Accept-Encoding: <compress | gzip | deflate | sdch | identity> |
Accept-Language | Acceptable languages for response | Accept-Language: en-US |
Accept-Ranges | What partial content range types this server supports | Accept-Ranges: bytes |
Authorization | Authentication credentials for HTTP authentication | Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== |
Charge-To | Contains account information for the costs of the application of the method requested | |
Content-Encoding | The type of encoding used on the data. | Content-Encoding: gzip |
Content-Length | The length of the response body in Octets (8-bit bytes) | Content-Length: 348 |
Content-Type | The mime type of the body of the request (used with POST and PUT requests) | Content-Type: application/x-www-form-urlencoded |
Cookie | An HTTP cookie previously sent by the server with Set-Cookie (below) | Cookie: $Version=1; Skin=new; |
Date | Date and time at which the message was originated | Date = “Date” “:” HTTP-date |
ETag | An identifier for a specific version of a resource, often a message digest | ETag: “aed6bdb8e090cd1:0” |
From | The email address of the user making the request | From: user@example.com |
If-Modified-Since | Allows a 304 Not Modified to be returned if content is unchanged | If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT |
Last-Modified | The last modified date for the requested object, in RFC 2822 format | Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT |
Pragma | Implementation-specific headers that may have various effects anywhere along the request-response chain. | Pragma: no-cache |
Referrer | This is the address of the previous web page from which a link to the currently requested page was followed | Referrer: http://www.edgenexus.io |
Server | A name for the server | Server: Apache/2.4.1 (Unix) |
Set-Cookie | An HTTP cookie | Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1 |
User-Agent | The user agent string of the user agent | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
Vary | Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server | Vary: User-Agent |
X-Powered-By | Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application | X-Powered-By: PHP/5.4.0 |
Example 1:
In the example below we have created a variable called ignorestart. It looks at the Path, ignores the first section called finance and uses the latter part of the path as the contents of the variable.
This method allows the use of regular expression groups to create the variable. The example below only has one group so the value will be the characters contained within the brackets. If more than one group is used in a regular expression the value will be taken from the last group.
Path = /finance/budgets/alpha/1.html
$ignorestart$ = /budgets/alpha/1.html
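The last-group behaviour described above, as an added example rather than flightPATH's own code. The regular expressions are assumptions (the page gives only the input path and the resulting value), and `extract_variable` and `expand` are hypothetical helper names.

```python
import re


def extract_variable(pattern, source):
    """Return the text captured by the LAST group, or None if nothing matched."""
    m = re.search(pattern, source)
    if m is None or m.re.groups == 0:
        return None
    return m.group(m.re.groups)


def expand(template, variables):
    """Substitute $name$ placeholders; unknown or empty variables are left as-is."""
    return re.sub(r"\$(\w+)\$",
                  lambda m: variables.get(m.group(1)) or m.group(0),
                  template)


PATH = "/finance/budgets/alpha/1.html"  # path from Example 1

# One group (assumed expression): everything after the first path section.
ONE_GROUP = r"^/finance(/.*)$"
# Two groups: the first captures "finance" but only the last group is kept.
TWO_GROUPS = r"^/(\w+)(/.*)$"
# Group order matters: here the last group is the second path section only.
SECTION_ONLY = r"^/(\w+)/(\w+)/"
```

With more than one group, reordering the expression silently changes what ends up in the variable, so each rule is worth checking against a sample path before it is used in an action.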
Action
The action is the task or tasks that are enabled once the condition or conditions have been met.
Action:
Target:
view the drop down list. The list will change depending on the Action. You may also type manually with some actions.
Data:
All of the actions are detailed below:
Action | Description | Example |
Add Request Cookie | Add request cookie detailed in the Target section with value in Data section | Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii |
Add Request Header | Add a request header of Target type with value in Data section | Target= Accept Data= image/png |
Add Response Cookie | Add Response Cookie detailed in the Target section with value in Data section | Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii |
Add Response Header | Add response header detailed in the Target section with value in the Data section | Target= Cache-Control Data= max-age=8888888 |
Body Replace All | Search the Response Body and replace all instances | Target= http:// (Search string) Data= https:// (Replacement string) |
Body Replace First | Search the Response Body and replace first instance only | Target= http:// (Search string) Data= https:// (Replacement string) |
Body Replace Last | Search the Response Body and replace last instance only | Target= http:// (Search string) Data= https:// (Replacement string) |
Drop | This will drop the connection | Target= N/A Data= N/A |
| Will send an email to the address configured in Email Events. You can use a variable as the address or the message | Target= “flightPATH has emailed this event” Data= N/A |
Log Event | This will log an event to the System log | Target= “flightPATH has logged this in syslog” Data= N/A |
Redirect 301 | This will issue a permanent redirect | Target= http://www.edgenexus.io Data= N/A |
Redirect 302 | This will issue a temporary redirect | Target= http://www.edgenexus.io Data= N/A |
Remove Request Cookie | Remove request cookie detailed in the Target section | Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii |
Remove Request Header | Remove request header detailed in the Target section | Target=Server Data=N/A |
Remove Response Cookie | Remove response cookie detailed in the Target section | Target=jnAccel |
Remove Response Header | Remove the response header detailed in Target section | Target= Etag Data= N/A |
Replace Request Cookie | Replace request cookie detailed in the Target section with value in the Data section | Target= Cookie Data= MS-WSMAN=afYfn1CDqqCDqCVii |
Replace Request Header | Replace request header in the Target with Data value | Target= Connection Data= keep-alive |
Replace Response Cookie | Replace the response cookie detailed in Target section with value in Data section | Target=jnAccel=afYfn1CDqqCDqCVii Data=MS-WSMAN=afYfn1CDqqCDqCVii |
Replace Response Header | Replace the response header detailed in Target section with value in Data section | Target= Server Data= Withheld for Security |
Rewrite Path | This will allow you to redirect the request to a new URL based on the condition | Target= /test/path/index.html Data= N/A |
Use Secure Server | Select which secure server or virtual service to use | Target=192.168.101:443 Data=N/A |
Use Server | Select which server or virtual service to use | Target= 192.168.101:80 Data= N/A |
Example:
The action below will issue a temporary redirect to the browser to a secure HTTPS Virtual Service. It will use the same hostname, path and querystring as the request.
Diagnostics
Tick this box to enable a more detailed trace. This will log additional detail to the syslog and should be used for testing and troubleshooting only, as it will increase latency and CPU usage.
Common Uses:
Application Firewall and Security:
- Block unwanted IPs
- Force user to HTTPS for specific (or all) content
- Block or redirect spiders
- Prevent and alert on cross-site scripting
- Prevent and alert on SQL injection
- Hide internal directory structure
- Rewrite cookies
- Secure directory for particular users
Features:
- Redirect users based on path
- Provide Single sign on across multiple systems
- Segment users based on User ID or Cookie
- Add headers for SSL offload
- Language detection
- Rewrite user request
- Fix broken URLs
- Log and Email Alert 404 response codes
- Prevent directory access/ browsing
- Send spiders different content
Pre-Built Rules:
1. HTML Extension:
2. Index.html:
3. Close Folders:
4. Hide CGI-BBIN:
5. Log Spider:
6. Force HTTPS:
7. Media Stream:
8. Swap HTTP to HTTPS:
9. Blank out Credit Cards:
10. Content Expiry:
11. Spoof Server Type:
12. Never Send Errors:
13. Redirect on Language:
14. Google Analytics: