flightPATH
The Library — flightPATH page allows you to view and update the flightPATH rules on the jetNEXUS ALB-X. The settings are organised in the following sections: Details, Condition, Evaluation and Action.
What is flightPATH?
flightPATH is a rule engine developed by edgeNEXUS to intelligently manipulate and route HTTP and HTTPS traffic. It is highly configurable, very powerful and yet very easy to use.
Although some components of flightPATH are IP objects, such as Source IP, flightPATH can only be applied to a Service Type of HTTP. If you choose any other Service Type, the flightPATH tab in IP Services will be blank.
A flightPATH rule has three components:
Condition: one or more tests on the request or response. All of them must be true for the rule to fire.
Evaluation: optional variables extracted from the request or response for use in the Action.
Action: what the ALB-X does once the conditions are met, such as redirecting, rewriting, adding or removing headers, logging, or dropping the connection.
What can flightPATH do?
- flightPATH can modify incoming and outgoing HTTP(S) content and requests.
- As well as simple string matches such as "Starts with" and "Ends with", Perl Compatible Regular Expressions (PCRE) can be used for more complete control.
- For more on regular expressions see https://www.regexbuddy.com/regex.html
- Custom variables can be created and used in the Action, enabling many different possibilities.
Details
The Details section lists the name and description of all of the flightPATH rules configured on the ALB-X. When you click on a rule, its details are shown in the sections below.
To add a new flightPATH rule click Add New, give your rule a Name and Description, then click Update to save this section.
Condition
- New conditions can be added by clicking the Add New button.
- Multiple conditions can be used, but ALL must be met for the rule to execute (they are AND-ed).
- To express an OR, either use Match RegEx with alternation (item1|item2) in a single condition, or create an additional flightPATH rule and apply both rules in IP Services.
- Each condition has a Condition, a Sense and a Check, plus a Match and a Value where the chosen Condition and Check need them.
Condition: select from the drop down list. You can start typing and the matching option will auto-show; select it with the arrow keys and tab to the next column.
Match: depends on the Condition and may be blank. For example, if the Condition is Request Header the Match might be User-Agent.
Sense: Does or Doesn't, i.e. whether the Check must be true or false for the condition to hold.
Check: select from the drop down list. For a simple check use Start, End or Contain. To test several alternatives in the same line use Match RegEx, for example Check = Match RegEx, Value = item1|item2|item3. Match RegEx uses Perl Compatible Regular Expressions (PCRE); more information can be found at https://www.regexbuddy.com/. A PCRE pattern matches anywhere in the string unless you anchor it, so use ^ and $ when you mean the whole value (this matters most for IP addresses; see the Source IP and Origin IP rows in the table below).
Value: the text or regular expression the Check compares against. Leave it blank for Exist.
| Condition | Description | Example |
| --- | --- | --- |
| <form> | HTML forms are used to pass data to a server | "form doesn't have length 0" |
| GEO Location | Compares the source IP address to an ISO 3166 country code | GEO Location does equal GB, or GEO Location does equal DE (Germany) |
| Host | The host extracted from the URL | www.mywebsite.com or 192.168.1.1 |
| Language | The language extracted from the Accept-Language HTTP header | This condition produces a drop down with a list of languages |
| Method | A drop down of HTTP methods | GET, POST etc. |
| Origin IP | If an upstream proxy supplies X-Forwarded-For (XFF), the true origin address taken from it | Client IP. Can also match multiple IPs or subnets with a regex, e.g. ^10\.1\.2\.\d{1,3}$ for the 10.1.2.0/24 subnet. Trust XFF only when the ALB-X sits behind a proxy you control; a client that reaches the ALB-X directly can set its own X-Forwarded-For header |
| Path | The path of the requested URL | /mywebsite/index.asp |
| POST | POST request method | Check data being uploaded to a website |
| Query | The name and value of a single query parameter; the Match is the parameter name and the Value its value | Best=jetNEXUS, where the Match is Best and the Value is jetNEXUS |
| Query String | The whole query string after the ? character | |
| Request Cookie | The name of a cookie sent by the client | MS-WSMAN=afYfn1CDqqCDqUD:: |
| Request Header | Any HTTP request header | Referer, User-Agent, From, Date |
| Request Version | The HTTP version of the request | HTTP/1.0 or HTTP/1.1 |
| Response Body | A user defined string in the response body | Server UP |
| Response Code | The HTTP status code and reason phrase of the response | 200 OK, 304 Not Modified |
| Response Cookie | The name of a cookie set by the server | MS-WSMAN=afYfn1CDqqCDqUD:: |
| Response Header | Any HTTP response header | Server, Set-Cookie, Date, ETag |
| Response Version | The HTTP version sent by the server | HTTP/1.0 or HTTP/1.1 |
| Source IP | The address the connection arrives from: the origin IP, a proxy server IP or some other aggregated IP address | Client IP, Proxy IP, Firewall IP. Can also match multiple IPs or subnets with a regex. Escape the dots, which are regex metacharacters: 10\.1\.2\.3 matches 10.1.2.3. Anchor the pattern as ^10\.1\.2\.3$, otherwise 110.1.2.3 and 10.1.2.30 also match |
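Regex-based IP matching is easy to get wrong, and it matters most when a Source IP or Origin IP condition is used to block or allow clients. The Python below is an added example, not part of this page or of the ALB-X product: it runs the loose patterns a rule author might type (including the page's own 10\.1\.2\.* and a spaced alternation) and an anchored alternative over a constructed list of addresses, using a real CIDR test as ground truth, and reports which addresses a Match RegEx check would wrongly accept or miss. Names such as SAMPLE_IPS, overmatched and undermatched are the example's own.

```python
import ipaddress
import re

# Constructed client addresses as Source IP / Origin IP would see them
# (not taken from any real log).
SAMPLE_IPS = [
    "10.1.2.3",      # in 10.1.2.0/24: should match
    "10.1.2.250",    # in 10.1.2.0/24: should match
    "10.1.25.3",     # outside: "10.1.2" is merely a prefix of "10.1.25"
    "110.1.2.3",     # outside: "10.1.2" occurs mid-string
    "10x1y2z3",      # not an address at all; unescaped dots would accept it
    "192.168.1.1",
]

# Patterns in the form a rule author might type them into the Value field.
LOOSE_PATTERNS = {
    "unescaped dots": r"10.1.2.*",            # "." matches any character
    "page example": r"10\.1\.2\.*",           # "\.*" is zero or more literal dots, not "anything"
    "spaces around bar": r"10\..* | 11\..*",  # the spaces become part of each alternative
}

# Anchored, fully specified pattern for "the 10.1.2.0/24 subnet".
STRICT_SUBNET_RE = re.compile(r"^10\.1\.2\.(25[0-5]|2[0-4]\d|1?\d{1,2})$")


def regex_matches(pattern, ips):
    """Addresses a 'Does Match RegEx' check accepts. PCRE (like Python's re)
    searches anywhere in the string unless the pattern is anchored."""
    rx = re.compile(pattern)
    return [ip for ip in ips if rx.search(ip)]


def subnet_matches(cidr, ips):
    """Ground truth: real CIDR membership, ignoring strings that are not addresses."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for ip in ips:
        try:
            if ipaddress.ip_address(ip) in net:
                hits.append(ip)
        except ValueError:
            pass
    return hits


def overmatched(pattern, cidr, ips):
    """Addresses the regex accepts that are NOT in the intended subnet."""
    wanted = set(subnet_matches(cidr, ips))
    return [ip for ip in regex_matches(pattern, ips) if ip not in wanted]


def undermatched(pattern, cidr, ips):
    """Addresses in the intended subnet that the regex fails to accept."""
    got = set(regex_matches(pattern, ips))
    return [ip for ip in subnet_matches(cidr, ips) if ip not in got]


if __name__ == "__main__":
    for name, pat in LOOSE_PATTERNS.items():
        print(f"{name:18} over: {overmatched(pat, '10.1.2.0/24', SAMPLE_IPS)} "
              f"under: {undermatched(pat, '10.1.2.0/24', SAMPLE_IPS)}")
    print("anchored           over:", overmatched(STRICT_SUBNET_RE.pattern, "10.1.2.0/24", SAMPLE_IPS),
          "under:", undermatched(STRICT_SUBNET_RE.pattern, "10.1.2.0/24", SAMPLE_IPS))
```

The two failure modes are opposite: the unescaped and page-example patterns accept addresses outside the subnet (a block rule becomes too broad, an allow rule lets strangers in), while the spaced alternation accepts nothing at all, so the rule silently never fires.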
| Match | Description | Example |
| --- | --- | --- |
| Accept | Content-Types that are acceptable | Accept: text/plain |
| Accept-Encoding | Acceptable encodings | Accept-Encoding: gzip, deflate (other values include compress, sdch and identity) |
| Accept-Language | Acceptable languages for the response | Accept-Language: en-US |
| Accept-Ranges | What partial content range types this server supports | Accept-Ranges: bytes |
| Authorization | Authentication credentials for HTTP authentication | Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== |
| Charge-To | Contains account information for the costs of the application of the method requested | |
| Content-Encoding | The type of encoding used on the data | Content-Encoding: gzip |
| Content-Length | The length of the body in octets (8-bit bytes) | Content-Length: 348 |
| Content-Type | The MIME type of the body of the request (used with POST and PUT requests) | Content-Type: application/x-www-form-urlencoded |
| Cookie | An HTTP cookie previously sent by the server with Set-Cookie (below) | Cookie: $Version=1; Skin=new; |
| Date | Date and time at which the message was originated | Date: Tue, 15 Nov 1994 08:12:31 GMT |
| ETag | An identifier for a specific version of a resource, often a message digest | ETag: "aed6bdb8e090cd1:0" |
| From | The email address of the user making the request | From: user@example.com |
| If-Modified-Since | Allows a 304 Not Modified to be returned if content is unchanged | If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT |
| Last-Modified | The last modified date for the requested object, in HTTP-date (RFC 1123 / RFC 7231) format | Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT |
| Pragma | Implementation-specific headers that may have various effects anywhere along the request-response chain | Pragma: no-cache |
| Referrer | The address of the previous web page from which a link to the currently requested page was followed. On the wire the header name is spelt Referer (the misspelling is part of the HTTP standard), so a Match typed by hand must use that spelling | Referer: http://www.edgenexus.io |
| Server | A name for the server | Server: Apache/2.4.1 (Unix) |
| Set-Cookie | An HTTP cookie | Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1 |
| User-Agent | The user agent string of the user agent | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) |
| Vary | Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server | Vary: User-Agent |
| X-Powered-By | Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application | X-Powered-By: PHP/5.4.0 |
| Check | Description | Example |
| --- | --- | --- |
| Exist | Only tests whether the item is present or absent, not its content | Host — Does — Exist |
| Start | The string starts with the Value | Path — Does — Start — /secure |
| End | The string ends with the Value | Path — Does — End — .jpg |
| Contain | The string contains the Value | Request Header — Accept — Does — Contain — image |
| Equal | The string equals the Value | Host — Does — Equal — www.jetnexus.com |
| Have Length | The string has exactly the length given in the Value | Host — Does — Have Length — 16 (www.jetnexus.com = TRUE, www.jetnexus.co.uk = FALSE) |
| Match RegEx | Enter a full Perl compatible regular expression | Origin IP — Does — Match RegEx — ^1[01]\. (matches addresses in 10.0.0.0/8 or 11.0.0.0/8; alternation such as item1|item2 also works, but do not put spaces around the bar, as they become part of the pattern) |
Example:
- A rule with two conditions, BOTH of which must be met to carry out the action:
- The first checks that the requested object is an image (Condition = Path, Sense = Does, Check = End, Value = .jpg)
- The second checks for a specific hostname (Condition = Host, Sense = Does, Check = Equal, Value = www.mywebsite.com)
Evaluation
Adding a Variable is a very powerful feature that lets you extract data from the request and include it in the actions. For example you could log a user's username, or send an email if there is a security problem.
- Variable: the name must start and end with a $ symbol, e.g. $crawler$
- Source: select the source of the variable from the drop down box
- Detail: select from the list when relevant. If the Source is Request Header, the Detail could be User-Agent
- Value: enter text or a regular expression to fine tune the variable; the part of the source that matches becomes the variable's value
Built-in Variables:
- Built-in variables are already hard coded, so you do not need to create an Evaluation entry for them.
- You can use any of the variables listed below in your Action.
- The explanation for each variable is in the Condition table above.
- Method = $method$
- Path = $path$
- Querystring = $querystring$
- Sourceip = $sourceip$
- Response code (text also included, e.g. "200 OK") = $resp$
- Host = $host$
- Version = $version$
- Clientport = $clientport$
- Clientip = $clientip$
- Geolocation = $geolocation$
Example Action:
- Action = Redirect 302
- Target = https://$host$/404.html
- Action = Log
- Target = A client from $sourceip$:$clientport$ has just made a request to the $path$ page
Explanation:
- A client accessing a page that does not exist would ordinarily be presented with the browser's 404 page.
- In this instance the user is redirected to the original hostname they used, but the wrong path is replaced with 404.html.
- An entry is added to the syslog saying "A client from 154.3.22.14:3454 has just made a request to the wrong.html page".
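To make the Condition / Evaluation / Action model concrete, here is an added Python model of how a rule is evaluated. It is not the ALB-X implementation (this page does not describe the product's internals); it AND-s the conditions, supports Does/Doesn't and the Check types from the table, extracts Evaluation variables, expands $name$ tokens in the action Target, and runs the Redirect 302 + Log example above and the Log Spider pre-built rule over a constructed request. The request fields, the FIELD_FOR mapping and the two conditions attached to the 404 example (Response Code Does Contain 404, and Path Doesn't Equal /404.html so the redirect cannot loop) are assumptions of the example, not settings taken from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed request/response as the ALB-X might see it (not captured traffic).
REQUEST = {
    "method": "GET",
    "host": "www.mywebsite.com",
    "path": "/wrong.html",
    "querystring": "?id=7",
    "sourceip": "154.3.22.14",
    "clientport": "3454",
    "resp": "404 Not Found",   # exposed as $resp$, as the built-in list shows
    "headers": {"User-Agent": "Mozilla/5.0", "Accept": "text/html,image/webp"},
}
FIELD_FOR = {"responsecode": "resp", "requestheader": "headers"}  # assumed UI-name -> key mapping

@dataclass
class Condition:
    condition: str        # "Path", "Host", "Request Header", "Response Code", ...
    check: str            # Exist, Start, End, Contain, Equal, Have Length, Match RegEx
    value: str = ""
    match: str = ""       # header name when the condition is Request Header
    sense: str = "Does"   # "Does" or "Doesn't"

@dataclass
class Variable:
    name: str             # e.g. "$crawler$": delimited with $ as the page requires
    source: str
    detail: str = ""
    value: str = ""       # optional regex; the text it matches becomes the value

@dataclass
class Rule:
    conditions: list = field(default_factory=list)
    variables: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # (action, target, data) tuples

CHECKS = {
    "Start": lambda s, v: s.startswith(v),
    "End": lambda s, v: s.endswith(v),
    "Contain": lambda s, v: v in s,
    "Equal": lambda s, v: s == v,
    "Have Length": lambda s, v: len(s) == int(v),
    "Match RegEx": lambda s, v: re.search(v, s) is not None,  # unanchored search, as PCRE is
}

def subject(req, name, match=""):
    """The string a Condition or Source refers to, or None if it is absent."""
    key = name.lower().replace(" ", "")
    key = FIELD_FOR.get(key, key)
    if key == "headers":
        return req["headers"].get(match)
    return req.get(key)

def check_holds(cond, req):
    s = subject(req, cond.condition, cond.match)
    if cond.check == "Exist":
        result = s is not None
    else:
        result = s is not None and CHECKS[cond.check](s, cond.value)
    return result if cond.sense == "Does" else not result

def expand(template, env):
    """Substitute every $name$ token; unknown names are left untouched."""
    return re.sub(r"\$[a-z_]+\$", lambda m: env.get(m.group(0), m.group(0)), template)

def run_rule(rule, req):
    """Actions that fire, as (action, expanded target, expanded data).
    ALL conditions must hold (they are AND-ed); a rule with none always fires."""
    if not all(check_holds(c, req) for c in rule.conditions):
        return []
    env = {f"${k}$": v for k, v in req.items() if k != "headers"}   # built-in variables
    for var in rule.variables:                                       # Evaluation section
        raw = subject(req, var.source, var.detail) or ""
        m = re.search(var.value, raw) if var.value else None
        env[var.name] = m.group(0) if m else raw
    return [(a, expand(t, env), expand(d, env)) for a, t, d in rule.actions]

# The page's Example Action. The conditions are this example's assumption: fire on
# a 404 (as pre-built rule 12 does) but never for /404.html itself, or it would loop.
NOT_FOUND_RULE = Rule(
    conditions=[Condition("Response Code", "Contain", "404"),
                Condition("Path", "Equal", "/404.html", sense="Doesn't")],
    actions=[("Redirect 302", "https://$host$/404.html", ""),
             ("Log", "A client from $sourceip$:$clientport$ has just made a request to the $path$ page", "")],
)

# Pre-built rule 5 (Log Spider): an Evaluation variable carries the User-Agent into the log line.
SPIDER_RULE = Rule(
    conditions=[Condition("Request Header", "Match RegEx", "Googlebot|Slurp|bingbot|ia_archiver", match="User-Agent")],
    variables=[Variable("$crawler$", "Request Header", "User-Agent")],
    actions=[("Log Event", "[$crawler$] $host$$path$$querystring$", "")],
)

if __name__ == "__main__":
    for fired in run_rule(NOT_FOUND_RULE, REQUEST):
        print(fired)
    bot = dict(REQUEST, headers={"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"})
    print(run_rule(SPIDER_RULE, REQUEST))   # []: a browser User-Agent does not match
    print(run_rule(SPIDER_RULE, bot))
```

The second condition on NOT_FOUND_RULE is the kind of guard worth adding to any redirect rule: if the redirect target can itself satisfy the condition, the client is sent round in circles.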
| Source | Description | Example |
| --- | --- | --- |
| Cookie | The name and value of the cookie header | MS-WSMAN=afYfn1CDqqCDqUD:: where the name is MS-WSMAN and the value is afYfn1CDqqCDqUD:: |
| Host | The hostname extracted from the URL | www.mywebsite.com or 192.168.1.1 |
| Language | The language extracted from the Accept-Language HTTP header | This source produces a drop down with a list of languages |
| Method | A drop down of HTTP methods | The drop down includes GET, POST etc. |
| Path | The path of the requested URL | /mywebsite/index.html |
| POST | POST request method | Check data being uploaded to a website |
| Query Item | The name and value of a single query parameter; the Match is the parameter name and the Value its value | Best=jetNEXUS, where the Match is Best and the Value is jetNEXUS |
| Query String | The whole string after the ? character | http://server/path/program?query_string |
| Request Header | Any header sent by the client | Referer, User-Agent, From, Date |
| Response Header | Any header sent by the server | Server, Set-Cookie, Date, ETag |
| Version | The HTTP version | HTTP/1.0 or HTTP/1.1 |
Detail: when the Source is Request Header or Response Header, the Detail is the header name. The drop down offers the same headers, with the same descriptions and examples, as the Match table in the Condition section above (Accept through X-Powered-By).
Action
The Action is the task or tasks that are carried out once the condition or conditions have been met.
Action: select the action from the drop down list.
Target: view the drop down list; the list changes depending on the Action. With some actions you may also type the Target manually.
Data: the value some actions need in addition to the Target, for example the header or cookie value to add, or the replacement string for a body replace.
The list of all the actions is detailed below:
| Action | Description | Example |
| --- | --- | --- |
| Add Request Cookie | Add the request cookie named in Target with the value in Data | Target= Cookie, Data= MS-WSMAN=afYfn1CDqqCDqCVii |
| Add Request Header | Add a request header of the Target type with the value in Data | Target= Accept, Data= image/png |
| Add Response Cookie | Add the response cookie named in Target with the value in Data | Target= Cookie, Data= MS-WSMAN=afYfn1CDqqCDqCVii |
| Add Response Header | Add a response header named in Target with the value in Data | Target= Cache-Control, Data= max-age=8888888 |
| Body Replace All | Search the response body and replace all instances | Target= http:// (search string), Data= https:// (replacement string) |
| Body Replace First | Search the response body and replace the first instance only | Target= http:// (search string), Data= https:// (replacement string) |
| Body Replace Last | Search the response body and replace the last instance only | Target= http:// (search string), Data= https:// (replacement string) |
| Drop | Drops the connection | Target= N/A, Data= N/A |
| Email | Sends an email to the address configured in Email Events. A variable can be used as the address or in the message | Target= "flightPATH has emailed this event", Data= N/A |
| Log Event | Logs an event to the system log | Target= "flightPATH has logged this in syslog", Data= N/A |
| Redirect 301 | Issues a permanent redirect | Target= http://www.edgenexus.io, Data= N/A |
| Redirect 302 | Issues a temporary redirect | Target= http://www.edgenexus.io, Data= N/A |
| Remove Request Cookie | Removes the request cookie named in Target | Target= Cookie, Data= MS-WSMAN=afYfn1CDqqCDqCVii |
| Remove Request Header | Removes the request header named in Target | Target= Server, Data= N/A |
| Remove Response Cookie | Removes the response cookie named in Target | Target= jnAccel |
| Remove Response Header | Removes the response header named in Target | Target= Etag, Data= N/A |
| Replace Request Cookie | Replaces the request cookie named in Target with the value in Data | Target= Cookie, Data= MS-WSMAN=afYfn1CDqqCDqCVii |
| Replace Request Header | Replaces the request header named in Target with the Data value | Target= Connection, Data= keep-alive |
| Replace Response Cookie | Replaces the response cookie named in Target with the value in Data | Target= jnAccel=afYfn1CDqqCDqCVii, Data= MS-WSMAN=afYfn1CDqqCDqCVii |
| Replace Response Header | Replaces the response header named in Target with the value in Data | Target= Server, Data= Withheld for Security |
| Rewrite Path | Rewrites the request path to a new URL based on the condition before the request is passed to the server. Unlike a Redirect, the client is not told about the new path, which is what lets it hide internal directory structure | Target= /test/path/index.html$querystring$, Data= N/A |
| Use Secure Server | Select which secure server or virtual service to use | Target= 192.168.101:443, Data= N/A |
| Use Server | Select which server or virtual service to use | Target= 192.168.101:80, Data= N/A |
| Encrypt Cookie | 3DES-encrypts the cookie value and then base64 encodes it. 3DES is a legacy cipher that NIST has deprecated for new applications, so use a long, random pass phrase and do not treat an encrypted cookie as a substitute for validating the session on the server | Target= the name of the cookie to be encrypted; a trailing * can be used as a wildcard, Data= a pass phrase for the encryption |
Example:
An Action of Redirect 302 with a Target of https://$host$$path$$querystring$ issues a temporary redirect to the browser to a secure HTTPS Virtual Service, using the same hostname, path and querystring as the request.
Common Uses:
Application Firewall and Security:
- Block unwanted IPs
- Force users to HTTPS for specific (or all) content
- Block or redirect spiders
- Detect, block and alert on cross-site scripting
- Detect, block and alert on SQL injection
- Hide internal directory structure
- Rewrite cookies
- Secure a directory for particular users
Pattern-based rules for cross-site scripting and SQL injection only catch the strings they are written to catch; treat them as a first line of defence that complements, rather than replaces, input validation in the application itself.
Features:
- Redirect users based on path
- Provide single sign on across multiple systems
- Segment users based on User ID or Cookie
- Add headers for SSL offload
- Language detection
- Rewrite user requests
- Fix broken URLs
- Log and email alerts on 404 response codes
- Prevent directory access/browsing
- Send spiders different content
Pre-Built Rules:
1. HTML Extension:
Rewrites requests for .htm files to the .html equivalent on the server.
- Condition = Path
- Sense = Does
- Check = Match RegEx
- Value = \.htm$
- Evaluation = blank
- Action = Rewrite Path
- Target = $path$l
2. Index.html:
As written, the condition is true for every request (a request always has a Host), so every path would be redirected, and /index.html would itself be redirected to /index.htmlindex.html. Add a second condition, Path Does End /, so that only requests for a directory are redirected.
- Condition = Host
- Sense = Does
- Check = Exist
- Evaluation = blank
- Action = Redirect 302
- Target = http://$host$$path$index.html$querystring$
3. Close Folders:
- Condition = (this needs proper thought; not yet defined)
- Sense =
- Check =
- Evaluation = blank
- Action =
- Target =
4. Hide CGI-BIN:
- Condition = Path
- Sense = Does
- Check = Match RegEx
- Value = \.cgi$
- Evaluation = blank
- Action = Rewrite Path
- Target = /cgi-bin$path$
5. Log Spider:
- Condition = Request Header
- Match = User-Agent
- Sense = Does
- Check = Match RegEx
- Value = Googlebot|Slurp|bingbot|ia_archiver
- Variable = $crawler$
- Source = Request Header
- Detail = User-Agent
- Action = Log Event
- Target = [$crawler$] $host$$path$$querystring$
6. Force HTTPS:
If a client is accessing anything containing the /secure/ directory they will be redirected to the HTTPS version of the URL requested. Apply this rule to the HTTP Virtual Service only: on the HTTPS service the same condition would match again and redirect the client to itself in a loop.
- Condition = Path
- Sense = Does
- Check = Contain
- Value = /secure/
- Evaluation = blank
- Action = Redirect 302
- Target = https://$host$$path$$querystring$
7. Media Stream:
- Condition = Path
- Sense = Does
- Check = End
- Value = .flv
- Evaluation = blank
- Action = Redirect 302
- Target = http://$host$:8080$path$
($path$ already begins with a /, so the Target does not need one after the port.)
8. Swap HTTP to HTTPS:
This rewrites every http:// in the response body, including links to third-party sites that may not serve HTTPS.
- Condition = Response Code
- Sense = Does
- Check = Equal
- Value = 200 OK
- Evaluation = blank
- Action = Body Replace All
- Target = http://
- Data = https://
9. Blank out Credit Cards:
Masks 16-digit card numbers written as four hyphen-separated groups of four digits. Numbers written with spaces or without separators are not matched by this pattern, and any 4-4-4-4 digit string (an order reference, for example) is masked whether or not it is a card number.
- Condition = Response Code
- Sense = Does
- Check = Equal
- Value = 200 OK
- Evaluation = blank
- Action = Body Replace All
- Target = [0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}
- Data = xxxx-xxxx-xxxx-xxxx
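Body-replace masking is only as good as its pattern. The Python below is an added example, not part of this page or of the product: it applies the rule's original Target pattern (repeated [0-9]+ groups, hyphens only) and a tightened PCRE that also handles space-separated and unseparated 16-digit numbers to a constructed response body, and adds a Luhn check so that 16-digit values that merely look like card numbers are left alone. flightPATH's Body Replace takes a regex and a literal replacement, so the Luhn step cannot be expressed in the rule itself; it is here to show the false-positive risk. 4111 1111 1111 1111 is a published test number, not a real account, and names such as mask_cards and page_rule_hits are the example's own.

```python
import re

# The pre-built rule's original Target: repeated "[0-9]+" groups, hyphens only.
PAGE_PATTERN = (r"[0-9]+[0-9]+[0-9]+[0-9]+-[0-9]+[0-9]+[0-9]+[0-9]+-"
                r"[0-9]+[0-9]+[0-9]+[0-9]+-[0-9]+[0-9]+[0-9]+[0-9]+")

# Tightened PCRE: exactly 4x4 digits; the same separator (hyphen, space or
# none) between all groups via the \1 back-reference; whole token only.
CARD_RE = re.compile(r"\b\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}\b")


def luhn_ok(digits):
    """Mod-10 checksum that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def page_rule_hits(body):
    """What the page's original Body Replace All pattern would rewrite."""
    return re.findall(PAGE_PATTERN, body)


def mask_cards(body, keep_last4=False):
    """Body Replace All equivalent: replace each Luhn-valid 16-digit number
    with x's, keeping the original separator so the page layout is unchanged."""
    def repl(m):
        token = m.group(0)
        digits = re.sub(r"\D", "", token)
        if not luhn_ok(digits):
            return token              # looks like a card number but is not one
        sep = m.group(1)
        last = digits[-4:] if keep_last4 else "xxxx"
        return sep.join(["xxxx", "xxxx", "xxxx", last])
    return CARD_RE.sub(repl, body)


# Constructed response body. 4111 1111 1111 1111 is a published test PAN,
# not a real account; 1234-5678-9012-3456 fails the Luhn check.
SAMPLE_BODY = (
    "Card on file: 4111-1111-1111-1111\n"
    "Also seen as 4111 1111 1111 1111 and 4111111111111111\n"
    "Order ref 1234-5678-9012-3456 is not a card (fails Luhn)\n"
    "Short number 1234-5678 stays\n"
)

if __name__ == "__main__":
    print("page pattern would rewrite:", page_rule_hits(SAMPLE_BODY))
    print(mask_cards(SAMPLE_BODY))
    print(mask_cards(SAMPLE_BODY, keep_last4=True))
```

Against the sample body the original pattern rewrites the hyphenated card and the order reference but misses the two other forms of the same card; the tightened pattern catches all three card forms and leaves the order reference alone. If the rule must stay regex-only, \b\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}\b is a valid PCRE Target, with a fixed replacement such as xxxx-xxxx-xxxx-xxxx in Data.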
10. Content Expiry:
If the origin already sends a Cache-Control header, use Replace Response Header instead of Add, so the client does not receive two conflicting values.
- Condition = Response Code
- Sense = Does
- Check = Equal
- Value = 200 OK
- Evaluation = blank
- Action = Add Response Header
- Target = Cache-Control
- Data = max-age=3600
11. Spoof Server Type:
- Condition = Response Code
- Sense = Does
- Check = Equal
- Value = 200 OK
- Evaluation = blank
- Action = Replace Response Header
- Target = Server
- Data = Secret
12. Never Send Errors:
Every 404 becomes a temporary redirect to the site root. Make sure / itself can never return a 404, or the client will be redirected in a loop, and bear in mind that non-browser clients (APIs, monitoring) lose the 404 signal.
- Condition = Response Code
- Sense = Does
- Check = Contain
- Value = 404
- Evaluation = blank
- Action = Redirect 302
- Target = http://$host$/
13. Redirect on Language:
The variable captures the host up to and including its last dot (www.example. from www.example.com), so the Target becomes http://www.example.de/... Do not apply the rule to the .de host itself, or it will redirect in a loop.
- Condition = Language
- Sense = Does
- Check = Contain
- Value = German (Standard)
- Variable = $host_template$
- Source = Host
- Value = .*\.
- Action = Redirect 302
- Target = http://$host_template$de$path$$querystring$
14. Google Analytics:
Inserts the tracking snippet before the closing body tag of every successful HTML response. Replace MY GOOGLE CODE with your own property ID. An inline script injected this way will be blocked by a Content-Security-Policy that uses nonces or hashes, so check the site's CSP before enabling it.
- Condition = Response Code
- Sense = Does
- Check = Equal
- Value = 200 OK
- Evaluation = blank
- Action = Body Replace Last
- Target = </body>
- Data =
<script type='text/javascript'> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'MY GOOGLE CODE']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </body>
15. IPv6 Gateway:
This rule is used on IPv6 Services. IIS IPv4 servers do not like to see an IPv6 address in the client's Host request header, so this rule replaces it with a generic name. There is no condition, so the rule applies to every request on the service.
- Condition = blank
- Evaluation = blank
- Action = Replace Request Header
- Target = Host
- Data = ipv4.host.header