How to Rewrite Server HTTP Response Codes to Redirect Clients to a Different Page

Redirecting the Client Requests to a Custom Page when the Backend Server returns the 404 Response Code

To redirect the client requests to a custom page when the backend server returns the 404 response code, complete the following procedure:

  • Connect to the NetScaler appliance by using an SSH utility, such as PuTTY.
  • From the command line interface of the appliance, run the following command to create a rewrite action:
    add rewrite action sample_rewrite_action replace_http_res "\"HTTP/1.1 302 Temporary Redirect\nLocation: http://<Custom_Error_Page_Link>\n\n\""
  • Run the following command to create a rewrite policy:
    add rewrite policy sample_rewrite_policy 'HTTP.RES.STATUS.EQ(404)' sample_rewrite_action
  • Run the following command to bind the policy globally:
    bind rewrite global sample_rewrite_policy 1

    Alternatively, bind the policy directly to a virtual server instead of globally:

    bind lb vserver LB_VServer_Name -policyName sample_rewrite_policy -priority 100 -type RESPONSE

Note: In the preceding commands, the 302 Temporary Redirect response code is used to redirect the client request to the customized page when the server returns a 404.

Note: Ensure that you have enabled the HTTP Rewrite feature of the NetScaler appliance.

“Q11827 HTTP Security Header Not Detected” on NetScaler Management IP Using Qualys Scan

Note:

1. This is a generic template that applies across various NS versions; some of these headers may not be needed on later versions. For version-specific configuration, review the Fiddler or browser developer-tools output while accessing the NetScaler Management IP, and apply the configuration in Part 2 for the missing headers only.

2. Take a system backup before making any changes.

3. After making these changes, thoroughly check GUI access and the functionality of API-based monitoring tools (NMAS, Command Center, or any other) with NetScaler.


Part 1: Execute the following commands at the shell prompt to enable the rewrite feature on the Management IP and to make the change persistent across reboots (on both primary and secondary):

nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0

cd /nsconfig

echo nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 >> rc.netscaler

cat rc.netscaler | grep skip_systemaccess


Part 2: Exit from the shell and execute the following commands at the > prompt (on the primary only; these commands will sync to the secondary):

enable ns feature rewrite

add policy expression is_management_ip client.ip.dst.eq(SYS.NSIP)

add rewrite action insert_x-xss-protection_act insert_http_header X-XSS-Protection "\"1; mode=block\""

add rewrite action insert_x-content-type-options_act insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action insert_x-frame-options_act insert_http_header X-Frame-Options "\"SAMEORIGIN\""

add rewrite action insert_x-hsts-header_act insert_http_header Strict-Transport-Security "\"max-age=157680000; includeSubDomains\""

add rewrite action insert_CSP_act insert_http_header Content-Security-Policy "\"frame-ancestors 'self'\""

add rewrite policy insert_x-xss-protection_pol "is_management_ip && http.RES.HEADER(\"X-XSS-Protection\").EXISTS.NOT" insert_x-xss-protection_act

add rewrite policy insert_x-content-type-options_pol "is_management_ip && http.RES.HEADER(\"X-Content-Type-Options\").EXISTS.NOT" insert_x-content-type-options_act

add rewrite policy insert_x-frame-options_pol "is_management_ip && http.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" insert_x-frame-options_act

add rewrite policy insert_x-hsts-header_pol "is_management_ip && http.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" insert_x-hsts-header_act

add rewrite policy insert_CSP_pol "is_management_ip && http.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT" insert_CSP_act

#Note: The priority numbers below may have to be edited so that they do not conflict with existing globally bound policies.

bind rewrite global insert_x-xss-protection_pol 2 next -type RES_DEFAULT

bind rewrite global insert_x-content-type-options_pol 3 next -type RES_DEFAULT

bind rewrite global insert_x-frame-options_pol 4 next -type RES_DEFAULT

bind rewrite global insert_CSP_pol 5 next -type RES_DEFAULT

bind rewrite global insert_x-hsts-header_pol 6 next -type RES_DEFAULT
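
Note 1 above says to apply the Part 2 configuration for the missing headers only. The following Python sketch is an added example, not part of the original article or of any NetScaler tooling: it takes raw response heads saved from Fiddler or browser developer tools and lists which of the Part 2 policies are still needed. The two sample responses are constructed, and the function names are hypothetical.

```python
# Added example. Policy names come from Part 2 of the page; the two sample
# responses are constructed for illustration, not captured from an appliance.
POLICY_FOR_HEADER = {
    "X-XSS-Protection": "insert_x-xss-protection_pol",
    "X-Content-Type-Options": "insert_x-content-type-options_pol",
    "X-Frame-Options": "insert_x-frame-options_pol",
    "Strict-Transport-Security": "insert_x-hsts-header_pol",
    "Content-Security-Policy": "insert_CSP_pol",
}

SAMPLE_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html></html>"
)
SAMPLE_STATIC = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=157680000; includeSubDomains\r\n"
    "\r\n"
)


def header_names(raw_response):
    """Return the lower-cased header names from a raw HTTP response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    names = set()
    for line in head.split("\n")[1:]:            # skip the status line
        if line[:1] in (" ", "\t") or ":" not in line:
            continue                               # folded or malformed line
        names.add(line.split(":", 1)[0].strip().lower())
    return names


def policies_needed(raw_responses):
    """Policies for headers missing from at least one response, page order."""
    seen = [header_names(r) for r in raw_responses]
    # Header names are case-insensitive, so compare in lower case.
    return [policy for header, policy in POLICY_FOR_HEADER.items()
            if any(header.lower() not in names for names in seen)]


if __name__ == "__main__":
    for policy in policies_needed([SAMPLE_LOGIN, SAMPLE_STATIC]):
        print("still needed:", policy)
```

A header counts as missing if any sampled response lacks it, because a scanner can flag any response served from the Management IP.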

How to Force Secure and HttpOnly Cookie Options for Websites Using NetScaler Appliance

Important! You cannot use the HttpOnly option when a web application requires access to cookie contents by using a client-side script such as JavaScript or a client-side Java applet. The method described in this article can rewrite only server-generated cookies, not cookies generated by the NetScaler appliance (for example, AppFirewall, persistence, and VPN session cookies).

Also note that this procedure is not applicable to VPN Vservers.

To configure the NetScaler appliance to force the Secure and HttpOnly flags for an existing HTTP virtual server, complete the following steps:

Using NetScaler GUI

  1. Go to Rewrite > Actions, and then click Add to add a new rewrite action.

  2. Go to Rewrite > Policies, and then click Add to add a new rewrite policy.

  3. Go to Load Balancing > Virtual Servers, and then bind the Rewrite (Response) policy to the corresponding SSL VServer.

Using NetScaler CLI

  1. Create a rewrite action (this example is configured to set both the Secure and HttpOnly flags. If either one is missing, modify it as necessary for other combinations).

    add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"path=/; Secure; HttpOnly\"" -search "regex(re!(path=/\\; Secure; HttpOnly)|(path=/\\; Secure)|(path=/\\; HttpOnly)|(path=/)!)" -bypassSafetyCheck YES

  2. Create a rewrite policy to trigger the action.

    add rewrite policy rw_force_secure_cookie "http.RES.HEADER(\"Set-Cookie\").EXISTS" act_cookie_Secure

  3. Bind the rewrite policy to the VServer to be secured (if the Secure option is used, an SSL VServer should be used).

    bind lb vserver mySSLVServer -policyName rw_force_secure_cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
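
The search pattern in act_cookie_Secure only acts on cookies whose attributes match it exactly, so it is worth testing against the Set-Cookie headers your application actually sends before binding the policy. The following Python model is an added example, not part of the original article: it applies the same alternation and replacement with Python's re module, assuming case-sensitive matching as a stand-in for the appliance's regex engine. The cookie values are constructed and the function names are hypothetical.

```python
import re

# Pattern and replacement from the rewrite action act_cookie_Secure, written
# as the regex engine receives them (after CLI unescaping).
SEARCH = re.compile(
    r"(path=/\; Secure; HttpOnly)|(path=/\; Secure)|(path=/\; HttpOnly)|(path=/)"
)
REPLACEMENT = "path=/; Secure; HttpOnly"


def rewrite_set_cookie(value):
    """Model of replace_all: substitute every match of SEARCH in the value."""
    return SEARCH.sub(REPLACEMENT, value)


def attributes(cookie):
    """Cookie attributes after the name=value pair, whitespace stripped."""
    return [part.strip() for part in cookie.split(";")[1:]]


def problems(original):
    """Describe what is wrong with the cookie after the rewrite, if anything."""
    new = attributes(rewrite_set_cookie(original))
    lowered = [attr.lower() for attr in new]
    found = []
    for flag in ("secure", "httponly"):
        if lowered.count(flag) == 0:
            found.append("missing " + flag)
        elif lowered.count(flag) > 1:
            found.append("duplicate " + flag)
    old_path = [a for a in attributes(original) if a.lower().startswith("path=")]
    new_path = [a for a in new if a.lower().startswith("path=")]
    if old_path != new_path:
        found.append("path changed")
    return found


# Constructed Set-Cookie values covering the cases the pattern does and
# does not handle.
SAMPLES = [
    "sid=abc; path=/",                    # plain root path
    "sid=abc; path=/; HttpOnly",          # one flag already present
    "sid=abc; Path=/",                    # capitalised attribute name
    "sid=abc; path=/app",                 # non-root path
    "sid=abc; path=/; HttpOnly; Secure",  # flags in the other order
    "sid=abc",                            # no path attribute at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(rewrite_set_cookie(sample)), problems(sample) or "ok")
```

Cookies reported with problems need a search pattern adapted to their format, which is the "modify it as necessary" case mentioned in step 1.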

How to have a random Background Image on NetScaler Gateway Page

1) Create a folder at and deposit your contents – label them desktop_0x.jpg:

2) Create a portal theme based on X1 and edit the background image to desktop_01.jpg (select image, upload it):

3) Bind the portal theme to NSG.

4) Then create the following policies (note that these commands are for the CLI, as they escape special characters):

>add rewrite action rewrite_image_background replace HTTP.REQ.URL.PATH_AND_QUERY "\"/logon/themes/custom_media_test/desktop_0\"+ sys.RANDOM.MUL(7).ADD(1).TYPECAST_NUM_AT+\".jpg\""

>add rewrite policy rewrite_background_request "http.REQ.URL.CONTAINS(\"desktop_01.jpg\") " rewrite_image_background

5) Bind the rewrite policy to the NetScaler Gateway.

6) Go to the NetScaler Gateway URL and refresh the page. You should be getting a random image every time you refresh.

How URL rewriting works in DataPower to be specific what is the effect of “URL Rewrite Direction”

What is the effect of assigning “Response” to “URL Rewrite Direction” to a URL rewrite policy?

Can we use URL rewrite policy to rewrite Backend URL?

Does it only rewrite statically defined “Default Backend URL” or has capability to dynamically defined “Backend URL”?

According to the documentation https://www.ibm.com/support/knowledgecenter/en/SS9H2Y_7.5.0/com.ibm.dp.doc/urlrewritepolicy.html, URL rewriting policy is invoked before processing which implies we will not be able to rewrite dynamically defined “Backend URL”. Is this true?

If we can’t use URL Rewrite policy to rewrite the backend URL what is the purpose of having “Response” value as an option for “URL Rewrite Direction”? If you could share use cases it will be helpful.

Re-evaluate after rewrite

I have an action to rewrite a URL, removing the path portion of the request:

<Proxy "fc rewrites">
client.address=fcServer client.protocol=https action.fcRewrite(yes)

define action fcRewrite
rewrite (url, "^https://(.+?)/.+$", "https://$(1)")
end action fcRewrite

On policy trace, it appears the original URL is evaluated by policy and appropriate action taken – only the rewritten URL is sent to the OCS. I need the re-written URL to be re-evaluated by policy, is this even possible?

Thanks all!
