HTTP Request Policy

Overview

HTTP request policies allow manipulation of HTTP requests. These requests may be modified before they are forwarded to the server, used as a basis for content switching, or discarded. The HTTP request policies may only be applied to a layer 7 virtual service configured with an HTTP profile. The table below lists the match criteria available under HTTP request, as well as the actions that can be configured to occur upon a match being made.

Note: This feature is supported for IPv6 in NSX Advanced Load Balancer.

Match Client IP: Client IP address or a group of client addresses.
  • Use a "-" to specify a range: 10.0.0.0-10.1.255.255
  • Use a "/" to specify a netmask: 10.0.0.0/24
  • Use a pre-defined IP group, which can be based on geo-location.
  • Note: Client IP address in IPv6 address format can also be used in NSX Advanced Load Balancer version 18.1.2.
Service Port: The ports the virtual service is listening on.
Protocol Type: HTTP or HTTPS.
Example: https://www.avinetworks.com/marketing/index.html?a=1&b=2
HTTP Method: The method used by the client request. The match is true if any one of the methods that an administrator specifies is true.
The options available are GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, and CONNECT. Starting with NSX Advanced Load Balancer version 18.2.3, you can also choose from the additional options: PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.
HTTP Version: True if the client version is .9, 1.0, or 1.1
Path: The path or a group of paths. In accordance with RFC 3986, a path is empty or starts with a forward slash. For the beginswith and equals match operators in an HTTP request match policy, the match string needs to begin with a forward slash to result in a match.
Example:
In https://www.avinetworks.com/marketing/index.html?a=1&b=2
the path is /marketing/index.html.
Query: A query or a group of queries. Do not add the leading ‘?’ or ‘&’ characters to a match.
Example: https://www.avinetworks.com/marketing/index.html?a=1&b=2
Headers: True if a header exists, or if it exists and contains a specified value
Cookie: True if a cookie exists, or if it exists and contains a specified value
Host Header: The request’s host header.
Example: https://www.avinetworks.com/marketing/index.html?a=1&b=2
Action Redirect URL: Redirects a client to a different protocol, port, host, or path. By default the host, path, and query are not altered unless an administrator populates those fields. The path field does not require a leading “/” slash character. To create a simple HTTP to HTTPS redirect, simply set the protocol to HTTPS. NOTE: The redirect action may not be stacked with other actions.
Modify Header: Allows adding, replacing, or removing of an HTTP header or cookie.
Note: Starting with NSX Advanced Load Balancer version 22.1.1, Is Sensitive field is added within the ‘Modify header’ action to mask any custom value that is sensitive.
Rewrite URL: Similar to ProxyPass functionality, this action allows for the client’s requested URL to be rewritten into a URL that the server understands. For instance, the client should usewww.avinetworks.com/sales, while the server may be configured for sales.avinetworks.com. The path field does not require a leading "/" slash character.
Content Switch: Forward matched requests to a pool, or a specific server with that pool. Alternatively, NSX Advanced Load Balancer can serve an HTTP response using HTTP status code 200 (success), 403 (unauthorized), 404 (file not found), or 429 (too many requests). A default page is sent for each of these status codes, or a custom html file may uploaded.
Note: Starting with NSX Advanced Load Balancer version 21.1.3, you can upload any type of file as a local response. It is recommended to configure a local file using the UI. To update the local file using API, encode the base64 file out of band and use the encoded format in the API.

Is Sensitive

Option to mask the custom values in ‘Modify Header’

Starting from NSX Advanced Load Balancer version 22.1.1, Is Sensitive field is added within Modify Header action to add any custom value which is sensitive.

The sensitive field (Is Sensitive) is a flag in HTTP header value which determines if the custom value has to be marked sensitive or not. If you check Is Sensitive field, then the custom value in Modify header option in action for HTTP Policy Set will be masked. An example is shown in the screenshot below:

is_sensitive

Note: The Is Sensitive is an immutable field, it can only be set or unset during creation of the HTTP policy.

As the header values are masked, updating an existing header can be difficult for the admins. To simplify this, NSX Advanced Load Balancer assigns an index, that is, an integer value to identify all the headers uniquely as shown in the screenshot above. This helps to remove the ambiguity. The index is auto assigned by NSX Advanced Load Balancer. If there is any requirement to change the index, it can be done using CLI or API and you need to ensure that the index should be a unique value.

The CLI for setting sensitive field for custom values in HTTP Policies is as follows:


+------------------------+----------------------------------------------------+
| Field                  | Value                                              |
+------------------------+----------------------------------------------------+
| uuid                   | httppolicyset-14be5dde-8ff2-4891-a930-a81b6f547d9b |
| name                   | test-HTTPPolicySet-0                               |
| http_request_policy    |                                                    |
|   rules[1]             |                                                    |
|     name               | Rule 1                                             |
|     index              | 1                                                  |
|     enable             | True                                               |
|     match              |                                                    |
|       vs_port          |                                                    |
|         match_criteria | IS_IN                                              |
|         ports[1]       | 80                                                 |
|     hdr_action[1]      |                                                    |
|       action           | HTTP_ADD_HDR                                       |
|       hdr              |                                                    |
|         name           | pqr                                                |
|         value          |                                                    |
|           val          | <sensitive>                                        |
|           is_sensitive | True                                               |
|       hdr_index        | 1                                                  |
| is_internal_policy     | False                                              |
| tenant_ref             | admin                                              |
+------------------------+----------------------------------------------------+

Document Revision History

Date Change Summary
July 15, 2022 Added Is Sensitive section for 22.1.1