Use Case: Filtering clients by using an IP blacklist
HTTP callouts can be used to block requests from clients that are blacklisted by the administrator. The list of clients can be a publicly known blacklist, a blacklist that you maintain for you organization, or a combination of both.
The Citrix ADC appliance checks the IP address of the client against the pre-configured blacklist and blocks the transaction if the IP address has been blacklisted. If the IP address is not in the list, the appliance processes the transaction.
To implement this configuration, you must perform the following tasks:
- Enable responder on the Citrix ADC appliance.
- Create an HTTP callout on the Citrix ADC appliance and configure it with details about the external server and other required parameters.
- Configure a responder policy to analyze the response to the HTTP callout, and then bind the policy globally.
- Create an HTTP callout agent on the remote server.
Enabling responder
You must enable responder before you can use it.
To enable responder by using the GUI
- Make sure that you have installed the responder license.
- In the configuration utility, expand AppExpert, and right-clickResponder, and then clickEnable Responderfeature.
Creating an HTTP callout on the Citrix ADC appliance
Create an HTTP callout, HTTP_Callout, with the parameter settings shown in the following table. For more information about creating an HTTP callout, seeConfiguring an HTTP Calloutpdf.
Configuring a responder policy and binding it globally
After you configure the HTTP callout, verify the callout configuration, and then configure a responder policy to invoke the callout. While you can create a responder policy in the Policies sub-node and then bind it globally by using the Responder Policy Manager, this demonstration uses the Responder Policy Manager to create the responder policy and bind the policy globally.
To create a responder policy and bind it globally by usin
- Navigate toAppExpert>Responder.
- In the details pane, underPolicy Manager, clickPolicy Manager.
- In theResponder Policy Managerdialog box, clickOverride Global.
- ClickInsert Policy, and then, underPolicy Name, clickNew Policy.
In theCreate Responder Policydialog box, do the following:
- In Name, typePolicyResponder1.
- InAction, selectRESET.
- InUndefined-Result Action, selectGlobal undefined-resultaction.
InExpression, type the following default syntax expression:
"HTTP.REQ.HEADER("Request").EQ("Callout Request").NOT && SYS.HTTP_CALLOUT(HTTP_Callout).CONTAINS("IP Matched")"- ClickCreate, and then clickClose.
- ClickApply Changes, and then clickClose.
Creating an HTTP callout agent on the remote server
现在您必须创建一个HTTP callout剂remote callout server that will receive callout requests from the Citrix ADC appliance and respond appropriately. The HTTP callout agent is a script that is different for each deployment and must be written with the server specifications in mind, such as the type of database and the scripting language supported.
Following is a sample callout agent that verifies whether the given IP address is part of an IP blacklist. The agent has been written in the Perl scripting language and uses a MYSQL database.
The following CGI script checks for a given IP address on the callout server.
#!/usr/bin/perl -w print "Content-type: text/html\n\n"; use DBI(); use CGI qw(:standard); #Take the Client IP address from the request query my $ip_to_check = param('cip'); # Where a MYSQL database is running my $dsn = 'DBI:mysql:BAD_CLIENT:localhost'; # Database username to connect with my $db_user_name = ‘dbuser’; # Database password to connect with my $db_password = 'dbpassword'; my ($id, $password); # Connecting to the database my $dbh = DBI->connect($dsn, $db_user_name, $db_password); my $sth = $dbh->prepare(qq{ select * from bad_clnt }); $sth->execute(); while (my ($ip_in_database) = $sth->fetchrow_array()) { chomp($ip_in_database); # Check for IP match if ($ip_in_database eq $ip_to_check) { print "\n IP Matched\n"; $sth->finish(); exit; } } print "\n IP Failed\n"; $sth->finish(); exit;