You have probably used the NetScaler Rewrite feature many times to change bits and pieces of information as it flows through NetScaler in either direction. Have you considered whether the same Rewrite feature can be used to change the whole request, including its HTTP method and body? Hmmm… looks interesting 🙂

Many recent security publications and reports recommend transmitting sensitive information in the HTTP body rather than in the URL query string, because query strings end up in browser history, proxy and server access logs, and Referer headers. Many legacy applications, however, were written to send the username and password in the query string of an HTTP GET request. Here is a sample request:

GET /login.asp?user=xyz&pass=*^#JD12 HTTP/1.1

Accept: */*

Host: www.myapp.com

User-Agent: Mozilla/4.0

Now what if you are asked to accept this request from the client on NetScaler and convert it into a POST request, where the query portion becomes the POST body before it goes to the server? Quite a challenge, isn't it? Not really. This is the beauty of the AppExpert framework and the Rewrite feature on NetScaler: such requirements can be handled quite efficiently. Let us break the problem into logical parts:

1) Change request method from GET to POST

The first operation is to convert the request method itself. The following action takes care of it (the new method is a string constant, so it is quoted inside the CLI string):

add rewrite action replace-method replace HTTP.REQ.METHOD "\"POST\""

2) Insert query content in HTTP body

This is the core requirement: the query parameters must be transmitted as the body of the POST request. The following action inserts the URL query string after the full request header. HTTP.REQ.FULL_HEADER covers the request line, all headers and the terminating line break, so insert_after places the text exactly where the body begins. The HTTP_URL_SAFE typecast percent-encodes characters that are not safe in a URL, and -bypassSafetyCheck YES is required because the action deliberately copies client-supplied data into the rewritten request, which the rewrite safety check would otherwise refuse.

add rewrite action insert-into-body insert_after HTTP.REQ.FULL_HEADER HTTP.REQ.URL.QUERY.HTTP_URL_SAFE -bypassSafetyCheck YES

3) Insert Content-Length header

Once the request has been converted to POST and the query inserted as the body, the single most important step is to add a correct Content-Length header. Without it the server cannot tell where the body ends and will either ignore the body or reject the request; with a wrong value the server reads too few or too many bytes and the request is again treated as invalid.

add rewrite action insert-cl insert_http_header Content-Length HTTP.REQ.URL.QUERY.LENGTH

Because the value is an expression rather than a constant, this action works for a query of any length. One caveat: HTTP.REQ.URL.QUERY.LENGTH is the length of the raw query, while the body inserted in step 2 is the HTTP_URL_SAFE-encoded query. The two agree only when the typecast leaves the query unchanged, so either make sure your queries contain no characters it encodes, or compute the header from the same expression you use for the body.

4) Insert Content-Type header

Most server-side frameworks only parse the body as form fields when the Content-Type says so, so set it explicitly:

add rewrite action insert-ct insert_http_header Content-Type "\"application/x-www-form-urlencoded\""

5) Remove query from request URL

The last operation is to strip the query from the URL; otherwise the credentials would still reach the backend (and its access logs) in the request line, defeating the purpose of the exercise. The following action replaces the original path-and-query with the path alone.

add rewrite action remove-query replace HTTP.REQ.URL.PATH_AND_QUERY HTTP.REQ.URL.PATH.HTTP_URL_SAFE -bypassSafetyCheck YES

With these five steps the GET request above arrives at the backend as the following POST request. The Content-Length value is computed at runtime; for this sample body it is 21 bytes. Keep in mind what the rewrite does not change: the client still sent the credentials in the URL, so they remain in the browser history and in any logging that happens before the rewrite is applied. The conversion protects the backend side, not the client leg.

POST /login.asp HTTP/1.1

Accept: */*

Host: www.myapp.com

User-Agent: Mozilla/4.0

Content-Length: 21

Content-Type: application/x-www-form-urlencoded

user=xyz&pass=*^#JD12
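To see exactly what the backend receives, and to catch the one failure mode in this chain (a Content-Length that does not match the body), here is a small Python model of the five rewrite actions. This is an added example written for this page, not NetScaler code or output: it applies the same five changes to a raw request and then parses the result the way a strict backend would. The url_safe switch models the HTTP_URL_SAFE typecast with Python's urllib.parse.quote, which is an assumption about which characters NetScaler encodes, and SAMPLE_GET is a constructed request matching the one at the top of the post.

```python
# Added example for this page (not NetScaler code): a model of the five
# rewrite actions above, plus a strict parser for checking the result.
# Assumption: HTTP.REQ.URL.QUERY.HTTP_URL_SAFE is modelled with
# urllib.parse.quote(); the exact set of characters NetScaler encodes may differ.
from urllib.parse import quote


def _split_request(raw_request: bytes):
    """Return (request_line_parts, header_lines, body) of a raw HTTP/1.1 request."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header terminator (CRLF CRLF)")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    return parts, lines[1:], body


def get_to_post(raw_request: bytes, url_safe: bool = False) -> bytes:
    """Rewrite a GET-with-query request into the equivalent POST.

    Mirrors the NetScaler chain: the gating policy (GET and non-empty query),
    then replace-method, insert-into-body, insert-cl, insert-ct, remove-query.
    Every value is taken from the ORIGINAL request, which is why the chain
    binds remove-query last.
    """
    (method, target, version), header_lines, _ = _split_request(raw_request)
    path, qmark, query = target.partition(b"?")
    if method != b"GET" or not qmark or not query:
        return raw_request  # is_get_with_query does not match: pass through
    if url_safe:
        # Model of the HTTP_URL_SAFE typecast (assumption): percent-encode
        # everything except unreserved characters and the form delimiters.
        body = quote(query.decode("latin-1"), safe="=&/").encode("latin-1")
    else:
        body = query
    headers = [b"POST " + path + b" " + version] + header_lines
    # Content-Length is derived from the body actually inserted, so it can
    # never drift from it the way a length taken from the raw query could.
    headers.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    headers.append(b"Content-Type: application/x-www-form-urlencoded")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def check_post(raw: bytes) -> dict:
    """Parse a rewritten request the way a strict backend would and report
    whether the declared Content-Length matches the bytes that follow."""
    (method, target, _), header_lines, body = _split_request(raw)
    hdrs = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    declared = int(hdrs.get(b"content-length", b"-1"))
    return {
        "method": method.decode("ascii"),
        "path": target.decode("ascii"),
        "content_type": hdrs.get(b"content-type", b"").decode("ascii"),
        "declared_length": declared,
        "actual_length": len(body),
        "length_ok": declared == len(body),
        "body": body.decode("latin-1"),
    }


def length_mismatch_if_encoded(raw_request: bytes) -> int:
    """How far HTTP.REQ.URL.QUERY.LENGTH (raw query length, used by the
    post's insert-cl action) is from the length of the percent-encoded query.
    Non-zero means the backend would get a Content-Length that does not
    match the inserted body if the typecast encodes anything."""
    (_, target, _), _, _ = _split_request(raw_request)
    query = target.partition(b"?")[2]
    encoded = quote(query.decode("latin-1"), safe="=&/").encode("latin-1")
    return len(encoded) - len(query)


# Constructed sample matching the request shown at the top of the post.
SAMPLE_GET = (
    b"GET /login.asp?user=xyz&pass=*^#JD12 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: www.myapp.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    rewritten = get_to_post(SAMPLE_GET)
    print(rewritten.decode("latin-1"))
    print(check_post(rewritten))
    print("length drift if query gets percent-encoded:",
          length_mismatch_if_encoded(SAMPLE_GET))
```

Running it prints the rewritten POST for the sample request with Content-Length 21, and check_post confirms the declared length matches the body. length_mismatch_if_encoded returns 6 for the sample: the raw query is 21 bytes but its percent-encoded form is 27, which is exactly the gap between HTTP.REQ.URL.QUERY.LENGTH and the body that insert-into-body produces if the typecast encodes the characters *, ^ and #. If your queries can contain such characters, derive Content-Length from the same expression as the body, for example HTTP.REQ.URL.QUERY.HTTP_URL_SAFE.LENGTH (assuming the typecast result accepts the LENGTH operator as other text expressions do), rather than from the raw query length.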

The easiest way to run all five actions in order is to wrap each in a policy whose rule is simply true, bind those policies to a policy label, and invoke the label from a single global policy that matches only GET requests with a non-empty query string. The selector policy uses NOREWRITE because it changes nothing itself; it only gates the invocation. Here is the sample policy and policy label config:

add rewrite policy is_get_with_query "HTTP.REQ.URL.QUERY.LENGTH.GT(0) && HTTP.REQ.METHOD.EQ(GET)" NOREWRITE

add rewrite policy pol1 true replace-method

add rewrite policy pol2 true insert-into-body

add rewrite policy pol3 true insert-cl

add rewrite policy pol4 true insert-ct

add rewrite policy pol5 true remove-query

add rewrite policylabel get_to_post_group http_req

bind rewrite policylabel get_to_post_group pol1 1 NEXT

bind rewrite policylabel get_to_post_group pol2 2 NEXT

bind rewrite policylabel get_to_post_group pol3 3 NEXT

bind rewrite policylabel get_to_post_group pol4 4 NEXT

bind rewrite policylabel get_to_post_group pol5 5 END

bind rewrite global is_get_with_query 100 END -type REQ_DEFAULT -invoke policylabel get_to_post_group

With the above config the whole conversion is done in a single pass, and because the gating policy checks both the method and a non-empty query, requests that are already POSTs, or GETs without a query, pass through untouched. You must be wondering what other cool stuff can be done with this set of features…. Keep thinking 🙂