Prioritizing Policies

Policies can be used to recreate similar functionality found elsewhere within the Avi Load Balancer. For instance, a policy can be configured to generate an HTTP redirect from HTTP to HTTPS. The same functionality can be configured within the Secure-HTTP application profile. Since a policy is more specific than a general purpose profile, the policy takes precedence.

If the profile is set to redirect HTTP to HTTPS through port 443, and the policy is set to redirect HTTP to HTTPS on port 8443, the client will be sent to port 8443. (See Execution Priority in the VMware NSX Advanced Load Balancer DataScript Guide for more information.)

A virtual service can have multiple policies defined, one for each of the four types. Once defined, policies for the four types are implemented in the following order of priority:

1. Network security policy.

2. HTTP Security Policy.

3. HTTP request policy.

4. HTTP response policy.

5. DataScripts policy.

6. Access policy.

For instance, a network policy that is set to discard traffic takes precedence over an HTTP request policy set to modify a header. Since the connection is discarded, the HTTP request policy will not execute. Each policy type can contain multiple rules, which in turn can be prioritized to process in a specified order. This is done by moving the policies up or down in the ordered list within the Avi Load Balancer UI.

Match - Action

All policies are made up of match and action rules, which are similar in concept to if - then logic. Administrators set match criteria for all connections, requests, or response to the virtual service. The Avi Load Balancer executes the configured actions for all traffic that meets the match criteria.

A single match with multiple entries is treated as “or” operation. For instance, if a single match type has the criteria “marketing”, “sales”, and “engineering” set, then the match is true if the path contains “marketing”, or “sales”, or “engineering”.

If a rule has multiple matches configured, all match types must be true for the action to be executed. In the above screenshot, both the path and HTTP method matches must be true. Within each of these two match types, only one of the entries must be true for that match type to be true. For HTTP method, a client request must be of type GET or HEAD. Multiple rules can be configured for each policy and they can be configured to occur in a specific order. If no match is applied, the condition is automatically met and the actions will be executed for each connection as per the policy type.

Matches against HTTP content are case-insensitive. This is true for header names and values, cookies, host names, paths, and queries. For HTTP policies, the Avi Load Balancer compares Uniform Resource Identifier (URI) matches against the decoded HTTP URI. Many browsers and web servers encode human-readable format content differently. For instance, a browser’s URI encoding might translate the dollar character “$” to “%24”. The Service Engine (SE) translates the “%24” back to “$” before evaluating it against the match criteria.

Create a Policy

The virtual service editor defines policies consisting of one or more rules that control the flow of requests through the virtual service.

The following are the steps to create a policy:

1. Policy Type: First select the policy type to add by selecting one of the following categories:

   1. HTTP Security: HTTP security policies perform defined actions such as allow/deny, redirect to HTTPS, or respond with a static page.

   2. Network Security: It is configured to explicitly allow or block traffic of user-defined types in the network.

   3. HTTP Request: HTTP request policies allow manipulation of HTTP requests, content switching and also allow customized actions based on client HTTP requests.

   4. HTTP Response: HTTP response policies evaluate responses from the server, and can be used to modify the server’s response headers. HTTP response policies are most often used with HTTP request policies to provide an Apache Mod_ProxyPass capability for rewriting a website’s name between the client and the server.

   5. DataScripts: DataScripts execute when various events are triggered by data plane traffic.

   6. Access: Access policy can be provided for SAML.

      
      
      

2. Create Rule: Create a new rule by clicking the 'plus' icon and specify the following information for the new rule:

   1. Enable or Disable: By default, the new rule is enabled. The green slider icon can be toggled to change to gray, to deactivate the rule and make it have no effect on the traffic.

   2. Rule Name: Specify a unique name for the rule in the Rule Name field, or leave the default system generated name in place.

   3. Logging: Select Logging if you want logging enabled for this rule. When enabled, a log is generated for any connection or request that matches the rule’s match criteria. If a virtual service is already set to log all connections or requests, this option will not create a duplicate log. Client logs are flagged with an entry for the policy type and rule name that matched. When viewing the policy’s logs within the logs tab of the virtual service, the logs will be part of the significant logs option unless the specific connection or request is a non-error traffic, in which case it can be displayed under the default non-significant logs filter.

   4. Match: Add one or more matches using the Add New Match drop-down menu. The match options vary depending on the context defined by the policy type to be created. If a rule is not given a match, all connections or requests are considered true or matched.

   5. Action: Add one or more actions from the dropdown menu to be taken when the matches are true. The available options vary depending on the type of rule to be created.

   6. Save Rule: Click the Save Rule button to save the new rule.

      
      
      

3. Ordering: Rules are enforced in the order in which they appear in the list. For instance, if you add a rule to close a connection based on a client IP address, followed by a rule that redirects an HTTP request from that IP address to a secure HTTP (HTTPS) connection, the Avi Load Balancer closes the connection without forwarding the request. Alter the order in which rules are applied by clicking the up and down arrow icons until the rules are in the desired order.

Network Security

The following table lists both the available network security match criteria and the configurable actions that can occur when a match is made.

HTTP Security Policy

The following table lists both the available HTTP security match criteria and the configurable actions that can occur when a match is made.

TLS Fingerprint Support for HTTP Security Policies

Avi Load Balancer supports configuration of HTTP security policies to block bad requests from a client/source having a specific TLS fingerprint (different from that of common browsers).

The configuration workflow consists of the following steps:

• Finding TLS fingerprints associated with bad requests

• Configuring HTTP security policy with tls_fingerprint_match

• Associating Virtual Services with the specific HTTP security policy

Usually a client’s TLS fingerprint is not part of application log for a virtual servcie. To log TLS fingerprint in full detail, edit the specific application profle and enable Collect Client TLS Fingerprint as shown below.

Once the Collect Client TLS Fingerprint option is enabled, virtual service starts logging TLS Fingerprint under the SSL log section as shown below.

To enable Collect Client TLS Fingerprint logging using Avi Load Balancer CLI, follow the below steps:

[admin:ctrl-blr]: > configure applicationprofile applicationprofile-bot
[admin:ctrl-blr]: applicationprofile> http_profile
[admin:ctrl-blr]: applicationprofile:http_profile> collect_client_tls_fingerprint
# ... output from CLI skipped
[admin:ctrl-blr]: applicationprofile:http_profile> save
# ... output from CLI skipped
[admin:ctrl-blr]: applicationprofile> save

The TLS fingerprint from these logs is used in a HTTP security policy to achieve the desired result (HTTP action).

Follow the steps mentioned below to configure a HTTP policy to send a 403 response if a request comes with 9876543210fedcba9876543210fedcba fingerprint.

[admin:10-79-111-137]: > configure httppolicyset tls-fp-policy
[admin:10-79-111-137]: httppolicyset> http_security_policy
[admin:10-79-111-137]: httppolicyset:http_security_policy> rules
New object being created
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules> action
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action> action http_security_action_send_response
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action> status_code http_local_response_status_code_403
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action> file
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action:file> file_content "<html>Bad IP</html>"
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action:file> content_type "text/html"
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action:file> save
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:action> save
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules> name "rule-fingerprint-1"
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules> match
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:match> tls_fingerprint_match
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:match:tls_fingerprint_match> match_operation is_in
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:match:tls_fingerprint_match> fingerprints 9876543210fedcba9876543210fedcba    <--  Add the fingerprint here
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:match:tls_fingerprint_match> save
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules:match> save
[admin:10-79-111-137]: httppolicyset:http_security_policy:rules> save
[admin:10-79-111-137]: httppolicyset:http_security_policy> save
[admin:10-79-111-137]: httppolicyset> save

Associate the HTTP policy created in the previous step with the desired virtual service.

[admin:10-79-111-137]: > configure virtualservice vs-bot
[admin:10-79-111-137]: virtualservice> http_policies http_policy_set_ref tls-fp-policy
New object being created
[admin:10-79-111-137]: virtualservice:http_policies> save
[admin:10-79-111-137]: virtualservice> save

HTTP Request

HTTP request policies allow manipulation of HTTP requests. These requests can be modified before they are forwarded to the server, used as a basis for content switching, or discarded. The HTTP request policies can only be applied to a layer 7 virtual service configured with an HTTP profile. The following table lists the match criteria available under HTTP request, and the actions that can be configured to occur when a match is made.

HTTP Request Policy

[admin:1234]: > configure httppolicyset virtualservice-1-HTTPPolicySet-0

Updating an existing object. Currently, the object is:
+--------------------+-----------------------------+
| Field              | Value                       |
+--------------------+-----------------------------+
| uuid               | httppolicyset-a3ad878c-84c6-|
| name               | virtualservice-1-0          |
|                    |HTTPPolicySet-               |
| is_internal_policy | False                       |
| tenant_ref         | admin                       |
+--------------------+-----------------------------+
[admin:1234]: httppolicyset> http_request_policy
[admin:1234]: httppolicyset:http_request_policy> rules
New object being created
[admin:1234]: httppolicyset:http_request_policy:rules> name rule-vs-1
[admin:1234]: httppolicyset:http_request_policy:rules> switching_action
[admin:1234]: httppolicyset:http_request_policy:rules:switching_action> action HTTP_SWITCHING_SELECT_LOCAL
[admin:1234]: httppolicyset:http_request_policy:rules:switching_action> other_status_code 240
[admin:1234]: httppolicyset:http_request_policy:rules:switching_action> save
[admin:1234]: httppolicyset:http_request_policy:rules> save
[admin:1234]: httppolicyset:http_request_policy> save
[admin:1234]: httppolicyset> save

+-------------------------+--------------------------+
| Field                   | Value                    |
+-------------------------+--------------------------+
| uuid                    | httppolicyset-a3ad878c-  |
| name                    | virtualservice-1-0       |
|                         |HTTPPolicySet-            |
| http_request_policy     |                          |
|   rules[1]              |                          |
|     name                | rule-vs-1                |
|     index               | 1                        |
|     enable              | True                     |
|     switching_action    |                          |
|       action            |TP_SWITCHING_SELECT_LOCAL | |other_status_code        | 240                      |  | is_internal_policy      | False                    |  | tenant_ref              | admin                    | 
+-------------------------+--------------------------+
[admin:1234]: >

Why is a virtual service always up when a redirect policy is attached to it?

A virtual service on Avi Vantage remains always up when a redirect policy is attached to it. This is an expected behaviour and this behaviour is by design. A virtual service is kept alive if one of the following conditions is met:

• At least one of the pools associated to the virtual service is up.

• A policy (for example, a redirect policy) associated with the virtual service that does not need a pool.

• A DataScript attached to the policy.

• The virtual service is associated to a policy that sends a local response.

Is Sensitive

Is Sensitive option is used to mask the custom values in ‘Modify Header’. The Is Sensitive field is added within Modify Header action to add any custom value which is sensitive.

The sensitive field (Is Sensitive) is a flag in HTTP header value which determines if the custom value has to be marked sensitive or not. If you check Is Sensitive field, then the custom value in Modify header option in action for HTTP Policy Set will be masked. An example is shown in the screenshot below:

As the header values are masked, updating an existing header can be difficult for the admins. To simplify this, Avi Load Balancer assigns an index, that is, an integer value to identify all the headers uniquely as shown in the screenshot above. This helps to remove the ambiguity. The index is auto assigned by Avi Load Balancer. If there is any requirement to change the index, it can be done using CLI or API and you need to ensure that the index should be a unique value.

The CLI for setting sensitive field for custom values in HTTP Policies is as follows:

+------------------------+----------------------------------------------------+
| Field                  | Value                                              |
+------------------------+----------------------------------------------------+
| uuid                   | httppolicyset-14be5dde-8ff2-4891-a930-a81b6f547d9b |
| name                   | test-HTTPPolicySet-0                               |
| http_request_policy    |                                                    |
|   rules[1]             |                                                    |
|     name               | Rule 1                                             |
|     index              | 1                                                  |
|     enable             | True                                               |
|     match              |                                                    |
|       vs_port          |                                                    |
|         match_criteria | IS_IN                                              |
|         ports[1]       | 80                                                 |
|     hdr_action[1]      |                                                    |
|       action           | HTTP_ADD_HDR                                       |
|       hdr              |                                                    |
|         name           | pqr                                                |
|         value          |                                                    |
|           val          | <sensitive>                                        |
|           is_sensitive | True                                               |
|       hdr_index        | 1                                                  |
| is_internal_policy     | False                                              |
| tenant_ref             | admin                                              |
+------------------------+----------------------------------------------------+

HTTP Policy QueryMatch

In HTTP policies, one of the parameters that can match against is the query string in the URI. QueryMatch is similar to other match targets in the following ways:

• It is used to match the query string against a list of custom strings or string groups.

• It is used to copy the query string into the action rules (Redirect or Rewrite URL actions) using the Keep Query knob.

Addition of Match Criteria

The following are the match operations supported for Query match:

Matching Encoded Strings

Avi Load Balancer supports Match Decoded String option for the Query_Match is supported (as earlier supported for path match). This option allows user to specify whether to match against an encoded (UTF-8) or decoded query string. By default, the option is selected.

Example 1:

If Match_decoded is unmarked and URI /hello/test?efg=%21efg is sent, the rule will match. Whereas if URI /hello/test?efg=!efg is sent, the rule will not match.

Example 2:

If Match_decoded is marked for the strings hello/test?efg=!efg or hello/test?efg=%21efg, both will match because the string will be converted to hello/test?efg=!efg in both cases.

HTTP Request Queuing

HTTP request queuing allows the Avi Load Balancer to queue requests that are received after a backend server has reached its maximum allowed number of concurrent connections. Queuing HTTP requests provides time for new connections to become available on the server, without performing the configured pool down action.

HTTP request queuing is disabled by default. The feature can be enabled on a per pool basis. The default queue length is 128 requests, when the feature is enabled. The queue length is configurable, from 1 up to any required amount. The only limitation is that memory must be available on the SE.

How the Queue is Managed

Queued requests are managed on a last-in, first-out (LIFO) basis. For example, if the queue length is 128, the Avi Load Balancer can queue up to 128 requests for a saturated server. Only GET requests can be queued. PUT requests are not queued. While the server is unable to accept new requests, the Avi Load Balancer queues the new requests, up to the maximum number of requests the queue can hold, that is, the queue length. If the queue is full and the server is still unable to accept new requests, the queue is bypassed and the Avi Load Balancer begins applying the configured pool down action to new requests.

When the server is able to accept new requests again, priority is given to new requests. New requests have priority over the queued requests and are sent to the server first. Only when no new requests are available to send to the server, the SE sends requests from its queue, beginning with the most recent one, namely, the last one queued. Sending the most recently queued requests instead of the oldest requests from the queue helps minimize impact on end-users as some newer requests might be resends of older requests, or the client might have ended the unresponsive session. Sending a request to the queue because the server is full does not generate a failure event. If the queue is also full, then an event is generated.

Effect on Persistence

HTTP request queuing can be used along with persistence. If both features are enabled, and persistence requires a connection to remain on a particular server and that server is full, requests for that connection are queued until the required server has available connections for them. The requests are not sent to another server. Within the queue, the requests are still managed as described above, on a LIFO basis.

Effect on HTTP Caching

If HTTP caching is enabled and the Avi Load Balancer receives a request for an object that is in the cache, the Avi Load Balancer fulfills the request by sending the object from the cache, instead of requesting the object from the server. In this case, even if none of the servers has a free connection to receive the request, the request does not need to be queued.

Queue Size Recommendations

SEs must have enough memory to support the configured HTTP queue size.

For an average request size of 2 KB per request, setting the queue length to 128 requires 256 KB of memory. For higher queue sizes, the appropriate amount of memory must be allocated to the SE.

Effects of Changing the Queue Length

If the queue length is changed, the change goes into effect immediately.

• Increasing the queue length allows more requests to be queued while the server is saturated.

• If the queue length is decreased and the new size is smaller than the number of requests that are currently in the queue, the Avi Load Balancer immediately drops the extra requests from the queue, beginning with the oldest one (first queued). For example, if the queue length is 128 and the queue is full, reducing the queue length to 64 results in the immediate drop of the 64 oldest requests from the queue.

Configuring HTTP Request Queuing

To enable request queuing for a pool:

1. Navigate to Applications > Pools.

2. Click Create for creating a new pool or click the edit icon next to the pool name.

3. Go to the Advanced tab. If creating a new pool, enter a name, and click Next twice.

4. In the Pool Full Settings section, select Enabled next to Request Queuing.

5. To change the queue size, edit the number in the Queue Length field. There is no specific maximum length value. In this case, the amount of memory available on the SE for queuing presents the practical limit.

6. If you are configuring a new pool, finish configuring any other pool settings, and click Save.

HTTP Response Policy

HTTP response policies evaluate responses from the server, and can be used to modify the response headers of the server. These policies are generally used to rewrite redirects or in conjunction with HTTP request policies, to provide a client to server name-rewriting capability similar to Apache’s ProxyPass.

If the intent is to create a hostname mapping from internal to external, consider using the more straightforward Host Name Translation feature within the advanced section of a virtual service. During the HTTP response match, the match criteria that are based on client data are evaluated against the original client request. For example, if the client requested /fruit.htm, and a request policy modified the path to /cheese.htm, the response match rule for path would compare against the unmodified, original path sent from the client, namely /fruit.htm. The following table lists the match criteria available under HTTP response, and the actions that can be configured to occur when a match is made.

DataScripts

DataScripts are executed when various events are triggered by data plane traffic. A single rule can execute different code during different events.

See DataScript Events in VMware NSX Advanced Load Balancer DataScript Guide for more details.

Access

Access policy can be provided for SAML, JWT or LDAP access.

SAML

If you select SAML option, specify the following details:

• SSO Policy: Specify the SSO policy attached to the virtual service.

• Entity ID: Specify the SAML entity ID for this node.

• SSO URL: Specify the SAML single sign-on URL to be programmed on the IDP.

• Session Cookie Name: Specify the HTTP cookie name for the authenticated session.

• Session Cookie Timeout: Specify the cookie timeout in minutes.

• SSL Key: Select the SSL key from the drop-down menu.

JWT

If you select JWT option, specify the following details:

• SSO Policy: Select the SSO Policy attached to the virtual service.

• Audience: Specify the unique audience to identify a resource server.

• Token Location: Select the token location as Authorization Headeror URL Query.

LDAP

If you select LDAP option, specify the following details:

• SSO Policy: Specify the SSO policy attached to the virtual service.

• Basic Realm: When a request to authenticate is presented to a client, the basic realm indicates to the client which realm they are accessing.

• Connections Per Server: Specify the number of concurrent connections to LDAP server by a single basic auth LDAP process.

• Cache Size: Specify the size of LDAP basic auth credentials cache used on the dataplane.

• Bind Timeout: Specify LDAP basic auth default bind timeout enforced on connections to LDAP server.

• Request Timeout: Specify LDAP basic auth default login or group search request timeout enforced on connections to LDAP server.

• Connect Timeout: Specify LDAP basic auth default connection timeout enforced on connections to LDAP server.

• Reconnect Timeout: Specify LDAP basic auth default reconnect timeout enforced on connections to LDAP server.

• Servers Failover Only: Check this box to indicate that LDAP basic auth uses multiple LDAP servers in the event of a fail-over only.

After specifying all the necessary details, click Save button.

Policy Tokens

In more complex scenarios, an administrator can capture data from one location and apply it to another location. The Avi Load Balancer supports the use of variables and tokens, which can be used for this purpose.

Variables can be used to insert dynamic data into the modify header actions of HTTP request and HTTP response policies. Two variables namely, $client_ip and $vs_port are supported. For instance, a new header can be added to a HTTP request called origin_ip, with a value set to $client_ip, to insert the source address of the client as the value of the header.

Tokens can be used to find and reorder specific parts of the HTTP hostname or path. For instance, it is possible to rewrite the original request http://support.avinetworks.com/docs/index.htm to http://www.avinetworks.com/support/docs/index.htm. Tokens can be used for HTTP host and HTTP path. The tokens are derived from the original URL. Token delimiter in host header is “.” and in the URL path it is “/”.

Regex Matching in Policies

The Avi Load Balancer supports the use of regex captures as tokens that can be used in Policy actions. These regex captures are obtained from the regex pattern string that are matched with the URI in the match rule configured in the policy.

The following are the steps to configure regex matching and tokens:

• Create a string group object with the list of regex patterns you want to use for URI matching. Note the use of regex captures (the string pattern within the parentheses) which are needed to generate the regex tokens.

• Navigate to Templates > Groups > String Groups. Click CREATE. Specify the string name and type.

• Under Policies, create a matching rule with the Criteria field selected as Regex pattern matches and attach the necessary string group(s).

• You can now use regex captures as tokens in the corresponding action rule. On the GUI, you can use SG_RE[] to access these tokens. These tokens are obtained from the first string in the string group list that matched with the request Path.

• Regex captures from the query string can be accessed in the action rule using SG_RE_Q to index the required capture group.