HTTP Security Policy

The following table lists the available HTTP security match criteria and the actions that can be configured to run when a request matches a rule. All match criteria configured in a rule must be satisfied for the rule to match; within a single criterion, any one of its listed values is sufficient.

Match Client IP: The client IP address, or a group of client addresses.

  • Use a "-" to specify a range: 10.0.0.0-10.1.255.255
  • Use a "/" to specify a netmask: 10.0.0.0/24
  • Use a pre-defined IP group, which can be based on geo-location.
Match Service Port: The port or ports the virtual service is listening on. In SNI virtual hosting and Enhanced Virtual Hosting, a service port criterion in a policy attached to a child virtual service is matched against the ports of its parent virtual service.
Match Protocol Type: HTTP or HTTPS, that is, the scheme of the request. Example: "https" in https://www.avinetworks.com/marketing/index.html?a=1&b=2
Match HTTP Method: The method of the client request. The criterion is satisfied if the request method is any one of the methods the administrator specifies. The options available are GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, and CONNECT. Starting with Avi Vantage release 18.2.3, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are also available.
Match HTTP Version: True if the client's HTTP version is one of the selected versions: 0.9, 1.0, or 1.1.
Match Path: The path or a group of paths. Paths do not need to begin with a "/"; for comparison purposes, Avi Vantage automatically omits any initial slash specified in the match field. Example: the path "/marketing/index.html" (compared as "marketing/index.html") in https://www.avinetworks.com/marketing/index.html
Match Query: A query or a group of queries. Do not add the leading "?" or "&" characters to a match. Example: "a=1&b=2" in https://www.avinetworks.com/marketing/index.html?a=1&b=2
Match Headers: True if a named header exists, or if it exists and contains a specified value.
Match Cookie: True if a named cookie exists, or if it exists and contains a specified value.
Match Host Header: The request's Host header. Example: "www.avinetworks.com" in https://www.avinetworks.com/marketing/index.html?a=1&b=2

Action Logging: Selecting the logging checkbox causes Avi Vantage to write a log entry each time the rule's action is invoked.
Action Allow: Allows matched requests to continue on to further policies, or to the destination pool servers.
Action Close Conn: Avi Vantage closes the TCP connection that received the matched request by sending a FIN. Many browsers open multiple connections; those other connections are not closed unless requests sent over them also trigger a close connection action.
Action Redirect To HTTPS: Responds to the request with a temporary redirect to the same resource on the desired SSL port.
Action Rate Limit: Limits matched clients to a maximum number of new connections, HTTP requests, bandwidth in Mbps, and/or concurrent open connections.
Action Send Response: Avi Vantage serves an HTTP response with status code 200 (success), 403 (forbidden), or 404 (file not found). The browser renders its default page for each of these status codes unless you upload a custom .html file. This file may contain links to images or other files, but only the initial HTML file is stored and served by the Send Response action; any linked resources must be served from elsewhere.
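
The following is an added example, not code from Avi Vantage or from this page: a small Python evaluator that applies the match criteria and actions described in the table above to constructed sample requests, so the semantics (OR within a criterion, AND across criteria, leading slash ignored in path matches, no leading "?" or "&" in query matches, and what each action produces) can be exercised offline. The rule and request dictionaries, the "begins with" comparison for paths, the "contains" comparison for queries, and first-matching-rule-wins ordering are this example's own assumptions and not the Avi API schema; IP groups, the HTTP Version criterion, and Rate Limit (which needs per-client state) are left out.

```python
# Added example, not Avi Vantage code; rule/request shapes are this example's own assumptions.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Request:
    client_ip: str
    port: int            # virtual service port the request arrived on (Service Port)
    scheme: str          # "http" or "https" (Protocol Type)
    method: str          # HTTP Method
    path: str            # e.g. "/marketing/index.html"
    query: str = ""      # e.g. "a=1&b=2", without the leading "?"
    host: str = ""       # Host header
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def client_ip_predicate(spec):
    """One Match Client IP entry: "a.b.c.d", "lo-hi" (range) or "net/len" (netmask)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ip <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ip in net
    return lambda ip: ip == ipaddress.ip_address(spec)

def strip_slash(p):
    return p[1:] if p.startswith("/") else p   # Avi omits an initial slash in the path match field

def exists_and_contains(wanted, present):
    """Headers/Cookie semantics: a None value means "exists", anything else "exists and contains"."""
    return all(n in present and (v is None or v in present[n]) for n, v in wanted.items())

def rule_matches(match, req):
    """AND across the criteria present in `match`, OR within a criterion; absent criteria are ignored."""
    ip = ipaddress.ip_address(req.client_ip)
    if "client_ip" in match and not any(client_ip_predicate(s)(ip) for s in match["client_ip"]):
        return False
    if "service_port" in match and req.port not in match["service_port"]:
        return False
    if "protocol" in match and req.scheme.upper() != match["protocol"].upper():
        return False
    if "methods" in match and req.method.upper() not in {m.upper() for m in match["methods"]}:
        return False
    # Assumption: path entries compare as "begins with" on the slash-stripped path.
    if "path" in match and not any(strip_slash(req.path).startswith(strip_slash(p)) for p in match["path"]):
        return False
    # Query entries carry no leading "?" or "&"; assumption: substring ("contains") comparison.
    if "query" in match and not any(q.lstrip("?&") in req.query for q in match["query"]):
        return False
    if "host" in match and req.host.lower() not in {h.lower() for h in match["host"]}:
        return False
    hdrs = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive
    wanted = {k.lower(): v for k, v in match.get("headers", {}).items()}
    return exists_and_contains(wanted, hdrs) and exists_and_contains(match.get("cookies", {}), req.cookies)

def apply_action(action, req):
    """Render a matched rule's action as a (verdict, detail) tuple."""
    kind = action["action"]
    if kind in ("ALLOW", "CLOSE_CONN"):   # allow: continue to further policies; close_conn: FIN the TCP connection
        return (kind.lower(), None)
    if kind == "REDIRECT_TO_HTTPS":       # temporary redirect to the same resource on the SSL port
        port = action.get("port", 443)
        netloc = req.host if port == 443 else f"{req.host}:{port}"
        return ("redirect", (302, f"https://{netloc}{req.path}" + (f"?{req.query}" if req.query else "")))
    if kind == "SEND_RESPONSE":
        return ("send_response", action.get("status_code", 403))
    raise ValueError(f"unknown action {kind}")

def evaluate(policy, req):
    """Rules in order; assumption: the first matching enabled rule's action is applied and evaluation stops."""
    for rule in policy:
        if rule.get("enable", True) and rule_matches(rule.get("match", {}), req):
            return rule["name"], apply_action(rule["action"], req)
    return None, ("allow", None)          # no rule matched: request passes through

# Constructed sample policy: drop TRACE/CONNECT, allow /admin only from office ranges, force HTTPS on port 80.
SAMPLE_POLICY = [
    {"name": "deny-dangerous-methods", "match": {"methods": ["TRACE", "CONNECT"]},
     "action": {"action": "CLOSE_CONN"}},
    {"name": "admin-from-office-only",
     "match": {"path": ["/admin"], "client_ip": ["10.0.0.0-10.1.255.255", "192.0.2.0/24"]},
     "action": {"action": "ALLOW"}},
    {"name": "admin-deny-everyone-else", "match": {"path": ["admin"]},
     "action": {"action": "SEND_RESPONSE", "status_code": 403}},
    {"name": "force-https", "match": {"protocol": "HTTP", "service_port": [80]},
     "action": {"action": "REDIRECT_TO_HTTPS", "port": 443}},
]

def demo():
    host = "www.avinetworks.com"   # constructed requests; returns {name: (rule, verdict)}
    reqs = {
        "office-admin": Request("10.1.7.9", 443, "https", "GET", "/admin/users", host=host),
        "outside-admin": Request("203.0.113.5", 443, "https", "GET", "/admin/users", host=host),
        "trace": Request("203.0.113.5", 443, "https", "TRACE", "/", host=host),
        "plain-http": Request("203.0.113.5", 80, "http", "GET", "/marketing/index.html", query="a=1&b=2", host=host),
    }
    return {name: evaluate(SAMPLE_POLICY, r) for name, r in reqs.items()}
```

Calling demo() returns the rule and verdict for each constructed request: the office client is allowed through to /admin, the outside client gets a 403 from Send Response, the TRACE request has its connection closed, and the plain-HTTP request is redirected to https://www.avinetworks.com/marketing/index.html?a=1&b=2. Because rules are evaluated in order, the "admin-from-office-only" allow rule must sit above the catch-all deny rule; swapping them would lock the office out as well.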

The HTTP security policy option is available in the Avi UI. To create a new HTTP security policy or edit an existing one, navigate to Applications > Virtual Services, select the desired virtual service, and select the HTTP Security option.


Additional Reference