
Pulse Secure vADC

For this example, the client requests come from the CDN acting as a proxy. We don't want to impose any limits on the CDN requests coming to the site, but we do want to stop abusive users.

In this case, all client requests that we want to limit from the CDN proxy contain an HTTP header; for this example we'll say True-Client-IP. We will use the "True-Client-IP" header value as the context value for the rate class, and we already have a rate class named "clients".

A context value on a rate class uses a new rate class which inherits all of the rate settings from the named rate class. All connections called with the same 'context' value use the same new rate class. This allows you to shape connections based on arbitrary data, such as a user name or source IP address, shaping connections from different users or source IPs independently.

    # Check and run if the True-Client-IP header exists
    if( http.headerExists( "True-Client-IP" ) ) {
       # Use the predefined rate class named "clients"
       # Use the header value to define a context for the rate class
       rate.use( "clients", http.getHeader( "True-Client-IP" ) );
    }
A great usage of TrafficScript is for managing and inserting widgets on to your site.

The attached TrafficScript code snippet inserts a Twitter Profile Widget to your site, as described here (sign in required).

To use it:

1. In the Stingray web interface, navigate to Catalogs -> Rules and scroll down to Create new rule. Give it a name such as Twitter Feed and select Use TrafficScript Language. Click Create Rule to create the rule.
2. Copy and paste the code and save the rule.
3. Modify the $user and $tag as described in the TrafficScript code snippet. $user is your Twitter username and $tag specifies where in the web page the feed should go.
4. Navigate to the Rules page of your Virtual Server (Services -> Virtual Servers -> <your virtual server> -> Rules) and add Twitter Feed as a Response Rule.

Reload your webpage and you should see the Twitter feed.

    #
    # This TrafficScript code snippet will insert a Twitter Profile widget
    # for user $user as described here:
    # https://twitter.com/about/resources/widgets/widget_profile
    # The widget will be added directly after $tag. The resultant page will
    # look like:
    # ...
    # <tag>
    # <Twitter feed>
    # ...
    #

    # Replace 'riverbed' with your Twitter username
    $user = "riverbed";

    #
    # You can keep the tag as <!--TWITTER FEED--> and insert that tag into
    # your web page or change $tag to some existing text in your web page, ie
    # $tag = "Our Twitter Feed:"
    $tag = "<!--TWITTER FEED-->";

    # Only modify text/html pages
    if( !string.startsWith( http.getResponseHeader( "Content-Type" ), "text/html" )) break;

    #
    # The actual code that will be inserted. Various values such as color,
    # height, width, etc. can be changed here.
    #
    $html = "\n\
    <script charset=\"utf-8\" src=\"http://widgets.twimg.com/j/2/widget.js\"></script> \n \
    <script> \n \
    new TWTR.Widget({ \n \
      version: 2, \n \
      type: 'profile', \n \
      rpp: 4, \n \
      interval: 30000, \n \
      width: 250, \n \
      height: 300, \n \
      theme: { \n \
        shell: { \n \
          background: '#333333', \n \
          color: '#ffffff' \n \
        }, \n \
        tweets: { \n \
          background: '#000000', \n \
          color: '#ffffff', \n \
          links: '#eb8507' \n \
        } \n \
      }, \n \
      features: { \n \
        scrollbar: false, \n \
        loop: false, \n \
        live: false, \n \
        behavior: 'all' \n \
      } \n \
    }).render().setUser('".$user."').start(); \n \
    </script><br>\n";

    # This section inserts $html into the HTTP response after $tag
    $body = http.getResponseBody();
    $body = string.replace( $body, $tag, $tag. $html);
    http.setResponseBody( $body );

Give it a try and let us know how you get on!

More Twitter solutions:

- Traffic Managers can Tweet Too
- TrafficScript can Tweet Too
The Enforcer rule used by Stingray Application Firewall (SAF) will pass all requests to the local decider processes for inspection and security. For performance reasons, you may not want to inspect all requests. For example, if some requests that are processed by your virtual server are sent to a cluster of servers hosting static content, and other requests are sent to a completely separate set of transaction servers, then it may make pragmatic sense to just inspect the requests that are routed to your transaction servers.

You can whitelist a request by setting the connection-local variable 'enforcer.whitelist' to '1'.

Example

The following rule should be applied to the Virtual Server prior to the SAF Enforcer rule. It will whitelist requests only if they are using the HTTP "GET" method, do not have a Query String, and the file extension appears in the $fileTypes array.

    #=-SAF Bypass Rule. This needs to be run as a request rule prior to the SAF Enforcer rule

    # Only bypass GET requests
    if ( http.getMethod() != "GET" )
       break;

    # Only bypass requests with no Query String
    if ( http.getQueryString() )
       break;

    # Array of file extensions to bypass
    $fileTypes = [ "css", "js", "png", "gif", "jpg" ];

    # Pull out extension from path
    $extension = array.pop( string.split( http.getPath(), ".") );

    # If the extension exists in our array, then set the whitelist flag
    if ( array.contains($fileTypes, $extension) ) {
       connection.data.set("enforcer.whitelist", 1);
    }
I have several hundred websites that all use host headers in IIS. I would like to use a single virtual/public IP address and have the traffic manager select the appropriate pool based on the host header passed in. I've been using a traffic script similar to the code snippet below. Is there a more efficient way to code this? There will be several hundred pools and if statements. Can you do case statements in traffic script?

    $HostHeader = http.getHostHeader();

    if( string.contains( $HostHeader, "site1.test.com" ) ){
       pool.use( "Pool_site1.test.com_HTTP");
    }else if( string.contains( $HostHeader, "site2.test.com" ) ){
       pool.use( "Pool_site2.test.com_HTTP");
    }else if( string.contains( $HostHeader, "site3.test.com" ) ){
       pool.use( "Pool_site3.test.com_HTTP");
    }else if( string.contains( $HostHeader, "site4.test.com" ) ){
       pool.use( "Pool_site4.test.com_HTTP");
    }else if( string.contains( $HostHeader, "site5.test.com" ) ){
       pool.use( "Pool_site5.test.com_HTTP");
    }else if( string.contains( $HostHeader, "site6.test.com" ) ){
       pool.use( "Pool_site6.test.com_HTTP");
    }else{
       http.changeSite( "http://www.test.com" );
    }
(Originally posted Aug 19 2009)

Accessing Zeus' Control API from Scala is a relatively straightforward process. It is almost identical to the process you use for Java. Currently the best way to access the control API is using the Apache axis library which you can obtain here. You will also need the WSDL files describing the API. To download the WSDL files go to the Zeus Admin Server then to the online help, and look for the "Zeus Control API WSDL Files" link on the 'Manuals' page. One final dependency that needs to be satisfied is that we need the javamail package, which can be found here.

Once you have downloaded and extracted these files we need to convert the WSDL files to Java code, compile them and package them up. On a Unix system you need to issue these commands:

    > for F in wsdl/*.wsdl ; do java -cp ":axis-1_4/lib/*:javamail-1.4.1/lib/*" \
          org.apache.axis.wsdl.WSDL2Java $F ; done
    > mkdir obj
    > javac -d obj com/zeus/soap/zxtm/*/*.java
    > cd obj
    > jar cf ZXTM-API.jar com/zeus

This will produce ZXTM-API.jar which you will need to add to your classpath.

We are ready to write a Scala program to list the running Virtual Servers. This mirrors our Java example quite closely, which you can look at here (http://www.zeus.com/community/code-samples/list-running-virtual-servers-using-scala#).

listVS.scala

    import com.zeus.soap.zxtm._1_0._;

    import java.security.Security;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.cert.X509Certificate;

    import javax.net.ssl.ManagerFactoryParameters;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactorySpi;
    import javax.net.ssl.X509TrustManager;

    object VSList {
       def main( args: Array[String] ) {
          // Install the trust-all provider defined below as the default TrustManagerFactory
          Security.addProvider( new MyProvider )
          Security.setProperty( "ssl.TrustManagerFactory.algorithm", "TrustAllCertificates" )

          val vsl = new VirtualServerLocator
          vsl.setVirtualServerPortEndpointAddress( "https://user:[email protected]:9090/soap" )
          val port = vsl.getVirtualServerPort

          val vs_names = port.getVirtualServerNames
          val enabled_vs = port.getEnabled( vs_names )

          // Print only the virtual servers that are enabled
          for ( i <- 0 until vs_names.length )
             if ( enabled_vs( i ) ) println( vs_names( i ) )
       }
    }

    // Below is TrustManager boiler-plate
    // Note: this trust manager accepts every certificate, so the Admin Server's
    // certificate is not verified by this program.
    object MyTrustManagerFactory extends TrustManagerFactorySpi {
       override def engineInit( keystore: KeyStore ) {}
       override def engineInit( mgrparams: ManagerFactoryParameters ) {}
       override def engineGetTrustManagers = {
          Array[TrustManager]( new MyX509TrustManager )
       }
    }

    class MyX509TrustManager extends X509TrustManager {
       override def checkClientTrusted( chain: Array[X509Certificate], authType: String ) {}
       override def checkServerTrusted( chain: Array[X509Certificate], authType: String ) {}
       override def getAcceptedIssuers: Array[X509Certificate] = null
    }

    class MyProvider extends Provider( "MyProvider", 1.0, "Trust certificates" ) {
       put( "TrustManagerFactory.TrustAllCertificates", MyTrustManagerFactory.getClass.getName )
    }

Running the example is pretty simple. First compile it,

    > scalac -classpath ZXTM-API.jar listVS.scala

then run it,

    > scala -classpath ZXTM-API.jar VSList
    Main website
    Mail servers
    Test site
If you're running Apache HTTPD, you might have seen the recent advisory (and update) about an issue that can cause "significant CPU and memory usage" when the HTTP/1.1 Range header is abused.

If you're using Stingray Application Firewall, simply update your baseline rules and you will be immediately protected. Otherwise, you can use TrafficScript to block this attack:

    # Updated: Remove (if present) an old name that Apache accepts, MSIE 3 vintage
    http.removeHeader( "Request-Range" );

    $r = http.getHeader( "Range" );
    if( $r && string.count( $r, "," ) >= 5 ) {
       # Too many ranges, refuse the request
       http.sendResponse( "403 Forbidden", "text/plain", "Forbidden\n", "" );
    }

This simply returns a 403 Forbidden response for any request asking for more than 5 ranges (at least 5 commas in the Range header). This is in line with the advisory's suggested mitigation: we don't block multiple ranges completely because they have legitimate uses, such as PDF readers that request parts of the document as you scroll through it, and the attack requires many more ranges to be effective.
Not content with getting your Traffic Manager to tweet through the event handling system (Traffic Managers can Tweet Too), this article explains how you can tweet directly from TrafficScript.

This is more than just a trivial example; sending tweets from the event handling system requires an 'action program', and the Stingray Virtual Appliance does not include the necessary third-party libraries to conduct the OAuth-authenticated transaction. This example also illustrates how you can construct and perform OAuth authentication from TrafficScript.

Getting started - Create your Twitter 'Application'

To get started, you'll need to create a Twitter 'Application' that will receive and process your Twitter status updates. Follow the instructions in the Traffic Managers can Tweet Too article, up to the point where you have an application with the two public/secret key pairs:

The TrafficScript Rule

The following TrafficScript rule posts status updates using your application's and user's OAuth credentials. The document Authorizing a request | Twitter Developers describes the process for authorizing a request using OAuth to the Twitter service.

The rule is for test and demonstration purposes. If you assign it to an HTTP virtual server (as a request rule), it will intercept all requests and look for a query-string parameter called 'status'. If that parameter exists, it will post the value of status to Twitter using the credentials in the rule. Make sure to update the rule with the correct parameters from your Twitter application.

The rule uses the TrafficScript HMAC library described in the document HowTo: Calculating HMAC hashes in TrafficScript.

    # TrafficScript Twitter Client

    import libHMAC.rts as hmac;

    # Key client parameters
    # https://dev.twitter.com/apps/<app-id>/oauth
    $oauth_consumer_key = "Pplp3z4ogRW4wKP3YOlAA";
    $oauth_token = "1267105740-xhMWKdsNqoKAof7wptTZ5PmNrodBJcQm1tQ5ssR";
    $consumer_secret = "jbWlWYOSgzC9WXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    $oauth_token_secret = "p8GCJUZLXk1AeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

    $method = "POST";
    $url = "https://api.twitter.com/1/statuses/update.json";

    #-------

    $status = http.getFormParam( "status" );
    if( ! $status ) {
       http.sendResponse( 200, "text/plain", "Please provide a status in the querystring (?status=...)", "" );
    }

    $oauth = [
       "oauth_consumer_key" => $oauth_consumer_key,
       "oauth_nonce" => string.base64encode( string.randomBytes( 32 )),
       "oauth_signature_method" => "HMAC-SHA1",
       "oauth_timestamp" => sys.time(),
       "oauth_token" => $oauth_token,
       "oauth_version" => "1.0"
    ];

    # Parameter string: the sorted oauth_* parameters followed by the status
    $pstring = "";
    foreach( $k in array.sort( hash.keys( $oauth ))) {
       $pstring .= string_escapeStrict( $k ) . "=" . string_escapeStrict( $oauth[ $k ] ) . "&";
    }
    $pstring .= "status=". string_escapeStrict( $status );

    # Signature base string: METHOD & escaped URL & escaped parameter string
    $sbstring = string.uppercase( $method ) ."&" . string_escapeStrict( $url ) . "&" . string_escapeStrict( $pstring );

    # Signing key: escaped consumer secret & escaped token secret
    $skey = string_escapeStrict( $consumer_secret ) . "&" . string_escapeStrict( $oauth_token_secret );

    $oauth["oauth_signature"] = string.base64encode( hmac.SHA1( $skey, $sbstring ) );

    $body = "status=". string_escapeStrict( $status );

    $oauthheader = "OAuth ";
    foreach( $k in hash.keys( $oauth )) {
       $oauthheader .= string_escapeStrict( $k ) . "=\"" . string_escapeStrict( $oauth[ $k ] ) . "\", ";
    }
    $oauthheader = string.drop( $oauthheader, 2 );

    $r = http.request.post( $url, $body, "Authorization: ".$oauthheader, 10 );

    # Debug output for test use: this response echoes the signing key ($skey),
    # the signature and the full Authorization header back to the client
    $response = "Response code: ".$1." (".$4.")\n" .
       "Content Type: ".$2."\n" .
       "\n" . $r . "\n\n" .
       "I sent: POST " . $url ."\n" .
       $body . "\n\n" .
       " pstring: ".$pstring."\n".
       " sbstring: ".$sbstring."\n".
       " skey: ".$skey."\n".
       " signature: ".$oauth["oauth_signature"]."\n\n".
       $oauthheader ."\n";

    http.sendResponse( 200, "text/plain", $response, "" );

    # %-encoding to the strict standards of RFC 3986
    sub string_escapeStrict( $a ) {
       $r = "";
       while( string.length( $a ) ) {
          $c = string.left( $a, 1 );
          $a = string.skip( $a, 1 );
          $i = ord( $c );

          if( ($i >= 0x30 && $i <= 0x39 ) || ( $i >= 0x41 && $i <= 0x5A ) || ( $i >= 0x61 && $i <= 0x7A )
              || $i == 0x2D || $i == 0x2E || $i == 0x5F || $i == 0x7E ) {
             $r .= $c;
          } else {
             $h = ($i & 0xF0 ) >> 4;
             $l = ($i & 0x0F );
             $r .= "%" . string.substring( "0123456789ABCDEF", $h, $h ) . string.substring( "0123456789ABCDEF", $l, $l );
          }
       }
       return $r;
    }

Submit a request to this virtual server, and if all is well you should get a 200 status code response:

... along with your first 'Hello, World' from TrafficScript:

One thing to note - Twitter does rate-limit and de-dupe tweets from the same source, so repeatedly submitting the same URL without changing the query string each time is not going to work so well.

Good luck!
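To cross-check the pstring, sbstring and signature values that the rule above prints, the same OAuth 1.0 HMAC-SHA1 construction can be reproduced offline. The Python below is an added example, not part of the original article; the credentials and nonce are constructed placeholders, and it generalises the rule slightly by sorting body parameters together with the oauth_* ones and adding a constant-time verification step.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def escape_strict(value):
    """Percent-encode all but RFC 3986 unreserved characters."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params, body_params):
    """Build METHOD&url&params, the value the rule calls $sbstring."""
    pairs = sorted(
        (escape_strict(k), escape_strict(v))
        for k, v in {**oauth_params, **body_params}.items()
    )
    pstring = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), escape_strict(url), escape_strict(pstring)])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with the two escaped secrets joined by '&' ($skey)."""
    key = f"{escape_strict(consumer_secret)}&{escape_strict(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(base_string, consumer_secret, token_secret, presented):
    """Recompute the signature and compare in constant time."""
    expected = sign(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Constructed sample values (placeholders, not real credentials).
OAUTH = {
    "oauth_consumer_key": "EXAMPLE-CONSUMER-KEY",
    "oauth_nonce": "bm9uY2U=",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": 1300000000,
    "oauth_token": "EXAMPLE-TOKEN",
    "oauth_version": "1.0",
}
URL = "https://api.twitter.com/1/statuses/update.json"
BASE = signature_base_string("post", URL, OAUTH, {"status": "Hello, World!"})
SIG = sign(BASE, "EXAMPLE-CONSUMER-SECRET", "EXAMPLE-TOKEN-SECRET")

if __name__ == "__main__":
    print(BASE, SIG, sep="\n")
```

Any change to the status text, the nonce, the timestamp or either secret produces a different signature, which is why a mismatch between the rule's debug output and this calculation points at an encoding or ordering difference.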