
Static Content Bypass for Stingray Application Firewall

by markbod on 02-12-2012 02:15 AM

The Enforcer rule used by Stingray Application Firewall (SAF) will pass all requests to the local decider processes for inspection and security.

For performance reasons, you may not want to inspect all requests.  For example, if some requests that are processed by your virtual server are sent to a cluster of servers hosting static content, and other requests are sent to a completely separate set of transaction servers, then it may make pragmatic sense to just inspect the requests that are routed to your transaction servers.

You can whitelist a request by setting the connection-local variable 'enforcer.whitelist' to '1'.

Example

The following rule should be applied to the Virtual Server prior to the SAF Enforcer rule.  It whitelists a request only if it uses the HTTP "GET" method, has no query string, and has a file extension that appears in the $fileTypes array.


# SAF Bypass Rule. This needs to be run as a request rule prior to the SAF Enforcer rule

# Only bypass GET requests
if ( http.getMethod() != "GET" )
   break;

# Only bypass requests with no query string
if ( http.getQueryString() )
   break;

# Array of file extensions to bypass
$fileTypes = [ "css", "js", "png", "gif", "jpg" ];

# Pull out extension from path
$extension = array.pop( string.split( http.getPath(), ".") );

# If the extension exists in our array, then set the whitelist flag
if ( array.contains($fileTypes, $extension) ) {
   connection.data.set("enforcer.whitelist", 1);
}
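
Because the rule decides on the text after the last "." anywhere in the path, it is worth checking which requests it would exempt from inspection before deploying it. The following Python model is an added example, not part of the original article or the product: `rule_whitelists` mirrors the posted rule, while `strict_whitelists`, the `STATIC_PREFIXES` values and the sample requests are assumptions constructed for illustration.

```python
# Model of the bypass decision, used to review a whitelist before deployment.
FILE_TYPES = ["css", "js", "png", "gif", "jpg"]   # same list as the rule above

def rule_whitelists(method, path, query=""):
    """Mirror of the posted rule: GET, no query string, and the text after
    the last '.' in the path is a listed extension."""
    if method != "GET" or query:
        return False
    return path.split(".")[-1] in FILE_TYPES

# Assumption: static content is served only from these path prefixes.
STATIC_PREFIXES = ("/static/", "/images/")

def strict_whitelists(method, path, query=""):
    """Stricter variant (hypothetical): also require a static prefix, no path
    parameters or '..' segments, and a dot only in the final path segment."""
    if method != "GET" or query:
        return False
    if not path.startswith(STATIC_PREFIXES):
        return False
    segments = path.split("/")
    if ";" in path or ".." in segments or any("." in s for s in segments[:-1]):
        return False
    name, dot, ext = segments[-1].rpartition(".")
    return bool(name) and dot == "." and ext in FILE_TYPES

# Constructed sample requests: (method, path as the rule sees it, query string).
SAMPLES = [
    ("GET",  "/static/site.css", ""),
    ("GET",  "/images/logo.png", ""),
    ("GET",  "/app/report.do/summary.css", ""),   # extension follows a handler name
    ("GET",  "/app/export.js", ""),               # listed extension outside static paths
    ("GET",  "/static/site.CSS", ""),             # comparison is case-sensitive
    ("POST", "/static/site.css", ""),
    ("GET",  "/static/site.css", "v=2"),
]

def review(samples):
    """Requests the posted rule exempts but the stricter variant still inspects."""
    return [s for s in samples if rule_whitelists(*s) and not strict_whitelists(*s)]

if __name__ == "__main__":
    for method, path, query in review(SAMPLES):
        print("exempt under posted rule only:", method, path)
```

Any request returned by `review` reaches the back end without SAF inspection under the posted rule, so confirm that such paths can only be routed to the static content servers.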



Comments
by ydelmont on ‎05-27-2012 01:54 PM

Hi,

As far as I know: "connection.data.set("enforcer.whitelist", 1);" is neither referenced nor documented anywhere.

It is amazing to discover there are such hidden tips...

Are there any other options that could be selected with a "connection.data.set" or perhaps a data.set call?

Regards,

Yannick