
So I am faced with a question and I believe it isn't possible, but here it goes.

I have a NetScaler load balancing 2 web servers via a load balance VIP bound to a content switch serving up other web servers.

I have a rewrite policy that inserts HSTS into responses for 200 and this works without issue. When the back-end servers go down we logically send a 503 to the client, but the client wants to include HSTS in this response.

Is this at all possible? RFC 6797 for HSTS describes HSTS for a serving web site, and in this case the 503 is generated by the NetScaler, but I wanted to confirm this is not a possibility.

Any help is appreciated.

2 Answers


Yes, this is possible, i.e. use a content switch. Bind your web application as a policy with the highest priority (lower value == higher priority).

For instance, policy 10 always evaluates to true. Policy 10 points to your web server. Policy 20 will then never be processed. If your web server (referenced by policy 10) goes down, policy 10 will suddenly no longer be evaluated. Policy 20 will now be processed.

In policy 20 you put a responder policy of type "respond with": add your own friendly error message as raw HTTP data and include HSTS in the HTTP header. Your load balancer will only respond with 503 if it has no policy to process. If you like you can respond with a 503 message in policy 20 as well, but I would recommend creating a proper "down page" instead of a 503.

KaiT

If you are generating your 503 page using a responder action, you will have to add the HSTS header to your response manually. Responder actions are annoying that way: they shortcut most of the output path that normal backend responses go through. The NetScaler simply returns the string verbatim without examining or changing the contents. So a respondwith action returning this expression would add your header:

"HTTP/1.1 503 Service Unavailable\r\n" +
"Content-Type: text/html;charset=utf-8\r\n" +
"Strict-Transport-Security: max-age=31536000\r\n" +
"\r\n" +
"<!doctype html><html><body>Backend server for " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.HTTP_URL_SAFE + " is not responding.</body></html>"
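An added check, not from either answer, that a practitioner could run over captured responses to confirm the responder-generated 503 carries a usable HSTS header just like the backend 200 does. The two raw responses below are constructed samples: the 503 the respondwith expression above emits, and a bare 503 with no header.

```python
"""Verify that every front-end response, including a NetScaler responder 503,
carries a Strict-Transport-Security header with an acceptable max-age."""
import re
from typing import Optional

# Constructed sample: the raw 503 produced by the respondwith action in the answer.
RESPONDER_503 = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
    b"<!doctype html><html><body>Backend server for example.test/ is not responding."
    b"</body></html>"
)
# Constructed sample: a default 503 with no HSTS header at all.
BARE_503 = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(raw: bytes) -> Optional[int]:
    """Return the max-age from the HSTS header, or None if it is absent or malformed."""
    _status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def hsts_ok(raw: bytes, min_age: int = 31536000) -> bool:
    """True when the response carries HSTS with max-age >= min_age (one year by default)."""
    age = hsts_max_age(raw)
    return age is not None and age >= min_age


if __name__ == "__main__":
    for label, raw in (("responder 503", RESPONDER_503), ("bare 503", BARE_503)):
        status, _ = parse_response(raw)
        print(label, status, "HSTS ok" if hsts_ok(raw) else "HSTS missing")
```

Browsers only honour the header when it arrives over TLS, so capture the responses from the HTTPS VIP, not a plain-HTTP listener.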