AppQoE actions
After enabling the AppQoE feature, you must configure one or more actions for handling request.
Important:
No specific individual parameters are required to create an action, but you must include at least one parameter or you cannot create the action.
To configure an AppQoE action by using the command line
At the command prompt, type the following commands:
add appqoe action <name> [-priority <priority>] [-respondWith (ACS|NS) [<customfile>] [-altContentSvcName <string>] [-altContentPath <string>] [-maxConn <positive_integer>] [-delay <usecs>] [-polqDepth <positive_integer>] [-priqDepth <positive_integer>] [-dosTrigExpression <expression>] [-dosAction ( **SimpleResponse** | **HICResponse** )]show appqoe action
Example
To configure priority queuing with policy queue depths of 10 and 1000 for medium and lowest priority queues, respectively:
> add appqoe action appqoe-act-basic-prhigh -priority HIGH
Done
> add appqoe action appqoe-act-basic-prmedium -priority MEDIUM -polqDepth 10
Done
> add appqoe action appqoe-act-basic-prlow -priority LOW -polqDepth 1000
Done
> show appqoe action
1. Name: appqoe-act-basic-prhigh
ActionType: PRIORITY_QUEUING
Priority: HIGH
PolicyQdepth: 0
Qdepth: 0
1. Name: appqoe-act-basic-prmedium
ActionType: PRIORITY_QUEUING
Priority: MEDIUM
PolicyQdepth: 10
Qdepth: 0
1. Name: appqoe-act-basic-prlow
ActionType: PRIORITY_QUEUING
Priority: LOW
PolicyQdepth: 1000
Qdepth: 0
Done
<!--NeedCopy-->
To modify an existing AppQoE action by using the command line
At the command prompt, type the following commands:
set appqoe action <name> [-priority <priority>] [-altContentSvcName <string>] [-altContentPath <string>] [-polqDepth <positive_integer>] [-priqDepth <positive_integer>] [-maxConn <positive_integer>] [-delay <usecs>] [-dosTrigExpression <expression>] [-dosAction ( SimpleResponse | HICResponse )]show appqoe action
To remove an AppQoE action by using the command line
At the command prompt, type the following commands:
rm appqoe action <name>show appqoe action
Parameters for configuring an AppQoE action
-
name. A name for the new action, or the name of the existing action that you want to modify. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
-
priority. The priority queue to which the request is assigned. When a protected web server or application is heavily loaded and cannot accept additional requests, specifies the order in which waiting requests are to be fulfilled when resources are available. The choices are:
- HIGH. Fulfills the request as soon as resources are available.
- MEDIUM. Fulfills the request after it has fulfilled all requests in the HIGH priority queue.
- LOW. Fulfills the request after it has fulfilled all requests in the HIGH and MEDIUM priority queues.
- LOWEST. Fulfills the request only after it has fulfilled all requests in higher-priority queues.
If priority is not configured, then the NetScaler appliance assigns the request to the LOWEST priority queue by default.
-
respondWith. Configures the NetScaler to take the specified Responder action when the specified threshold is reached. Must be used with one of the following settings:
- ACS: Serves content from an alternate content service. Threshold: maxConn (maximum connections) or delay.
- NS: Serves a built-in response from the NetScaler. Threshold: maxConn (maximum connections) or delay.
- NO ACTION: Serves no alternative content. Assigns connections to the LOWEST priority queue if the maxConn (maximum connections) or delay threshold is reached.
-
altContentSvcName. If -responseWith ACS is specified, the name of the alternative content service, usually an absolute URL to the web server that hosts the alternate content.
-
altContentPath. If -responseWith ( ACS NS ) is specified, the path to the alternative content. -
olqDepth. Policy queue depth threshold value for the policy queue associated with this action. When the number of connections in the policy queue associated with this action increases to the specified number, subsequent requests are assigned to the LOWEST policy queue. Minimum value: 1 Maximum value: 4,294,967,294
-
priqDepth. Policy queue depth threshold value for the specified priority queue. If the number of requests in the specified queue on the virtual server to which the policy associated with the current action is bound increases to the specified number, subsequent requests are assigned to the LOWEST priority queue. Minimum value: 1 Maximum value: 4,294,967,294
-
maxConn. The maximum number of connections that can be open for requests that match the policy rule. Minimum value: 1 Maximum value: 4,294,967,294
-
delay. The delay threshold, in microseconds, for requests that match the policy rule. If a matching request has been delayed for longer than the threshold, the NetScaler appliance performs the specified action. If NO ACTION is specified, then the appliance assigns requests to the LOWEST priority queue. Minimum value: 1 Maximum value: 599999,999
-
dosTrigExpression. Adds an optional second-level check to trigger DoS actions.
- dosAction. Action to take when the appliance determines that it or a protected server is under DoS attack. Possible values: SimpleResponse, HICResponse.
These values specify HTTP challenge-response methods for validating the authenticity of incoming requests to mitigate an HTTP-DDoS attack.
In the HTTP challenge-response generation and validation process, AppQoE uses cookies to validate the client’s response and verify that the client seems to be genuine. When sending a challenge, a NetScaler appliance generates two cookies:
Header cookie (_DOSQ). Contains client-specific information, so that the NetScaler appliance can verify the response.
Body cookie (_DOSH). Information used to validate the client machine. The client’s browser (or the user, in the case of HIC) computes a value for this cookie. The NetScaler appliance compares that value with the expected value to verify the client.
The information that the appliance sends to the client for computing the _DOSH value is based on the DoS Action configuration.
-
SimpleResponse: In this case, a NetScaler appliance splits the value and generates a JavaScript code to combine the final value. A client machine capable of computing the original value is considered genuine.
-
HICResponse: in this case, a NetScaler appliance generates two single-digit numbers and generates images for those numbers. Then, using a backpatch framework, the appliance inserts those images as base64 strings.
Limitations
-
This is not a trivial CAPTCHA implementation, which is why that term not used.
-
The validation number is based on a NetScaler-generated number that does not change for 120s. This number should be dynamic or client specific.
To configure an AppQoE action by using the configuration utility
- Navigate to App-Expert > AppQoE > Actions.
- In the details pane, do one of the following:
- To create a new action, click Add.
- To modify an existing action, select the action, and then click Edit.
- In the Create AppQoE Action or the Configure AppQoE Action screen, type or select values for the parameters. The contents of the dialog box correspond to the parameters described in “Parameters for configuring the AppQoE Action” as follows (asterisk indicates a required parameter):
- Name—name
- Action type—respondWith
- Priority—priority
- Policy Queue Depth—polqDepth
- Queue Depth—priqDepth
- DOS Action—dosAction
- Click Create or OK.