Enhanced traffic management capabilities with HTTPRoute filters
The NetScaler Kubernetes Gateway controller supports HTTPRoute filters as defined by the Kubernetes Gateway API. This feature allows you to implement sophisticated traffic manipulation logic directly within the HTTPRoute resources. By leveraging filters, you can modify requests and responses, enabling a wide range of use cases such as header manipulation, URL rewriting, and request redirection.
Integration with NetScaler CRDs by using extensionRef
The Custom Resource Definitions (CRDs) of NetScaler Ingress Controller (NSIC) can be referenced through the extensionRef field within HTTPRoute filters. This powerful feature allows you to seamlessly integrate advanced NetScaler functionalities directly into your Gateway API configurations.
NSIC CRDs that can be referenced through extensionRef include: rewritepolicy, ratelimit, bot, waf, appqoepolicy.
Sample reference
rules:
- filters:
  - type: ExtensionRef
    extensionRef:
      group: "citrix.com"
      kind: "<crd-kind>"
      name: "<crdinstance-name>"
Note:
- CRD instances must be created without service names.
- For extensionRef in HTTPRoute filters, the group is always “citrix.com” and the kind corresponds to the NetScaler CRD type. Valid kinds include: bot, waf, rewritepolicy, ratelimit, and appqoepolicy.
You can reference NSIC CRDs for specialized processing, including:
- Bot Management (BOT): Protect your applications from malicious bot traffic by applying the sophisticated bot detection and mitigation techniques that NetScaler supports.
- Web Application Firewall (WAF): Secure your applications by integrating the robust WAF capabilities that NetScaler supports to inspect traffic and block known and zero-day attacks.
- Rewrite Policies: Apply advanced request and response rewriting rules beyond the standard Gateway API filters by using the rich rewrite policy engine of NetScaler.
- Ratelimit: Apply policies to manage the rate of incoming requests, protecting your applications from being overwhelmed.
- AppQoe Policy: Apply policies that prioritize or limit traffic based on various criteria, ensuring optimal performance for critical applications and a fair allocation of resources.
The extensionRef mechanism acts as a bridge, allowing users to tap into the extensive feature set of NetScaler while using the Kubernetes Gateway API for traffic management.
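An added example (not NetScaler code): a pre-apply check for the extensionRef rules stated in the Note above. It walks an HTTPRoute manifest, flags extensionRef entries whose group or kind falls outside the values this page lists, and reports which NSIC policies each rule actually has attached. The function name, the sample manifest and its resource names are hypothetical, and exact-string matching of kind is an assumption.

```python
import json

# From the page: extensionRef group is always citrix.com; these are the valid kinds.
# Assumption of this example: kinds are compared as exact, case-sensitive strings.
NSIC_GROUP = "citrix.com"
NSIC_KINDS = {"bot", "waf", "rewritepolicy", "ratelimit", "appqoepolicy"}

def audit_httproute(route):
    """Return (findings, attached). findings lists malformed extensionRefs;
    attached maps each rule index to the NSIC kinds validly referenced by it."""
    findings, attached = [], {}
    for i, rule in enumerate(route.get("spec", {}).get("rules", [])):
        attached[i] = set()
        for j, flt in enumerate(rule.get("filters", [])):
            if flt.get("type") != "ExtensionRef":
                continue  # standard filters (URLRewrite, header modifiers) are not checked
            where = f"rules[{i}].filters[{j}]"
            ref = flt.get("extensionRef")
            if not isinstance(ref, dict):
                findings.append(f"{where}: extensionRef block is missing")
                continue
            problems = []
            if ref.get("group") != NSIC_GROUP:
                problems.append(f"group {ref.get('group')!r} is not {NSIC_GROUP!r}")
            if ref.get("kind") not in NSIC_KINDS:
                problems.append(f"kind {ref.get('kind')!r} is not a listed NSIC kind")
            if not ref.get("name"):
                problems.append("name is empty")
            if problems:
                findings.extend(f"{where}: {p}" for p in problems)
            else:
                attached[i].add(ref["kind"])
    return findings, attached

# Constructed sample: JSON form of an HTTPRoute; all resource names are hypothetical.
SAMPLE = json.loads("""
{"kind": "HTTPRoute", "metadata": {"name": "demo-route"}, "spec": {"rules": [
  {"filters": [
    {"type": "ExtensionRef", "extensionRef": {"group": "citrix.com", "kind": "waf", "name": "demo-waf"}},
    {"type": "ExtensionRef", "extensionRef": {"group": "citrix.com", "kind": "WAF", "name": "demo-waf"}}]},
  {"filters": [
    {"type": "URLRewrite", "urlRewrite": {"path": {"type": "ReplacePrefixMatch", "replacePrefixMatch": "/new-path"}}},
    {"type": "ExtensionRef", "extensionRef": {"group": "example.com", "kind": "ratelimit", "name": "demo-limit"}}]}
]}}
""")

if __name__ == "__main__":
    findings, attached = audit_httproute(SAMPLE)
    for line in findings:
        print("FINDING", line)
    for idx, kinds in attached.items():
        print(f"rule {idx}: attached NSIC policies = {sorted(kinds) or 'none'}")
```

A rule that ends up with no attached policy after a typo in group or kind is the case worth catching in review, since the route would otherwise look protected in the manifest.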
Native support for standard HTTPRoute API filters
Building upon its HTTPRoute filter support, the NetScaler Kubernetes Gateway Controller natively implements the following standard Gateway API filters.
URLRewrite
Modify the path or host name of requests before they are forwarded to the back-end service. This filter is useful for mapping user-facing URLs to internal service paths or for migrating services without changing the public URL. Example: Rewriting /old-path to /new-path or changing the request’s host name.
- filters:
  - type: URLRewrite
    urlRewrite:
      path:
        type: ReplacePrefixMatch
        replacePrefixMatch: /new-path
  matches:
  - path:
      type: PathPrefix
      value: /old-path
# Rewrite /old-path/rest-of-the-url to /new-path/rest-of-the-url
RequestHeaderModifier and ResponseHeaderModifier
Add, set, or remove HTTP headers for incoming requests or outgoing responses. This filter can be used for various purposes, such as injecting tracing information, setting security headers, or modifying cache-control directives. Example: Adding an X-Forwarded-Proto header or removing an internal-only header from responses.
rules:
- filters:
  - type: RequestHeaderModifier
    requestHeaderModifier:
      add:
      - name: X-Forwarded-Proto
        value: http
      remove:
      - Proxy-Authenticate
  - type: ResponseHeaderModifier
    responseHeaderModifier:
      set:
      - name: X-Cache
        value: HIT
      remove:
      - Server
# Add 'X-Forwarded-Proto' and remove 'Proxy-Authenticate' in the request sent to the backend.
# Set/replace the 'X-Cache' header value and remove the 'Server' header in the response sent back to the client.