Nova Rules

Nova Rules allow you to configure custom redirects, rewrites, access control, rate limits and more. Please familiarize yourself with the documentation before deploying any rules, as this is an advanced feature.

Usage

You can find Nova Rules in the tabbed menu navigation for any HTTP/SSL enabled ADC type, including Agent-based, API, SSL, and HTTP ADCs.

Rules are separated into Frontend Rules and Backend Rules. Different rule types are appropriate for each configuration section, but in general:

  • Frontend rules are for altering or interacting with REQUESTS as they ARRIVE
  • Backend rules are for altering or interacting with RESPONSES as they RETURN

The Rules engine is extremely powerful, but also capable of causing unintended actions or issues with ADCs when misused. Please ask Snapt support for assistance where required.

Frontend Examples

We have provided several example rules for the most common use cases below.

Redirects

For a large number of redirect rules with their own ACLs, Nova Rules is the best option. This replaces the need to have a redirect backend per hostname. Several examples are provided below.

# Redirect all traffic with HTTP host "oldwebsite.com" to https://www.newwebsite.com
http-request redirect code 301 location https://www.newwebsite.com if { hdr(host) -i oldwebsite.com }

# Redirect any requests to /snapt to /example/snapt2
http-request redirect code 301 location /example/snapt2 if { path /snapt }

# Add a prefix /api/20220101 to any requests to /getUser*
# (the prefix is prepended to the full URI, so it takes no trailing slash)
http-request redirect code 301 prefix /api/20220101 if { path_beg /getUser }

# Redirect an old url to a new one
acl old_bad_path path /old/bad/path.php
http-request redirect code 301 location https://%[hdr(host)]/new/great/path.php if old_bad_path

# Change the domain of a request
http-request redirect prefix https://api.domain.com code 301 if { hdr(host) -i oldname.domain.com }

Access Control

You may restrict access to paths, hostnames, and more based on any ACL list.

# Deny any access to /api/ except for 10.0.0.0/8
http-request deny if { path_beg -i /api/ } !{ src 10.0.0.0/8 }

# Deny any access to api.snapt.net except for 10.0.0.0/8
http-request deny if { hdr(Host) -i api.snapt.net } !{ src 10.0.0.0/8 }

# Deny POST and DELETE requests to an endpoint
http-request deny if { path_beg /api/coins } { method POST DELETE }

Header Manipulation

Nova Rules support altering the headers of requests or responses, and can replace, delete or add headers to requests.

# Add a custom header to all requests
http-request add-header X-CustomHeader Example

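# Rewrite any insecure cookies to have the Secure flag on
# (replace-header rewrites the whole header value; replace-value splits on commas, which breaks Expires dates)
http-response replace-header Set-Cookie (.*) \1;\ Secure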

# Remove a header from your responses
http-response del-header Server
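
Added example (not Snapt's code): a Python model of the Set-Cookie rewrite above, comparing a rewrite applied to each comma-separated piece of the header with one applied to the whole header, plus a variant that skips cookies already marked Secure. The comma-splitting model, the function names and the sample cookies are assumptions constructed for illustration.

```python
import re

def rewrite_whole(value):
    """Whole-header rewrite: (.*) sees the complete Set-Cookie value."""
    return re.fullmatch(r"(.*)", value).expand(r"\1; Secure")

def rewrite_per_value(value):
    """Assumed model of a per-value rewrite: split on commas, rewrite each piece."""
    return ",".join(rewrite_whole(piece) for piece in value.split(","))

def attributes(value):
    """Parse one Set-Cookie value into {lowercased attribute name: value}."""
    attrs = {}
    for item in value.split(";")[1:]:          # item 0 is the cookie's name=value
        name, _, val = item.strip().partition("=")
        attrs[name.lower()] = val
    return attrs

def rewrite_if_missing(value):
    """Whole-header rewrite that leaves cookies already marked Secure alone."""
    return value if "secure" in attributes(value) else rewrite_whole(value)

# Constructed sample headers (not captured traffic)
WITH_EXPIRES = "sid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"
ALREADY_SECURE = "theme=dark; Path=/; Secure"

if __name__ == "__main__":
    for label, fn in (("per-value", rewrite_per_value),
                      ("whole", rewrite_whole),
                      ("if-missing", rewrite_if_missing)):
        for sample in (WITH_EXPIRES, ALREADY_SECURE):
            print(f"{label:10} {fn(sample)}")
```

The per-value rewrite cuts the Expires date at its comma, and the unconditional whole-header rewrite duplicates the flag on cookies that already carry it.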

Rate Limits

Rate limiting is typically done in the ADC configuration or WAF Profile, but advanced users can leverage our request tracking to limit clients as shown below.

# Rate limit anyone in our local network with > 500 requests in 30 seconds (gpc0 rate period is 30s)
acl exceeds_local_limit sc_gpc0_rate(0) gt 500
http-request deny if exceeds_local_limit { src 10.0.0.0/8 }

# Rate limit everyone else with > 100 requests in 30 seconds (gpc0 rate period is 30s)
acl exceeds_limit sc_gpc0_rate(0) gt 100
http-request deny if exceeds_limit !{ src 10.0.0.0/8 }

Allow all GET or HEAD requests, Block Other

You may base access control on HTTP verbs as well, which is extremely useful when combined with JWT authentication and scope-specific limitations.

# Accept GET OR HEAD requests and skip further checks
http-request allow if { method GET } || { method HEAD }
http-request deny

Native Response Generation

Nova can respond directly to client requests with simple HTTP responses. Below is an example of replying PONG to any PING requests.

http-request return status 200 content-type "text/html; charset=utf-8" lf-string "PONG" if { path -i /ping }

Here’s a more complex example, and the results from it:

http-request return status 200 content-type "text/plain; charset=utf-8" lf-string "You're accessing: %[req.hdr(host)]:%[dst_port] \nFrom: %[src]. \n" if { path /myip }
# curl -k https://example.com/myip
You're accessing: example.com:443
From: 192.168.1.1

Path Replacement

You may replace parts of a path on requests using replace-path. The example below appends /foo to the path and keeps the query parameters.

# /a/b/c?x=y  -->  /a/b/c/foo?x=y
http-request replace-path ([^?]+)(\?{1}[^?]+)? \1/foo

replace-pathq performs the same action, but the match and the replacement also cover the query string.

# Remove the query string and add /foo
# /a/b/c?x=y  -->  /a/b/c/foo
http-request replace-pathq ([^?]+)(\?{1}[^?]+)? \1/foo

# Add foo=bar to the query string while adding /foo to the path
# /a/b/c?x=y  -->  /a/b/c/foo?x=y&foo=bar
http-request replace-pathq ([^?]+)(\?{1}[^?]+)? \1/foo\2&foo=bar
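
Added example (not part of the original page or Snapt's code): a Python dry run of the regex and templates above, so a rewrite can be checked against sample URIs before the rule is deployed. It assumes the regex is matched against the path (replace-path) or the path plus query string (replace-pathq) and that the whole target is replaced by the expanded template; Python's re stands in for the proxy's regex engine, and add_param_guarded is a hypothetical helper.

```python
import re

PATTERN = r"([^?]+)(\?{1}[^?]+)?"   # regex from the rules on this page

def rewrite(uri, template, include_query):
    """Model replace-path (include_query=False) or replace-pathq (True).

    Assumption: on a match, the whole target (path, or path plus query
    string) is replaced by the expanded template.
    """
    path, sep, query = uri.partition("?")
    target = uri if include_query else path
    match = re.search(PATTERN, target)
    if match is None:
        return uri
    rewritten = match.expand(template)        # unmatched groups expand to ""
    return rewritten if include_query else rewritten + sep + query

def add_param_guarded(uri):
    """Choose the template by whether a query string exists, as two
    conditional rules would, so '&' is never appended to a bare path."""
    template = r"\1/foo\2&foo=bar" if "?" in uri else r"\1/foo?foo=bar"
    return rewrite(uri, template, include_query=True)

def failures(cases):
    """Return (uri, expected, got) for each case that rewrites unexpectedly."""
    out = []
    for uri, template, include_query, expected in cases:
        got = rewrite(uri, template, include_query)
        if got != expected:
            out.append((uri, expected, got))
    return out

# Expected results taken from the comments on this page
PAGE_CASES = [
    ("/a/b/c?x=y", r"\1/foo", False, "/a/b/c/foo?x=y"),
    ("/a/b/c?x=y", r"\1/foo", True, "/a/b/c/foo"),
    ("/a/b/c?x=y", r"\1/foo\2&foo=bar", True, "/a/b/c/foo?x=y&foo=bar"),
]

if __name__ == "__main__":
    print(failures(PAGE_CASES))
    print(rewrite("/a/b/c", r"\1/foo\2&foo=bar", True))   # request without a query string
    print(add_param_guarded("/a/b/c"))
```

For a request with no query string, the template that appends &foo=bar produces /a/b/c/foo&foo=bar, which is why the guarded variant picks its template by whether a query string is present.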

You may also entirely overwrite the path using set-path, or the path and query string together using set-pathq:

# Prepend /foo to the path
# /a/b/c?x=y  -->  /foo/a/b/c?x=y
http-request set-path /foo%[path]

# Strip off the query string
# /a/b/c?x=y  -->  /foo/a/b/c
http-request set-pathq /foo%[path]

Backend Examples

We have provided several example rules for the most common use cases below. These are for the Nova Rules in a Backend, and apply to any ADC using the Backend.

Header Manipulation

Nova Rules support altering the headers of requests or responses, and can replace, delete or add headers to requests.

# Add the via header with our hostname
http-response add-header X-Via %[env(HOSTNAME)]

# Remove cache header if exists
http-response del-header X-Cache

Backends Advanced Rules

In contrast to the above, the "Advanced Rules Editor" under the Listen and Backends section of your ADC lets you customize your selection of backends using the Nova Rules editor.

This is an advanced feature for use with Snapt engineering assistance, and must be enabled by going to your Organization Preferences and enabling "Enable Advanced Backend Rules".

Below is an example of using this feature to set backends for an ADC.

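# Match on the client source address
acl zaOfficeIp src 102.36.5.244
acl usOfficeIp src 134.122.119.0/24
# Match on the request path
acl assetsImgPath path -i -m beg /assets/img
acl assetsJsExtensions path_end .js .tx .jsx

# Conditions on one line are ANDed; || separates alternatives
use_backend %backend:1% if zaOfficeIp assetsImgPath || usOfficeIp assetsImgPath
# Same condition as the rule above: use_backend rules are checked in order and the first match wins, so this line is never reached
use_backend %backend:2% if zaOfficeIp assetsImgPath || usOfficeIp assetsImgPath
use_backend %backend:2% if zaOfficeIp assetsJsExtensions || usOfficeIp assetsJsExtensions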

To discover the %backend:X% id field, type Backend in the editor and an autocomplete list will show all the options.