How to set up HTTP header rewrite rules?
To set up HTTP header rewrite rules, navigate to ' Multi CDN' > 'HTTP header rewrite'.
You need to set the target domain from the ' Operation level panel'.
First, click the 'Add rule' button, then follow the two simple steps below to set up HTTP header rewrite rules.
Set up rule conditions
First, enter a rule name. Then you can specify the field, operator, and their corresponding values.
![Figure Needed: Screenshot showing HTTP header rewrite rule condition setup interface]
The 'Operator' defines how the "actual user request field and its values" relate to the "set rule field and its values". Such that when the two match, it will execute a response defined in the HTTP header rewrite action (e.g. Redirect, Replace, Force HTTPs). While 'Filter value' and 'Value' specifies the value in/of the header or URI path that you wish to apply the HTTP header rewrite to.
The table below specifies the possible input values for the filter value, operator, and value, in a specified field.
| Field | Filter value | Operator | Value |
|---|---|---|---|
| Parameter in REQUEST/GET/POST | Parameter name | Check this article | Parameter value |
| Any parameter in REQUEST/GET/POST | n/a | Check this article | Parameter value |
| # of parameters in REQUEST/GET/POST | Parameter name | =, >=, >, < | Integer |
| # of all parameters in REQUEST/GET/POST | n/a | =, >=, >, < | Integer |
| Parameter name in REQUEST/GET/POST | n/a | Check this article | Parameter name |
| # of parameter names in REQUEST | n/a | =, >=, >, < | Integer |
| Method in REQUEST | n/a | Check this article | Method |
| Header in REQUEST | Header name | Check this article | Header value |
| Any header in REQUEST | n/a | Check this article | Header value |
| # of header in REQUEST | Header name | =, >=, >, < | Integer |
| # of all headers in REQUEST | n/a | =, >=, >, < | Integer |
| Header name in REQUEST | n/a | Check this article | Header name |
| URI in REQUEST w/ query string | n/a | Check this article | URI value |
| URI in REQUEST w/ query string | n/a | Check this article | URI value |
| Geo location | n/a | Include, exclude | Country |
Field and operator definitions:
- REQUEST means request from any methods, i.e. it can be a GET request, POST request, PUT request, etc.
- GET (or POST) specifically means a GET (or POST) request (not just any request method).
- = means equal, >= means not equal, > means greater than, and < means less than.
- Include and exclude means what they meant, i.e to include and to exclude.
Filter value and value definitions:
- Parameter is what comes after "?" in a URL. Given a parameter: color=blue, the parameter name is "color", and the parameter value is "blue".
- Method means request method, e.g. GET, POST, PUT, DELETE, CONNECT, etc.
- There are 3 kinds of headers: General headers, Request headers, and Response headers. Header name/value in REQUEST means, a header name: header value on request header, e.g. host: developer.mozilla.org, user-agent: Mozilla/5.0, accept: application/xhtml+xml, etc.
You can add more conditions by pressing the '+' button. You can also delete a condition by pressing the 'Trash' icon on the right hand side of the condition.
You can see the summary description of the conditions you created as shown by the 'Hand pointer' icon.
Set up rule actions
A specific action will be executed when the user request matches the condition/s you set above are met.
You can set the specific actions by choosing one of the following: Redirect, Replace request header, Replace response header, Replace(legacy) and Force HTTPS.
![Figure Needed: Screenshot showing HTTP header rewrite action selection dropdown]
- Redirect: VNIS will redirect the request when the conditions are met. You can set the redirect status code (30x), and the link which is the URL where you want to redirect the request to.
- Replace request header: VNIS will replace the header value of a given request header name when the condition/s are met.
- Replace response header: VNIS will replace the header value of a given response header name when the condition/s are met.
- Replace(legacy): VNIS will replace the header value of a given request/response header name when the condition/s are met.
- Force HTTPS: VNIS will enable HTTPS connection when the conditions are met. This will redirect users to the secured HTTPS version of the website (As long as the website has an SSL certificate).
Supports type of replace header value field
Only replace request header and replace response header support dynamic content.
- Set static value - Sets the value of an HTTP request header to a static string value. Overrides the value of an existing header with the same name or adds a new header if it does not exist.
- Set dynamic value - Sets the value of an HTTP request header according to the provided expression. Overrides the value of an existing header with the same name or adds a new header if it does not exist.
- Remove header - Removes the HTTP request header with the provided name, if it exists.
After you finish setting the conditions and actions, click the 'Create' button to create the edge rule.
Limitation of header name field on portal
Following shows which headers are supported in request and response headers.
| Header name | Request | Response |
|---|---|---|
| User-Agent | Ok | Ok |
| Accept | Ok | Ok |
| Accept-Encoding | Ok | Ok |
| Accept-Language | Ok | Ok |
| Referer | Ok | Ok |
| CoOkie | No | Ok |
| Authorization | Ok | Ok |
| X-Forwarded-For | No | Ok |
| X-Real-IP | No | Ok |
| Host | No | Ok |
| Connection | No | Ok |
| Upgrade | No | Ok |
| Cache-Control | No | Ok |
| Content-Type | No | Ok |
| ETag | No | Ok |
| Last-Modified | Ok | Ok |
| Location | Ok | Ok |
| Strict-Transport-Security | Ok | Ok |
| Vary | No | Ok |
| X-Content-Type-Options | Ok | Ok |
| X-Frame-Options | Ok | Ok |
| X-XSS-Protection | Ok | Ok |
Supports predefined dynamic values list detail
| Field | Description |
|---|---|
| http.cookieString | Represents the entire cookie as a string. Example value:session=8521F670545D7865F79C3D7BEDC29CCE;-background=light |
| http.hostString | Represents the host name used in the full request URI. Example value:www.demo.org |
| http.refererString | Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page. Example value:Referer: https://www.demo.org/index.jsp |
| http.request.full_uriString | Represents the full URI as received by the web server (does not include #fragment, which is not sent to web servers). Example value:https://www.demo.org/inedx?oid=5139061&command=comments |
| http.request.methodString | Represents the HTTP method, returned as a string of uppercase characters. Example value:GET, POST |
| http.request.cookiesMap<String><Array> | Represents the Cookie HTTP header associated with a request as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request. Decoding: The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged. Example:any(http.request.cookies["app"][*] == "test") Example value:{"app": ["test"]} |
| http.request.timestamp.secInteger | Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long. To obtain the timestamp milliseconds, use the http.request.timestamp.msec field. Example value:1486060168 |
| http.request.timestamp.msecInteger | Represents the millisecond when WAF received the request, between 0 and 999. To obtain the complete timestamp, use both http.request.timestamp.sec and http.request.timestamp.msec fields. Example value:157 |
| http.request.uriString | Represents the URI path and query string of the request. Example value:/articles/index?oid=539061&commnad=comments |
| http.request.uri.pathString | Represents the URI path of the request. Example value:/test/index |
| http.request.uri.queryString | Represents the entire query string, without the ? delimiter. Example value:oid=539061&command=comments |
| http.user_agentString | Represents the HTTP user agent, a request header that contains a characteristic string to allow identification of the client operating system and web browser. Example value:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 |
| http.request.versionString | Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions. Example Values: HTTP/1.1 |
| http.x_forwarded_forString | Represents the full X-Forwarded-For HTTP header. Example value:59.10.131.15, 110.31.33.19 |
| ip.srcIP address | Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client by using, for example, HTTP headers such as X-Forwarded-For or X-Real-IP. Example value:93.184.216.34 |
| ip.geoip.country String | Represents the 2-letter country code in ISO 3166-1 Alpha 2 format. Example value:GB For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia. |
Remove and modify response header behavior
Some specific response header should not be modified or deleted by nginx. Following is the test result of removing the response header.
It is recommended that you do not delete or modify the following specific headers, as it will affect the performance and correctness of the response.
| remove response header | could be removed |
|---|---|
| Content-Type | TRUE |
| Content-Length | TRUE |
| Connection | FALSE |
| Server | TRUE |
| Date | FALSE |
| Last-Modified | TRUE |
| Vary | TRUE |
| ETag | TRUE |
| Accept-Ranges | TRUE |
| Via | FALSE |