Expand you Citrix NetScaler Virtual Servers with a security.txt file

A “security.txt” file is a standard proposed by security researcher Ed Foudil in 2017 as a way for websites to define a security policy. It’s akin to the well-known “robots.txt” file which specifies rules for web crawlers. The security.txt file allows website owners to provide information to security researchers about how to report security vulnerabilities or concerns.

Since April 2022, Security.txt has been an Internet Engineering Task Force (IETF) informational standard

I received a request to provide several websites with a security.txt file, which should be placed in the /.well-known directory. Since most of these websites were accessed through a Citrix NetScaler, it seemed more efficient to set this up via the Citrix NetScaler. Before I delve into the Citrix NetScaler configuration, let me briefly describe how to create a security.txt file.

The website Securitytxt.org provides an online generator, allowing you to quickly assemble your security.txt file. The Contact and Expires fields are mandatory, while the remaining fields are optional and can be filled in as desired.

After generating a security.txt file, it is advisable to sign your message with a digital signature.

On the OpenPGP website, there are several applications available for creating, signing, and verifying a PGP key. For this blog, I used GpgFronted, and the screenshots are from this application. However, as mentioned, there are many other tools that can accomplish the same tasks.

Select ‘Manage Keys’ from the menu bar, and then choose ‘New keypair’ to create a personal PGP key. This key consists of a private and public key pair. The private key is used to sign your messages and should not be shared. The public key part should be made available on your site so that it can be used to verify your signed messages.

Export the PGP key, specifically the public key. We’ll need this later and will also have to add it to our website. It should be available on your website; in my case, it’s https://www.rinkspies.com/pgp-key.txt.

Next, paste the content of the previously created security.txt into the tool. Then, select the newly created PGP key and click on ‘Sign’ from the menu bar. This action will sign the text within security.txt with your personal PGP signature.

Save the file signed with the PGP key as “security.txt”. We then upload the security.txt (/.well-known/security.txt) and the public part of your pgp-key.txt (/pgp-key.txt) files to your website.

Following that, we proceed to create two Responder actions and policies on the Citrix NetScaler, one for pgp-key.txt and the other for /.well-known/security.txt. While this can be accomplished through the NetScaler GUI, I will demonstrate using the CLI (Command Line Interface).

add responder action RES_ACT_Security_txt redirect "\"https://www.rinkspies.com/.well-known/security.txt\""

add responder policy RES_POL_Security_txt "HTTP.REQ.URL.PATH.STARTSWITH(\"/.well-known/security.txt\")" RES_ACT_Security_txt

add responder action RES_ACT_PGP_Key redirect "\"https://www.rinkspies.com/pgp-key.txt\""

add responder policy RES_POL_PGP_KEY "HTTP.REQ.URL.PATH.STARTSWITH(\"/pgp-key.txt\")" RES_ACT_PGP_Key

In the example above, I uploaded the necessary files security.txt and pgp-key.txt to an external website, but what if you don’t have them or don’t want to use them? Well, in that case, you can also have the files created via a Responder Respondwith action. In that case, you replace the previously created Responder actions with the following

add responder action RES_ACT_PGP_Key respondwith "\"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGYf6a4BEADUdLxrJ8qDDy3QVu1t+ZmrpOaTRSKKitWkIPWAjdaTU+1WD6YF\nOMD3GlKeDbUHOQ6+bx9kHimkxZIg4FhUpqopT9PDqtjNdsLrxWzrGuTqGRRWCt8w\nmpGRlRTt9cg6sfmTZcKTYY0jCNHzrkNMmQ+47gg4ET6WLN1+2OKnV6Gf0NZJdMoT\nsRNe5VogAMqaIwoAHwEhRzMEyhCsh91i8CmNFzfZpLMZ5kp+o5EYrLWwroCXR1/s\nzVOvNQaCvRKiJ+ujSWPRHQAnNFxC2knuCbRAa4Nw+oImWIkQx55S1i2jRVgjzd3k\ntR+GTKTszEqtjBZW8w/DP3T5WVg8ZK+mGuuvjqUPnvvEXvJVqEu2cTbe5sFHHTn4\n3ebZ7Xy4R9+C5ycFSQXrBUMjBNOVJDzHywzBi0fRTGsjo7g/pzD9pOFTXjMwHHDW\nlA+aO1gwlD5JS5LD8ZmiMHaApS/Guyqd0OIniUVZb8g1jLPI7WmyScBp56YgZiAH\nFgurggixklUlXgjEKteqpMwYKUsKVlTlIOWkcx4mgsCbChA319K3MOHGH1wDhoMw\nawAaPNnEgPbfT/E84m9hsxaQkJ8GtjnrhKvpMC9I2YBJaXJrRYJ6ADEglBT9secJ\n6bIA5jf+9JehmBjfDIPDPzxu+ueZH6gE9alJfyXwQ7D1ACsWSvHAz8LshQARAQAB\ntCZSaW5rU3BpZXMgLSAyMDI0KCk8Y2VydEByaW5rc3BpZXMuY29tPokCVwQTAQgA\nQRYhBAoQExY2zNsqDXYyjjz8c0fswjBrBQJmH+muAhsvBQkDwmXuBQsJCAcCAiIC\nBhUKCQgLAgQWAgMBAh4HAheAAAoJEDz8c0fswjBrsxAQAJD2uST9Rb9rSbA45xiB\nik/EQzsw8APzX1j2zacd55HjtBnMAkDDg1kDbXrE6qdDeoOTLFTwT5yhhJ8R2qmG\nR4BFBIj8fPIGfDfKjgIPcLFol/pXxdd4mnVcYh8Oh43H0Aioe37/GnZw/4FT8jpw\nFRPmoRP1eLZoZBGNigffLaPkNoHd5tT3VSxkH2qFLaDBFAtE1rJsLlTG1l3+77GF\nNJHrLEiFDd/RTtqx8j/Tf33idYwY1n2agIIkzy+k6reFtbFfn8ywqgUbmKV6Ibyq\nO3+SjMhE72py1UjBdpOq861xG+16YwOSkaOLpJTYJQqLy+5bPF4xVhJKEFuDHux+\nKdYkhJG/F3xqqMkGGg3LbMOcv0Q+VWKVpg/DFEG8jAHAGT/dImxCbKvCeLAB20o3\n0n4T9Tw1MbOkHZxjEwWoLWwZwDPC1mSt/d0GMxeObYFaLcNJTP78iUqNfDDFz5BH\na+Cls76fWTLs5j6ucJQ/oUKFx4mfhHCkal2WrEjjJfThqmbfGtZ7gKYxGgwAqct5\ngdyNjnwZElaOF+DmT4TUOPE5Fk3oXGnPq3Euz9bfBx9D/xBbltLTX0IRDbqpsR7d\nQVbpiGfXmFhwAxPuWgimltBRUm1G/Ec7UvSQCAqOyCYuOnypsBObaQaEjIdjKt4v\nn9UpKY2fiVckmezS7QpMxX4A\n=h0gn\n\n-----END PGP PUBLIC KEY BLOCK-----\"" -comment pgp-key.txt

add responder action RES_ACT_Security_txt respondwith "\"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nContact: mailto:security@rinkspies.com\nExpires: 2025-12-30T23:00:00.000Z\nEncryption: https://www.rinkspies.com/pgp-key.txt\nPreferred-Languages: nl, en\nCanonical: https://www.rinkspies.com/.well-known/security.txt\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEChATFjbM2yoNdjKOPPxzR+zCMGsFAmYf6qMACgkQPPxzR+zC\nMGt8jg/+Iq434mmrzkumTvnpAEVRPovNaCXY8bxdvjUBZ3khD25KbhWtzDgE71XG\n3BxKqG1nbGuGOFXpdxzKXABsicgYd6JxNrWN3nLMBkLCScsTUcN3e1vnFCFsCX5l\nvGKowttuOpZ9xgCPTWK9iJON7KXk1Hip+NvYTL2s9Pwovd5LX7kvZjXmNChhCwr2\nmYtfipFJYhDVq+wp6kG2Bo9UpYdbTs5EtufJyyCDTaaHGl1IUE75O308n/7O+yTc\negulr1K8hqanJhojShOWZDWAZ+86RnPHVi7NRHGMTJb4ssbA/z1uX/3Vt2QV9Y1o\n3kyl61GNBt94VKJPoWDw5OqoZDQt9EtUPQh4CnfV2dSkHNm0b5/8zoFLWobDYIb6\n5I6LRWXxeLWRJqv0PsFnSVcXOyUd+s82/UifaVuATosIDiGE8CEdEK5OdBDBUICh\nAFntEORfBsuJsjoPEquXwddiLxIgTVf0tvXP87/Li0p9q+l7sk86rSvVzQ5Xbs1S\nt+fFpf6lrcZoc4RaozIMnWNGl5Ntc7ETp3F52UDVS1Rq+gWGfHXLaUkyv/oeFiWu\nB5aX+7udqcbS7JWuNikcvJIz7i/e/+GST8+BUJ+6k1xsIk80GRo6X8arSM55UKB+\nMe5n6XmkFxKt3brPJ4VB/6k2VFQJKuFX7v87ORlrnywWpffKkk8=\n=/dDm\n-----END PGP SIGNATURE-----\"" -comment Security.txt	

To complete the setup, we link these Responder Policies to all our virtual servers, each of which should contain a security.txt file. In this example, I’m connecting them to a Content Switching virtual server named MyContentSwitch..

bind cs vserver MyContentSwitch -policyName RES_POL_Security_txt -priority 110 -gotoPriorityExpression END -type REQUEST

bind cs vserver MyContentSwitch -policyName RES_POL_PGP_KEY -priority 100 -gotoPriorityExpression END -type REQUEST