Jump to content
Welcome to our new Citrix community!

Netscaler destroy HTTP Header


nlffel439

Recommended Posts

Hello everyone,

 

I have the following problem and maybe someone can help me. 


The Netscaler seems to destroy the header information sent from the backend to the Client.

The header information arrives correctly from the backend, but after passing the Netscaler the header information is destroyed.

 

The " Connection:Close" becomes "Cneonction: close".

I know that this can also be related to the "keep alive feature", but I have disabled this feature globally.

 

 

Nevertheless the Netscaler still brings the wrong header information, this leads then among other things also to the fact that a web server behind the ContentSwitch with search inquiries which return too much results with the error message: 

"Error Fetching http body, No Content-Length, connection closed or chunked data".

 

But we expect the following response (direct call via internal URL):

Quote

 

HTTP/1.1 200

Access-Control-Allow-Methods: OPTIONS, POST

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: Content-Type, Accept

OUR APPLICATION-API-Version: 5.2

Content-Type: text/xml;charset=UTF-8

Date: Tue, 30 Nov 2021 15:52:39 GMT

Connection: close

 

 

We then get the following response (via the Netscaler):

Quote

 

HTTP/1.1 200

Access-Control-Allow-Methods: OPTIONS, POST

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: Content-Type, Accept

OUR APPLICATION-API-Version: 5.2

Content-Type: text/xml;charset=UTF-8

Date: Tue, 30 Nov 2021 15:50:11 GMT

Cneonction: close

 

 

Because of problems with HTTP1.1 we have to prevent backend Server from Sending Chunked Responses:

 

add rewrite action no_chunk replace http.req.version "\"HTTP/1.0\""
add rewrite policy no_chunk_pol true no_chunk
bind rewrite global no_chunk_pol 10 NEXT -type REQ_DEFAULT

Client (HTTP/1.1) >>>>> Netscaler (HTTP/1.0) >>>>> Web service

Maybe someone has a tip that could help me.

 

Link to comment
Share on other sites

Is this traffic being load balanced only OR also processed by app firewall or other features?

Which firmware are you using?

 

ADC natively corrupts certain headers to take over certain functions, such as connection management.  

 

If you are using AppFirewall, some of this may apply:

There used to be a Citrix KB article that summarized all header changes made by appfirewall specifically; that article in its entirety isn't online anymore, but Johannes Norz summarizes most of those changes here:  https://norz.at/?p=889

AppFirewall with request streaming will force request time chunking so the connection header has to be corrupted.

Response time processing is chunked automatically.

 

For load balancing without AppFirewall,

1) IF you disable CKA globally, please not the service or servicegroup property still overrides. Be sure this is disabled on the service or servicegroup; if on, the service propery overrides the global off. (Different parameters are handled differently in this regard, but usip/cka/tcp buffer can be off globally and still on per service or servicegroup).

2) If you are using any other request time header or body rewrite policies (or response time rewrites), then the content length header has to be corrupted as the final "rewritten" request or response is not known at time headers are generated:  https://support.citrix.com/article/CTX211605.  

 

Otherwise if the app breaks due to response time chunking, then forcing http 1.0 is the way to prevent the adc from doing it:  https://support.citrix.com/article/CTX121948

However, I'm not sure you need to bind the rewrite policy globally, why not bind it to the lb or cs vserver in use to limit the scope of these changes?

 

The only other thing would be to possibly keep the app in USIP mode (but they may brink other issues with it and may not be suitable if you are also doing content switching.)

 

 

 

 

 

 

Link to comment
Share on other sites

I have disabled Client Keep Alive on all involved services in addition to the Globalan CKA feature.

This has not brought any solution

 

I don't know which rewrite policy corrupts the content length headers here.

I use the following headers directly on the Content Switching vServer:

 

image.thumb.png.9b9879bf2ab49e2254d1af30b6d637ff.png

 

I had set the "Chunking Policy" Global first, but had no improvement, the policy is now bound to the Content Switching vServer only and to the Web Service vServer in the Content Switching backend. Unfortunately this does not bring any success either 

 

With USIP the whole content switching construct does not work anymore 

 

Link to comment
Share on other sites

  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...