Jump to content
Welcome to our new Citrix community!

Citrix ADC - Caching HSTS Configuration duplicate?


ScubaMiike

Recommended Posts

Hi All,

 

I've run a SSL Labs scan across a Netscaler Gateway and it's coming back with "Server provided more than one HSTS Header." This is repeated each time with a clear cache. 

 

Looking through the config:

-  Only a rewrite policy is now applied on the gateway

-  Removed the SSL configuration for specifying HSTS and max-age on the same vServer (Likely where the issue was present)

-  Verified there are no SSL profiles applied to the vserver

-  No reference to HSTS on the attached policy auth server

 

Reviewing my configuration against a test environment freshly booted on 13.1_42.47 (same config as prod without the duplicate HSTS setting ), HSTS is picked up fine as expected. I've compared both ns.conf files and can't see a difference regarding HSTS or the re-write policy/action applied.

 

Looking at the Response headers, I can see Strict-Transport-Security:  max-age=15768000 showing up twice followed by Via: NS-CACHE-10.0. 

 

Now I'm starting to think this is cached along the way and the changes to remove the double config are being presented from the cache, rather than the current config. 

 

Any thoughts on the above? If its cached, is there a way to drop the cache for this vServer (unbind caching policies?) whilst I troubleshoot/avoid rebooting the appliance at the moment? I'm guessing if I have to drop the cache, it'll just recache as new connections come in regardless which vServer they hit with the policy applied.

 

Appreciate any feedback.

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...