Nicklas Ryden, posted March 25, 2019

Hi,

We have problems using NetScaler LB to load-balance two Squid proxy servers. The setup is quite simple:

add server PROXY02-MGM 10.233.60.132
add server PROXY01-MGM 10.233.60.131
add ns httpProfile nshttp_default_profile_proxy -dropInvalReqs ENABLED -markHttp09Inval ENABLED -cmpOnPush ENABLED
add serviceGroup SG_PROXY_8080 HTTP -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB YES -CMP YES -downStateFlush DISABLED -httpProfileName nshttp_default_profile_proxy
add lb vserver LB_PROXY_8080 HTTP 10.233.60.151 8080 -persistenceType SOURCEIP -timeout 140 -Listenpolicy None -cltTimeout 180 -httpProfileName nshttp_default_profile_proxy
bind lb vserver LB_PROXY_8080 SG_PROXY_8080
bind serviceGroup SG_PROXY_8080 PROXY01-MGM 8080
bind serviceGroup SG_PROXY_8080 PROXY02-MGM 8080

Problem: the NetScaler doesn't add the "X-Forwarded-For" header to the initial CONNECT a client sends, but the subsequent requests do get the header added properly. We can see this both in the Squid logs and in network dumps. This is a problem because behind the NetScaler LB, the Squid servers use the X-Forwarded-For header to allow/deny connections. When the header is not set, Squid denies the connection.

We want to ask whether this is a known issue in the NetScaler version we have. Because we run an old version and an upgrade would be a big project for us, we want to know if the old version has a bug like this, or if we should continue to troubleshoot.

NS10.5: Build 57.7.nc, Date: May 14 2015
Mihai Cziraki, posted March 26, 2019

Hi!

Your HTTP profile has dropInvalReqs enabled. That means it will drop any requests with the HTTP CONNECT request method. Check this: https://support.citrix.com/article/CTX131681

So you need to disable that option or permit HTTP CONNECT. You can find more info in the link above.
Nicklas Ryden (author), posted March 26, 2019

Hi,

Changed the settings according to your suggestion:

add ns httpProfile nshttp_default_profile_proxy -markHttp09Inval ENABLED -cmpOnPush ENABLED

The result is still the same: the first request, an HTTP CONNECT, doesn't contain X-Forwarded-For, but the subsequent HTTP CONNECT requests do get X-Forwarded-For added.

Any ideas?

/n
Mihai Cziraki, posted March 26, 2019

Hi!

Unfortunately I can't test this scenario. You should try to make a packet capture and see if the NetScaler sends the X-Forwarded-For in the HTTP CONNECT to the servers. As HTTP CONNECT is used to tunnel traffic to a proxy, I don't think you need an HTTP profile. Unbind any custom HTTP profile. Only the initial connection request is HTTP; after that, the server simply proxies the established TCP connection.
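The check suggested above, as an added example that is not part of the original thread: the script below parses raw HTTP request heads as they would appear in a capture between the NetScaler and Squid, reports which requests carry X-Forwarded-For, and shows which client address a Squid ACL would end up evaluating for each one. The sample requests, the client address 10.233.70.25, the NetScaler SNIP 10.233.60.150 and the allowed client network are all constructed for the example; only the server addresses come from the thread's config. The Squid side is a deliberately simplified model of follow_x_forwarded_for with a single trusted hop, not Squid's own code.

```python
"""
Audit proxy requests for X-Forwarded-For and model the Squid allow/deny decision.

Example code for the NetScaler/Squid CONNECT discussion. All sample data below is
constructed; the peer address and ACL are assumptions, not values from the thread.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed NetScaler SNIP: with -usip NO this is the TCP peer Squid sees (not given in the thread).
LB_SNIP = "10.233.60.150"

# Constructed sample of what a capture between the NetScaler and Squid might contain:
# a first CONNECT without XFF, then requests that do carry the header.
SAMPLE_REQUESTS = [
    b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    b"X-Forwarded-For: 10.233.70.25\r\n\r\n",
    b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n"
    b"X-Forwarded-For: 10.233.70.25\r\n\r\n",
]

# Assumed Squid ACL: only real client networks are allowed, the LB's own SNIP is not.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.233.70.0/24")]


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)


def parse_request_head(raw: bytes) -> Request:
    """Parse the request line and headers of one HTTP request head (up to the blank line)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def effective_client_ip(req: Request, peer_ip: str) -> str:
    """Simplified follow_x_forwarded_for: use the XFF address when present, else the TCP peer."""
    xff = req.headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def squid_would_allow(client_ip: str) -> bool:
    """Model an http_access rule that allows only ALLOWED_CLIENT_NETS."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_CLIENT_NETS)


def audit(raw_requests, peer_ip=LB_SNIP):
    """Return (method, has_xff, effective_client_ip, allowed) for each captured request."""
    results = []
    for raw in raw_requests:
        req = parse_request_head(raw)
        ip = effective_client_ip(req, peer_ip)
        results.append((req.method, "x-forwarded-for" in req.headers, ip, squid_would_allow(ip)))
    return results


def connects_missing_xff(raw_requests):
    """The rows a practitioner is hunting for: CONNECT requests that arrived without XFF."""
    return [row for row in audit(raw_requests) if row[0] == "CONNECT" and not row[1]]


if __name__ == "__main__":
    for method, has_xff, ip, allowed in audit(SAMPLE_REQUESTS):
        verdict = "allow" if allowed else "deny"
        print(f"{method:8} xff={str(has_xff):5} client={ip:15} squid={verdict}")
```

Run against real data, the raw request heads would come from the capture rather than the constructed list. The model also makes the security caveat visible: a CONNECT without X-Forwarded-For is evaluated against the load balancer's own address, so it is denied by a client-network ACL, and conversely Squid should only honour X-Forwarded-For from the load balancer's address (follow_x_forwarded_for allow restricted to that ACL), or any client could spoof the header to pass the check.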
Paul Blitz, posted April 16, 2019

Plan B: don't use the service group command to insert the header, use a rewrite policy instead...
Nicklas Ryden (author), posted April 17, 2019

Paul Blitz said: "Plan B: don't use the service group command to insert the header, use a rewrite policy instead..."

Hi Paul,

I've tried this, and the behavior was the same, regardless of whether I used X-Forwarded-For in the service group or did a rewrite policy on the vserver.

/n