ADC

HTTP configurations

Important:

Starting from NetScaler release 13.0 build 71.x, a NetScaler appliance can handle large header size HTTP requests to accommodate the L7 application requests. The header size can be configurable up to 120 KB.

HTTP configurations for a NetScaler appliance can be specified in an entity called an HTTP profile, which is a collection of HTTP settings. The HTTP profile can then be associated with services or virtual servers that want to use these HTTP configurations.

A default HTTP profile can be configured to set the HTTP configurations that are applied by default, globally to all services and virtual servers.

Note:

When an HTTP parameter has different values for service, virtual server, and globally, the value of the most-specific entity (the service) is given the highest precedence.

The NetScaler appliance also provides other approaches for configuring HTTP. Read on for more information.

The NetScaler supports a WebSocket protocol which allows browsers and other clients to create a bi-directional, full duplex TCP connection to the servers. The NetScaler implementation of WebSocket is RFC 6455 compliant.

Note:

A NetScaler appliance supports the User Source IP (USIP) address configuration for both HTTP/1.1 and HTTP/2 protocols.

Setting global HTTP parameters

The NetScaler appliance allows you to specify values for HTTP parameters that are applicable to all NetScaler services and virtual servers. This can be done using:

  • Default HTTP profile
  • Global HTTP command

Default HTTP profile

An HTTP profile, named as nshttp_default_profile, is used to specify HTTP configurations that are used if no HTTP configurations are provided at the service or virtual server level.

Notes:

  • Not all HTTP parameters can be configured through the default HTTP profile. Some settings are performed by using the global HTTP command (see the following section).

  • The default profile does not have to be explicitly bound to a service or virtual server.

To configure the default HTTP profile

  • Using the command line interface, at the command prompt enter:

    set ns httpProfile nshttp_default_profile …

  • On the GUI, navigate to System > Profiles, click HTTP Profiles and update nshttp_default_profile.

Global HTTP command

Another approach you can use to configure global HTTP parameters is the global HTTP command. In addition to some unique parameters, this command duplicates some parameters that can be set by using an HTTP profile. Any update made to these duplicate parameters is reflected in the corresponding parameter in the default HTTP profile.

For example, if the maxReusePool parameter is updated using this approach, the value is reflected in the maxReusePool parameter of the default HTTP profile (nshttp_default_profile).

Note:

We recommend you to use this approach only for HTTP parameters that are not available in the default HTTP profile.

To configure the global HTTP command

  • Using the command line interface, at the command prompt enter:

    set ns httpParam …

  • On the GUI, navigate to System > Settings, click Change HTTP parameters and update the required HTTP parameters.

To configure an ignore Coding scheme for connect request

To enable HTTP/2 and set HTTP/2 parameters to ignore the Coding scheme in the connect request, at the command prompt, type:

set ns httpParam [-ignoreConnectCodingScheme ( ENABLED | DISABLED )]

Example:

set ns httpParam -ignoreConnectCodingScheme ENABLED

To bind the HTTP profile to a virtual server by using the NetScaler command line

Configure HTTP profile to drop TRACE or TRACK invalid requests

You can enable the markTraceReqInval parameter to mark TRACK and TRACK requests as invalid. When you enable this option along with the dropInvalidReqs option on the virtual IP address, you can reset a client sending TRACE or TRACK requests to a NetScaler appliance.

To configure the HTTP profile using the CLI

At the command prompt, type:

set ns httpProfile <profile name> [-markTraceReqInval ENABLED | DISABLED ]

Example:

set ns httpProfile profile1 -markTraceReqInval ENABLED

Configure HTTP profile for a service group

At the command prompt, type:

add serviceGroup <serviceGroupName>@ <serviceType> [-cacheType <cacheType>] [-td <positive_integer>] [-maxClient <positive_integer>] [-maxReq <positive_integer>] [-cacheable ( YES | NO )] [-cip ( ENABLED | DISABLED ) [<cipHeader>]] [-usip ( YES | NO )] [-pathMonitor ( YES | NO )] [-pathMonitorIndv ( YES | NO )] [-useproxyport ( YES | NO )] [-healthMonitor ( YES | NO )] [-sp ( ON | OFF )] [-rtspSessionidRemap ( ON | OFF )] [-cltTimeout <secs>] [-svrTimeout <secs>] [-CKA ( YES | NO )] [-TCPB ( YES | NO )] [-CMP ( YES | NO )] [-maxBandwidth
<positive_integer>] [-monThreshold <positive_integer>] [-state ENABLED DISABLED )][-downStateFlush ( ENABLED | DISABLED )] [-tcpProfileName <string>] [-httpProfileName <string>] [-comment <string>] [-appflowLog ( ENABLED | DISABLED )] [-netProfile <string>] [-autoScale <autoScale> -memberPort <port> [-autoDisablegraceful ( YES | NO )] [-autoDisabledelay <secs>] ] [-monConnectionClose ( RESET | FIN )]

<!--NeedCopy-->

Example:

add serviceGroup Service-Group-1 HTTP -maxClient 0 -maxReq 0 -cip ENABLED -usip NO -useproxyport YES -cltTimeout 200 -svrTimeout 300 -CKA NO -TCPB NO -CMP NO -httpProfileName profile1

Configure the HTTP profile using the NetScaler GUI

To mark TRACE or TRACK invalid requests, complete the following procedure.

  1. Sign into NetScaler appliance and navigate to Configuration > System > Profiles.
  2. In the HTTP Profiles tab page, click Add.
  3. In the Create HTTP Profile page, select Mark TRACE Requests as Invalid option.
  4. Click Create.

Setting service or virtual server specific HTTP parameters

Using HTTP profiles, you can specify HTTP parameters for services and virtual servers. You have to define an HTTP profile (or use a built-in HTTP profile) and associate the profile with the appropriate service and virtual server.

Note:

You can also modify the HTTP parameters of default profiles as per your requirements.

To specify service or virtual server level HTTP configurations by using the command line interface

At the command prompt, perform the following:

  1. Configure the HTTP profile.

    set ns httpProfile <profile-name>...

  2. Bind the HTTP profile to the service or virtual server.

    To bind the HTTP profile to the service:

set service <name> .....

Example:

> set service service1 -httpProfileName profile1
<!--NeedCopy-->

To bind the HTTP profile to the virtual server:

set lb vserver <name> .....

Example:

> set lb vserver lbvserver1 -httpProfileName profile1
<!--NeedCopy-->

To specify service or virtual server level HTTP configurations by using the GUI

At the GUI, perform the following:

  1. Configure the HTTP profile.

    Navigate to System > Profiles > HTTP Profiles, and create the HTTP profile.

  2. Bind the HTTP profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, and create the HTTP profile, which must be bound to the service/virtual server.

Built-in HTTP profiles

For convenience of configuration, the NetScaler provides some built-in HTTP profiles. Review the profiles listed and use it as it is or modify it to meet your requirements. You can bind these profiles to the required services or virtual servers.

Built-in profile Description
nshttp_default_profile Represents the default global HTTP settings on the appliance.
nshttp_default_strict_validation Settings for deployments that require strict validation of HTTP requests and responses.

Sample HTTP configurations

Sample command line interface examples to configure the following:

  • HTTP band statistics
  • WebSocket connections

HTTP band statistics

Specify the band size for HTTP requests and responses.

> set protocol httpBand reqBandSize 300 respBandSize 2048

> show protocol httpband -type REQUEST
<!--NeedCopy-->

WebSocket connections

Enable WebSocket on the required HTTP profile.

> set ns httpProfile http_profile1 -webSocket ENABLED

> set lb vserver lbvserver1 -httpProfileName profile1

<!--NeedCopy-->

Configure the NetScaler appliance to delete or pass the upgrade header to the back-end server

The passProtocolUpgrade parameter in the HTTP profile prevents attack on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.

  • If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back-end server. The server accepts the upgrade request and notifies it in its response.
  • If the parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back-end server.

The passProtocolUpgrade parameter is added to the following profiles:

  • nshttp_default_profile - enabled by default
  • nshttp_default_strict_validation - disabled by default
  • nshttp_default_internal_apps - disabled by default
  • nshttp_default_http_quic_profile - enabled by default

We recommend you to set the passProtocolUpgrade parameter to disabled by default.

Set the passProtocolUpgrade parameter by using the CLI

At the command prompt, type the following:

set ns httpProfile <name> [-passProtocolUpgrade ( ENABLED | DISABLED )]

Example:

set ns httpProfile profile1 -passProtocolUpgrade ENABLED

Set the passProtocolUpgrade parameter by using the GUI

  1. Navigate to System > Profiles > HTTP Profiles.
  2. Create or edit an HTTP profile.
  3. Select Pass Protocol Upgrade.

Configure HTTP profile to validate host headers

From NetScaler release 14.1-21.x, NetScaler supports validating the host headers in the incoming HTTP requests to prevent host header injections or attacks.

When the host header validation is enabled, the following checks are performed:

  • The length of the host header that is the IP address or the DNS name portion of the host header is not more than 255 characters.
  • The port number, if specified, is not more than 5 characters because the maximum port number is 65535.

If the host header does not adhere to the defined conditions, such HTTP requests are dropped.

By default, the host header validation is disabled in default profiles and enabled in secure or strict HTTP profiles.

Validate HTTP host headers using the NetScaler CLI

At the command prompt, type the following:

set ns httpprofile <name> -hostHeaderValidation (ENABLED | DISABLED)
<!--NeedCopy-->

Example:

set ns httpProfile http_profile1 -hostHeaderValidation ENABLED
<!--NeedCopy-->

Validate HTTP host headers using the NetScaler GUI

  1. Navigate to System > Profiles > HTTP Profiles.
  2. Create or edit an HTTP profile.
  3. In the Configure HTTP Profile page, select Host header validation.

Configure HTTP profile to validate duplicate HTTP headers

Starting from NetScaler release 14.1-29.x, you can configure HTTP profiles to validate and manage duplicate HTTP headers, ensuring more robust and secure traffic handling. You can set a maximum of 15 duplicate headers in HTTP profiles. If the number of duplicate headers for known header fields exceeds this limit, the connection is terminated. By default, the HTTP default profile is set to 0, maintaining the legacy behavior where duplicate header validation is not enforced. For all other profiles, the default limit is set to 15. Use the maxDuplicateHeaderFields parameter in the HTTP profile to set the maximum limit for duplicate headers. This value can be configured using the NetScaler CLI or GUI.

Validate duplicate HTTP headers using the NetScaler CLI

At the command prompt, type the following:

set ns httpprofile <name> -maxDuplicateHeaderFields <value>
<!--NeedCopy-->

Example:

set ns httpprofile http_profile1 -maxDuplicateHeaderFields 5

Validate duplicate HTTP headers using the NetScaler GUI

  1. Navigate to System > Profiles > HTTP Profiles.
  2. Create or edit an HTTP profile.
  3. In the Configure HTTP Profile page, enter a value in the Max Duplicate Header Fields.