-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configure a NetScaler VPX on KVM hypervisor to use Intel QAT for SSL acceleration in SR-IOV mode
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Configure DNS resource records
-
Configure NetScaler as a non-validating security aware stub-resolver
-
Jumbo frames support for DNS to handle responses of large sizes
-
Caching of EDNS0 client subnet data when the NetScaler appliance is in proxy mode
-
Use case - configure the automatic DNSSEC key management feature
-
Use Case - configure the automatic DNSSEC key management on GSLB deployment
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
-
-
-
Authentication and authorization for System Users
-
HTTP Configurations
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
HTTP configurations
Important:
Starting from NetScaler release 13.0 build 71.x, a NetScaler appliance can handle large header size HTTP requests to accommodate the L7 application requests. The header size can be configurable up to 120 KB.
HTTP configurations for a NetScaler appliance can be specified in an entity called an HTTP profile, which is a collection of HTTP settings. The HTTP profile can then be associated with services or virtual servers that want to use these HTTP configurations.
A default HTTP profile can be configured to set the HTTP configurations that are applied by default, globally to all services and virtual servers.
Note:
When an HTTP parameter has different values for service, virtual server, and globally, the value of the most-specific entity (the service) is given the highest precedence.
The NetScaler appliance also provides other approaches for configuring HTTP. Read on for more information.
The NetScaler supports a WebSocket protocol which allows browsers and other clients to create a bi-directional, full duplex TCP connection to the servers. The NetScaler implementation of WebSocket is RFC 6455 compliant.
Note:
A NetScaler appliance supports the User Source IP (USIP) address configuration for both HTTP/1.1 and HTTP/2 protocols.
Setting global HTTP parameters
The NetScaler appliance allows you to specify values for HTTP parameters that are applicable to all NetScaler services and virtual servers. This can be done using:
- Default HTTP profile
- Global HTTP command
Default HTTP profile
An HTTP profile, named as nshttp_default_profile, is used to specify HTTP configurations that are used if no HTTP configurations are provided at the service or virtual server level.
Notes:
Not all HTTP parameters can be configured through the default HTTP profile. Some settings are performed by using the global HTTP command (see the following section).
The default profile does not have to be explicitly bound to a service or virtual server.
To configure the default HTTP profile
-
Using the command line interface, at the command prompt enter:
set ns httpProfile nshttp_default_profile … -
On the GUI, navigate to System > Profiles, click HTTP Profiles and update nshttp_default_profile.
Global HTTP command
Another approach you can use to configure global HTTP parameters is the global HTTP command. In addition to some unique parameters, this command duplicates some parameters that can be set by using an HTTP profile. Any update made to these duplicate parameters is reflected in the corresponding parameter in the default HTTP profile.
For example, if the maxReusePool parameter is updated using this approach, the value is reflected in the maxReusePool parameter of the default HTTP profile (nshttp_default_profile).
Note:
We recommend you to use this approach only for HTTP parameters that are not available in the default HTTP profile.
To configure the global HTTP command
-
Using the command line interface, at the command prompt enter:
set ns httpParam … -
On the GUI, navigate to System > Settings, click Change HTTP parameters and update the required HTTP parameters.
To configure an ignore Coding scheme for connect request
To enable HTTP/2 and set HTTP/2 parameters to ignore the Coding scheme in the connect request, at the command prompt, type:
set ns httpParam [-ignoreConnectCodingScheme ( ENABLED | DISABLED )]
Example:
set ns httpParam -ignoreConnectCodingScheme ENABLED
To bind the HTTP profile to a virtual server by using the NetScaler command line
Configure HTTP profile to drop TRACE or TRACK invalid requests
You can enable the markTraceReqInval parameter to mark TRACK and TRACK requests as invalid. When you enable this option along with the dropInvalidReqs option on the virtual IP address, you can reset a client sending TRACE or TRACK requests to a NetScaler appliance.
To configure the HTTP profile using the CLI
At the command prompt, type:
set ns httpProfile <profile name> [-markTraceReqInval ENABLED | DISABLED ]
Example:
set ns httpProfile profile1 -markTraceReqInval ENABLED
Configure HTTP profile for a service group
At the command prompt, type:
add serviceGroup <serviceGroupName>@ <serviceType> [-cacheType <cacheType>] [-td <positive_integer>] [-maxClient <positive_integer>] [-maxReq <positive_integer>] [-cacheable ( YES | NO )] [-cip ( ENABLED | DISABLED ) [<cipHeader>]] [-usip ( YES | NO )] [-pathMonitor ( YES | NO )] [-pathMonitorIndv ( YES | NO )] [-useproxyport ( YES | NO )] [-healthMonitor ( YES | NO )] [-sp ( ON | OFF )] [-rtspSessionidRemap ( ON | OFF )] [-cltTimeout <secs>] [-svrTimeout <secs>] [-CKA ( YES | NO )] [-TCPB ( YES | NO )] [-CMP ( YES | NO )] [-maxBandwidth
<positive_integer>] [-monThreshold <positive_integer>] [-state ENABLED DISABLED )][-downStateFlush ( ENABLED | DISABLED )] [-tcpProfileName <string>] [-httpProfileName <string>] [-comment <string>] [-appflowLog ( ENABLED | DISABLED )] [-netProfile <string>] [-autoScale <autoScale> -memberPort <port> [-autoDisablegraceful ( YES | NO )] [-autoDisabledelay <secs>] ] [-monConnectionClose ( RESET | FIN )]
<!--NeedCopy-->
Example:
add serviceGroup Service-Group-1 HTTP -maxClient 0 -maxReq 0 -cip ENABLED -usip NO -useproxyport YES -cltTimeout 200 -svrTimeout 300 -CKA NO -TCPB NO -CMP NO -httpProfileName profile1
Configure the HTTP profile using the NetScaler GUI
To mark TRACE or TRACK invalid requests, complete the following procedure.
- Sign into NetScaler appliance and navigate to Configuration > System > Profiles.
- In the HTTP Profiles tab page, click Add.
- In the Create HTTP Profile page, select Mark TRACE Requests as Invalid option.
- Click Create.
Setting service or virtual server specific HTTP parameters
Using HTTP profiles, you can specify HTTP parameters for services and virtual servers. You have to define an HTTP profile (or use a built-in HTTP profile) and associate the profile with the appropriate service and virtual server.
Note:
You can also modify the HTTP parameters of default profiles as per your requirements.
To specify service or virtual server level HTTP configurations by using the command line interface
At the command prompt, perform the following:
-
Configure the HTTP profile.
set ns httpProfile <profile-name>... -
Bind the HTTP profile to the service or virtual server.
To bind the HTTP profile to the service:
set service <name> .....
Example:
> set service service1 -httpProfileName profile1
<!--NeedCopy-->
To bind the HTTP profile to the virtual server:
set lb vserver <name> .....
Example:
> set lb vserver lbvserver1 -httpProfileName profile1
<!--NeedCopy-->
To specify service or virtual server level HTTP configurations by using the GUI
At the GUI, perform the following:
-
Configure the HTTP profile.
Navigate to System > Profiles > HTTP Profiles, and create the HTTP profile.
-
Bind the HTTP profile to the service or virtual server.
Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, and create the HTTP profile, which must be bound to the service/virtual server.
Built-in HTTP profiles
For convenience of configuration, the NetScaler provides some built-in HTTP profiles. Review the profiles listed and use it as it is or modify it to meet your requirements. You can bind these profiles to the required services or virtual servers.
| Built-in profile | Description |
|---|---|
| nshttp_default_profile | Represents the default global HTTP settings on the appliance. |
| nshttp_default_strict_validation | Settings for deployments that require strict validation of HTTP requests and responses. |
Sample HTTP configurations
Sample command line interface examples to configure the following:
- HTTP band statistics
- WebSocket connections
HTTP band statistics
Specify the band size for HTTP requests and responses.
> set protocol httpBand reqBandSize 300 respBandSize 2048
Done
> show protocol httpband -type REQUEST
<!--NeedCopy-->
WebSocket connections
Enable WebSocket on the required HTTP profile.
> set ns httpProfile http_profile1 -webSocket ENABLED
Done
> set lb vserver lbvserver1 -httpProfileName profile1
Done
<!--NeedCopy-->
Configure the NetScaler appliance to delete or pass the upgrade header to the back-end server
The passProtocolUpgrade parameter in the HTTP profile prevents attack on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.
- If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back-end server. The server accepts the upgrade request and notifies it in its response.
- If the parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back-end server.
The passProtocolUpgrade parameter is added to the following profiles:
- nshttp_default_profile - enabled by default
- nshttp_default_strict_validation - disabled by default
- nshttp_default_internal_apps - disabled by default
- nshttp_default_http_quic_profile - enabled by default
We recommend you to set the passProtocolUpgrade parameter to disabled by default.
Set the passProtocolUpgrade parameter by using the CLI
At the command prompt, type the following:
set ns httpProfile <name> [-passProtocolUpgrade ( ENABLED | DISABLED )]
Example:
set ns httpProfile profile1 -passProtocolUpgrade ENABLED
Set the passProtocolUpgrade parameter by using the GUI
- Navigate to System > Profiles > HTTP Profiles.
- Create or edit an HTTP profile.
- Select Pass Protocol Upgrade.
Configure HTTP profile to validate host headers
From NetScaler release 14.1-21.x, NetScaler supports validating the host headers in the incoming HTTP requests to prevent host header injections or attacks.
When the host header validation is enabled, the following checks are performed:
- The length of the host header that is the IP address or the DNS name portion of the host header is not more than 255 characters.
- The port number, if specified, is not more than 5 characters because the maximum port number is 65535.
If the host header does not adhere to the defined conditions, such HTTP requests are dropped.
By default, the host header validation is disabled in default profiles and enabled in secure or strict HTTP profiles.
Validate HTTP host headers using the NetScaler CLI
At the command prompt, type the following:
set ns httpprofile <name> -hostHeaderValidation (ENABLED | DISABLED)
<!--NeedCopy-->
Example:
set ns httpProfile http_profile1 -hostHeaderValidation ENABLED
<!--NeedCopy-->
Validate HTTP host headers using the NetScaler GUI
- Navigate to System > Profiles > HTTP Profiles.
- Create or edit an HTTP profile.
- In the Configure HTTP Profile page, select Host header validation.
Configure HTTP profile to validate duplicate HTTP headers
Starting from NetScaler release 14.1-29.x, you can configure HTTP profiles to validate and manage duplicate HTTP headers, ensuring more robust and secure traffic handling. You can set a maximum of 15 duplicate headers in HTTP profiles. If the number of duplicate headers for known header fields exceeds this limit, the connection is terminated.
By default, the HTTP default profile is set to 0, maintaining the legacy behavior where duplicate header validation is not enforced. For all other profiles, the default limit is set to 15. Use the maxDuplicateHeaderFields parameter in the HTTP profile to set the maximum limit for duplicate headers. This value can be configured using the NetScaler CLI or GUI.
Validate duplicate HTTP headers using the NetScaler CLI
At the command prompt, type the following:
set ns httpprofile <name> -maxDuplicateHeaderFields <value>
<!--NeedCopy-->
Example:
set ns httpprofile http_profile1 -maxDuplicateHeaderFields 5
Validate duplicate HTTP headers using the NetScaler GUI
- Navigate to System > Profiles > HTTP Profiles.
- Create or edit an HTTP profile.
- In the Configure HTTP Profile page, enter a value in the Max Duplicate Header Fields.
Share
Share
In this article
- Setting global HTTP parameters
- Configure HTTP profile to drop TRACE or TRACK invalid requests
- Configure HTTP profile for a service group
- Setting service or virtual server specific HTTP parameters
- Built-in HTTP profiles
- Sample HTTP configurations
- Configure the NetScaler appliance to delete or pass the upgrade header to the back-end server
- Configure HTTP profile to validate host headers
- Configure HTTP profile to validate duplicate HTTP headers
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.