I'm having an issue with streaming responses through Citrix NetScaler when using chunked transfer encoding. I've set up a streaming endpoint in a Spring Boot application that works perfectly when accessed directly via the server's IP address but encounters issues when routed through NetScaler using a domain name.
Here's what I've configured:
Backend (Spring Boot with WebFlux): My server sends a streaming response using StreamingResponseBody. The data is sent in real-time and works as expected when I bypass NetScaler.
NetScaler Setup: I have enabled chunked transfer encoding on NetScaler, and the relevant HTTP profile is associated with the virtual server. Security features like SQL Injection protection, XSS protection, etc., are active, which, according to documentation, may convert the requests to chunked requests.
Curl Test:
Works: curl -X POST "http://172.11.11.11:8080/api..." --no-buffer
Fails: curl -X POST "https://domain-name/api..." --no-buffer
The response through NetScaler arrives all at once instead of being streamed in real time. The configuration tooltip suggests that NetScaler might be buffering the entire response due to the security features or the chunked encoding setup.
Here is a snippet of my streaming setup in Spring Boot:
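    // Needs java.io.IOException, java.io.UncheckedIOException and java.nio.charset.StandardCharsets.
    return outputStream -> {
        responseFlux.subscribe(chunk -> {
            try {
                // Write each chunk and flush immediately so it leaves the server right away.
                outputStream.write(chunk.getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
            } catch (IOException e) {
                // write/flush throw a checked exception, which a Consumer lambda cannot propagate.
                throw new UncheckedIOException(e);
            }
        }, error -> {
            log.error("Error in flux subscription: {}", error.getMessage());
        }, () -> {
            log.info("Flux completed.");
        });
    };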
Questions:
1. How can I ensure that NetScaler does not buffer the streaming response?
2. Are there specific settings in NetScaler that should be adjusted for real-time streaming through chunked transfer encoding?
3. Could the security settings interfere with the streaming, and how can I mitigate this without compromising security?
Any help or insights from those familiar with NetScaler configurations and streaming issues would be greatly appreciated!
asked Mar 12 at 9:37 by Emin Bilgic
1 Answer
Any reverse proxy server will always "buffer the payload" because it needs to read the payload to work its magic; it will change things a little bit (sometimes not so little...).
When you activate features like WAF on the NetScaler (or do anything else that requires reading payloads), it needs to "read/check" the payload contents, so it will request the content from the backend server without any compression and then, to provide acceptable performance, it will use HTTP compression and chunked transfers to deliver the content to the client.
If you disable HTTP compression on the "Service Group/Service" (weird, I know), you get a non-chunked response to the client (I'm not sure if this behavior occurs in all situations, unfortunately, but you can try...). But remember, the package is being buffered behind the scenes, at least inside the proxy, so the timing aspects will change... However, if you disable HTTP compression on the Service Group, chunked transfers will stop. At least, as far as I know... I do need to test...
But you must keep in mind (you probably know this) that compression will be disabled and you will get a lot of traffic on large response payloads... I tried to post an image; I'm a rookie here and I'm not good with forums at all. I stink at speaking English... :)
On the NetScaler... Load Balancing/Virtual Server ServiceGroup Binding/Load Balancing Service Group
Disable Service Group/Service Compression
Another option, this one outside of NetScaler (or a reverse proxy): you could use the HTTP header Cache-Control: public, no-transform to prevent any modifications by any proxy...
One last link; I do not know if you will find it useful, but
https://support.citrix/s/article/CTX220664-netscaler-compression-not-working-for-the-load-balanced-traffic?language=en_US
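To check whether a change on the proxy (compression on the service group, WAF inspection, the no-transform header) actually restores streaming, the arrival time of each piece of the body can be measured instead of judged by eye from curl. The following is an added example, not code from the question or the answer: `StreamingBackend` is a constructed local stand-in for the Spring endpoint, and `arrival_offsets`, `looks_buffered`, the sample chunks and the half-the-production-time threshold are all assumptions made for illustration.

```python
import http.client, http.server, threading, time

CHUNKS = [b"one\n", b"two\n", b"three\n"]  # constructed sample payload
DELAY = 0.2                                # pause between backend writes (s)

class StreamingBackend(http.server.BaseHTTPRequestHandler):
    """Stand-in for the streaming endpoint: one flushed chunk every DELAY s."""
    protocol_version = "HTTP/1.1"

    def do_POST(self):
        self.send_response(200)
        self.send_header("Transfer-Encoding", "chunked")
        self.send_header("Cache-Control", "public, no-transform")
        self.end_headers()
        for i, chunk in enumerate(CHUNKS):
            if i:
                time.sleep(DELAY)
            self.wfile.write(b"%x\r\n%s\r\n" % (len(chunk), chunk))
            self.wfile.flush()
        self.wfile.write(b"0\r\n\r\n")  # terminating zero-length chunk

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_backend():
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StreamingBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def arrival_offsets(host, port, path="/", tls=False):
    """POST to the endpoint; return when each read arrived, relative to the first."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    conn.request("POST", path)
    resp = conn.getresponse()
    stamps = []
    while resp.read1(65536):  # returns as soon as any body bytes are available
        stamps.append(time.monotonic())
    conn.close()
    return [round(t - stamps[0], 3) for t in stamps]

def looks_buffered(offsets, produced_over):
    """True if the body arrived in under half the time the backend took to produce it."""
    return not offsets or offsets[-1] < produced_over / 2

if __name__ == "__main__":
    backend = start_backend()
    offsets = arrival_offsets("127.0.0.1", backend.server_address[1])
    span = DELAY * (len(CHUNKS) - 1)
    print(offsets, "buffered" if looks_buffered(offsets, span) else "streamed")
```

Run `arrival_offsets` once against the backend directly and once against the proxy's virtual server (with `tls=True`), passing the time the real endpoint spends producing its response as `produced_over`; offsets that collapse to near zero on the proxied path indicate the body was held and released at once.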