How the passProtocolUpgrade parameter works


Article ID: CTX575741


Description

This article illustrates how passProtocolUpgrade works with detailed test results.
 


Instructions

The passProtocolUpgrade parameter in the HTTP profile helps prevent attacks on the back-end servers. Depending on the state of this parameter, the Upgrade header is either passed in the request to the back-end server or deleted before the request is sent.
  • If the passProtocolUpgrade parameter is enabled, the Upgrade header is passed to the back-end server. The server accepts the upgrade request and indicates this in its response.
  • If the parameter is disabled, the Upgrade header is deleted and the rest of the request is sent to the back-end server.
The tests below show the results for each setting:
1: HTTP profile with the Pass Protocol Upgrade option disabled.
> show httpprofile test
        Name: test

        Pass Protocol Upgrade: DISABLED
 
Client request
GET / HTTP/1.1
User-Agent: Fiddler
Host: x.x.x.x
Upgrade: h2c
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
Connection: Upgrade, HTTP2-Settings
 
Backend request
GET / HTTP/1.1
User-Agent: Fiddler
Host: x.x.x.x
Accept-Encoding: identity
 
As the test above shows, the upgrade-related headers are removed.
 
2: HTTP profile with the Pass Protocol Upgrade option enabled.
> show httpprofile test
        Name: test

        Pass Protocol Upgrade: ENABLED
 
In this test, NetScaler forwarded the packet directly to the back-end server without modifying the HTTP header information.
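
The following is an added example, not part of the original article or any Citrix tooling: a small Python check that compares a client request with the request captured at the back end and lists any upgrade-related headers that got through. The requests for Test 1 are the ones shown above; the back-end request for Test 2 is constructed from the statement that the request is forwarded unmodified, and the function names are hypothetical.

```python
# Added example (not from the Citrix article): audit a back-end capture for
# upgrade-related headers that the ADC should have stripped.

# Client and back-end requests as shown in Test 1 of the article.
CLIENT_REQUEST = """GET / HTTP/1.1
User-Agent: Fiddler
Host: x.x.x.x
Upgrade: h2c
HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
Connection: Upgrade, HTTP2-Settings
"""
BACKEND_DISABLED = """GET / HTTP/1.1
User-Agent: Fiddler
Host: x.x.x.x
Accept-Encoding: identity
"""
# Constructed: the article says the ENABLED case forwards the request unmodified.
BACKEND_ENABLED = CLIENT_REQUEST


def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a raw request."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def connection_options(headers):
    """Tokens listed in the Connection header, lowercased."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}


def forwarded_upgrade_headers(client_raw, backend_raw):
    """Names of upgrade-related client headers that reached the back end."""
    client, backend = parse_headers(client_raw), parse_headers(backend_raw)
    # Upgrade itself plus every header the client nominated in Connection
    # (HTTP2-Settings in the article's test).
    candidates = {"upgrade"} | connection_options(client)
    found = {n for n in candidates if n in client and n in backend}
    if "upgrade" in connection_options(backend):
        found.add("connection")            # back end still sees Connection: Upgrade
    return sorted(found)


if __name__ == "__main__":
    print("DISABLED:", forwarded_upgrade_headers(CLIENT_REQUEST, BACKEND_DISABLED))
    print("ENABLED: ", forwarded_upgrade_headers(CLIENT_REQUEST, BACKEND_ENABLED))
```

An empty list for a back-end capture means the profile stripped every upgrade-related header, which is the expected result when Pass Protocol Upgrade is DISABLED.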