NetScaler ADC - Hidden vServer for HTTPS redirect
Starting with release 11.1, NetScaler ADC offers an easy way to redirect traffic from HTTP to HTTPS within the configuration of a load-balanced vServer. With 11.1, Citrix introduced the parameters -redirectFromPort and -redirectURL.
While playing with a NetScaler ADC in my lab, I discovered a strange error message as I tried to configure the redirect.
Image: Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0
Internal vserver couldn’t be set?! Okay, there was already a vServer that was listening on port 80. After removing the vServer, I was able to set up the redirection, and it was working as expected.
A hidden vServer
Later, I was really surprised to find a hidden vServer in the output of the “stat lb vserver” command.
> stat lb vserver lb_vsrv_https_httpredir_31 -fullValues

Virtual Server Summary
                            vsvrIP           port  Protocol
lb_vsrv_https_httpredir_31  192.168.200.146  80    HTTP

                            State
lb_vsrv_https_httpredir_31  DOWN

                            Health  actSvcs
lb_vsrv_https_httpredir_31  0       0

                            inactSvcs
lb_vsrv_https_httpredir_31  0

Virtual Server Statistics
                                    Rate (/s)  Total
Vserver hits                        0          0
Requests                            0          0
Responses                           0          0
Request bytes                       108        1131
Response bytes                      66         690
Total Packets rcvd                  1          15
Total Packets sent                  1          12
Current client connections          --         3
Current Client Est connections      --         0
Current server connections          --         0
Requests in surge queue             --         0
Requests in vserver's surgeQ        --         0
Requests in service's surgeQs       --         0
Spill Over Threshold                --         0
Spill Over Hits                     --         0
Labeled Connection                  --         0
Push Labeled Connection             --         0
Deferred Request                    0          0
Invalid Request/Response            --         0
Invalid Request/Response Dropped    --         0
Vserver Down Backup Hits            --         3
Current Multipath TCP sessions      --         0
Current Multipath TCP subflows      --         0
Done
The name of the hidden vServer always follows the same pattern: the name of the load-balanced vServer plus the suffix _httpredir_##. Sometimes the trailing number is different after a reboot. Nothing in the NetScaler configuration points to this vServer. The behaviour is the same for NetScaler ADC 11.1 and 12.0.
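Because the hidden vServer shows up in the statistics but not in the configuration, an inventory or audit script has to account for it explicitly. The following Python sketch is an added example, not code from Citrix or from the original post: it reads `add lb vserver` lines from a saved configuration, lists the vServers already bound to an IP and port where a redirect is planned, and labels every runtime vServer name as configured, as an expected redirect listener, or as unexplained. The sample configuration, the runtime name list and all function names are constructed, and it assumes that the suffix number is purely numeric and that a conflicting vServer is one on the same IP and port.

```python
import re
import shlex

# Constructed sample: ns.conf lines, trimmed to the fields this check reads.
NS_CONF = """\
add lb vserver lb_vsrv_https SSL 192.168.200.146 443 -redirectFromPort 80
add lb vserver lb_vsrv_shop SSL 192.168.200.147 443
add lb vserver lb_vsrv_web HTTP 192.168.200.147 80
"""
# Constructed sample: vServer names as they would appear in "stat lb vserver".
RUNTIME = ["lb_vsrv_https", "lb_vsrv_shop", "lb_vsrv_web",
           "lb_vsrv_https_httpredir_31", "lb_vsrv_web_httpredir_2", "lb_vsrv_tmp"]
# Assumption: the suffix is digits only; it may differ after a reboot, so match by pattern.
REDIR_NAME = re.compile(r"^(?P<parent>.+)_httpredir_\d+$")

def parse_lb_vservers(conf):
    """Map vServer name -> ip, port and redirectFromPort (None if unset)."""
    found = {}
    for line in conf.splitlines():
        tok = shlex.split(line)  # copes with quoted names
        if [t.lower() for t in tok[:3]] != ["add", "lb", "vserver"] or len(tok) < 7:
            continue
        opts = [t.lower() for t in tok[7:]]
        redirect = None
        if "-redirectfromport" in opts[:-1]:  # the option must be followed by a value
            redirect = opts[opts.index("-redirectfromport") + 1]
        found[tok[3]] = {"ip": tok[5], "port": tok[6], "redirect_from": redirect}
    return found

def blockers(vservers, ip, port):
    """vServers already bound to ip:port, which would collide with a planned redirect."""
    return sorted(n for n, v in vservers.items() if v["ip"] == ip and v["port"] == str(port))

def classify(runtime_names, vservers):
    """Label each runtime vServer: configured, redirect-listener or unexplained."""
    result = {}
    for name in runtime_names:
        m = REDIR_NAME.match(name)
        if name in vservers:
            result[name] = "configured"
        elif m and (vservers.get(m["parent"]) or {}).get("redirect_from"):
            result[name] = "redirect-listener"  # parent really has -redirectFromPort
        else:
            result[name] = "unexplained"
    return result

if __name__ == "__main__":
    cfg = parse_lb_vservers(NS_CONF)
    print("blocking 192.168.200.147:80 ->", blockers(cfg, "192.168.200.147", 80))
    print(classify(RUNTIME, cfg))
```

A name that merely looks like a redirect listener, such as the constructed lb_vsrv_web_httpredir_2, stays unexplained because its parent has no -redirectFromPort set.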
I don’t think that this is some kind of a hack or an issue. But I think that’s something you should know when working with HTTPS redirection, or for troubleshooting purposes.