0

At work our sites site behind a NetScaler which caches the response. I am trying to understand how this works.

So the website has authentication, if you do not have the fed-auth cookie you get a 302 response to redirect to the Oauth source. And a 200 response if the user is authenticated.

The NetScaler is setup to cache 200s responses but not 302s

My question is when I make a request since the server is determining 200 or 302 how does NetScaler know to return a cache response without going to the server?

A simple understanding of caching would lead me to the conclusion that all request would return the 200 response without checking with the server.

But that is not what we are seeing. In manual testing the site is working as expected logging people in and out as expected. However, when automated testing is applied, the user is getting the 200 cached response. I say it is the cached response because we see an ETag and a Via: NS-Cache in the headers.

If someone can point me to a resource or a short explanation so I can be better informed that would be appreciated.

StackzOfZtuff
  • 2,534
  • 1
  • 28
  • 25
Mike
  • 5,918
  • 9
  • 57
  • 94

1 Answers1

1

NetScaler's caching behavior is entirely driven by policies and RFC 2616 compliant. It is very important when you are caching such dynamic content that you understand what part of it is User specific. Anything that can be normalized, for example, by dropping User specific info like cookies, can be cached. Versus "Integrated Caching". Importance of HTTP headers.

Via: This is the most useful header when it comes to verifying that the NetScaler is participating in caching

If-Modified-Since: This is a request side header that the client uses to ask that a cache, like the NetScaler provide the full object if it has changed since the indicated date. In a large percentage of cases (talking about static objects here) those objects wouldn't have changed, which will result in a much smaller HTTP 304 response Not Modified instead of the much larger object.

We meed to see both sides of the equation. NSTRACE on Netscaler and Fiddler running on client making HTTP requests.

To take a trace from the GUI, use the start new trace option in the Diagnostics section. Packet size zero. Output to PCAP, Wireshark installed on workstation. WINSCP installed or similar to pull down the PCAP File.

SSH/CLI https://developer-docs.citrix.com/projects/netscaler-command-reference/en/12.0/basic/nstrace/nstrace/

Can you SSH/Putty to the appliance or virtual on the MGMT IP?

Login as root.

show cache stats –detail Enter

Lower down in the output, you will be able to see what percentage of hits are 304 versus non-304. The HTTP header code 304 is sent in the response instead of a full (larger) response when a client indicates that they already have a certain object and are only checking whether there is a newer copy.

To show how stats are changing over time

show cache stats -detail -ntimes 3 | grep 304

To see all cached objects

show cache object

On the left hand side is the locator ID

Deeper dive

show cache object -Locator

http://www.telerik.com/fiddler

To see client response from server

The Netscaler will respond with Etag header and Via to tell where the cache is coming from.

Hope this is pointing right direction

Brian Murphy
  • 11
  • 3