ProxySG & Advanced Secure Gateway

Every now and then when we browse webpages via our Proxy SG (SGOS 6.5.10.7) the style sheets do not load.
The webpage loads without the correct formating. If I reload the page once or twize the style sheet will load and the
page displays with the right formatting. This can happen to any page. What could be the problem?

We have not seen this before. It started recenty possibly after upgrading to SGOS 6.5.10.7

Hi Fredrik,

                 CSS file downloads through the proxy is just like any other file. It shouldn't be affected. Could you first see whether these CSS files are being pulled from a single domain (possibly a CDN site like aws, akamai etc). Reach-ability could be an issue but don't enough data to prove that.

It happened again just now. When visiting  https://www.svt.se  the formating was off.

Looking into the Errored Sessions table, I see several errored sessions toward  www.svtstatic.se

Error detail is "Internal error (Appliance Error), I see alot of these, have not seen them before.

Hi Fredrik,

              Appliance Error seems to be related to authentication from a quick look. What is you deployment mode ?

Explicit with PAC-file, we run IWA for authentication

Hi Fredrik,

                Can you export the Active/Errored sessions showing the "Appliance Error" and pass it to me?

I attach a screenshot

Some logs:

2018-05-22 08:36:30 9 <client IP-addr> - - internal_error DENIED "Content Servers" 500 TCP_ERR_MISS GET text/css https www.svtstatic.se 443 /video/svtvideoplayer/css/svtvideoplayer-7221c67200.css - css "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0" <proxy IP-addr> 927 355 - none - - high www.stage.svtplay.se "TV/Video Streams" <proxy IP-addr>
2018/05/22 10:38:12

2018-05-22 08:36:30 7 <client IP-addr> - - internal_error DENIED "Content Servers" 500 TCP_ERR_MISS GET application/x-javascript https www.svtstatic.se 443 /nyheter/render/manifest.3a0569347221d240689d.js - js "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0" <proxy IP-addr> 927 333 - none - - high www.stage.svtplay.se "TV/Video Streams" <proxy IP-addr>

Hi Fredrik,

                  This doesn't seems to be a request breaking due to Auth. HTTP debug should give more details on why the internal error. Can filter with client IP address too. I would recommend a TAC case also if possible.

I have opened a TAC case, thanks for the advice

Hi Fredrik,

             Thank you for the update. Do share the findings here :)

I'd look closely at CORS headers during a failed session using the browser's "developer mode". CORS and authentication redirects don't get along well, so you'll see errors while fetching the stylesheets. This is more of a problem in Chrome than IE. Not sure about Firefox though. If this turns out to be the problem, here's the policy we used to resolve it:

<Proxy>
    request.x_header.Origin.exists=yes action.add_allowed_domains(yes)

define action add_allowed_domains
    set(exception.response.x_header.Access-Control-Allow-Origin,"$(request.x_header.Origin)")
    set(exception.response.x_header.Access-Control-Allow-Credentials, "true")
    set(response.x_header.Access-Control-Allow-Origin, "$(request.x_header.Origin)")
    set(response.x_header.Access-Control-Allow-Credentials, "true")
end

<proxy>
request.x_header.origin.exists=yes authenticate(no)

Hi Dan,

             Thats the first thing I have confirmed. Fredrik's setup is explcit with PAC file.