I have an Apache server that works as a reverse proxy for a NetScaler Gateway. Sometimes it works, but in many cases the request ends with a 500. The log always gives the same error type:
[Mon Aug 20 12:51:24.541905 2018] [http:error] [pid 4919:tid 140600024221440] [client 192.168.22.194:40187] AH02430: Response header 'Set-Cookie' value of 'NSC_TASS=\x0fi\xd4a\xbd\x8e\xcf\xdek\x18\xcd:\x01\xc6d\xf1\xe6;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
[Mon Aug 20 13:03:09.550947 2018] [http:error] [pid 5023:tid 140354590320384] [client 192.168.22.194:24541] AH02430: Response header 'Set-Cookie' value of 'NSC_TASS=le8M1TpPxu5GG1h8nEom8vsA\xe3\x06\x87\x8fnId=&janusWebEvent=PDClass.getJanusServerPage_webEvent_nextPhaseGC2%2C114078_pid_pdPreview_imgPath_res133136%2Fimg%2F_cid_10_clName_ADV_oidHi_10_oidLow_114073;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
[Mon Aug 20 13:09:15.239058 2018] [http:error] [pid 5330:tid 140134346917632] [client 192.168.22.194:40606] AH02430: Response header 'Set-Cookie' value of 'NSC_TASS=\x95\x15\xa91e\xf8\xc8\x96\xdfI\x02\x89\xf4y\x05\xf2&;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
I think it is the backslash in the cookie value, because backslashes are not allowed. Can Apache skip validating this, or can I write a rule to rewrite the cookie value to a url-encoded\utf-8... value?
My config:
# a balancer manages the SSL
<VirtualHost *:80>
    ServerName ng.subdomain.domain.tld

    # TLS to the backend; certificate verification and the CN/name/expiry checks are switched off
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyRequests Off
    #ProxyPreserveHost On
    ProxyPass / https://ng.domain2.tld/
    ProxyPassReverse / https://ng.domain2.tld/
    #ProxyPass / wss://ng.domain2.tld/
    #ProxyPassReverse / wss://ng.domain2.tld/
    # Directive syntax: ProxyPassReverseCookieDomain internal-domain public-domain
    ProxyPassReverseCookieDomain ng.subdomain.domain.tld ng.domain2.tld
</VirtualHost>
An easy fix would be to simply have the NetScaler encrypt its session cookies.
https://support.citrix.com/article/CTX220162
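To see which bytes in a rejected cookie are the problem, the AH02430 lines can be decoded back to raw octets and checked against the HTTP field-value grammar. This is an added example, not code from the posts above. It assumes the error log renders non-printable bytes as \xNN (and a literal backslash doubled) and uses the RFC 7230 field-content rule as the validity test; the sample lines, cookie name and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the AH02430 format quoted in the question
# (shortened, made-up cookie values and a documentation client address).
SAMPLE_LOG = r"""
[Mon Aug 20 12:51:24 2018] [http:error] [pid 1:tid 2] [client 192.0.2.10:40187] AH02430: Response header 'Set-Cookie' value of 'NSC_DEMO=\x0fi\xd4a\x01;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
[Mon Aug 20 13:03:09 2018] [http:error] [pid 1:tid 2] [client 192.0.2.10:24541] AH02430: Response header 'Set-Cookie' value of 'NSC_DEMO=le8M\xe3\x06\x87nId=1;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
[Mon Aug 20 13:04:00 2018] [proxy:error] [pid 1:tid 2] unrelated constructed line
"""

LINE = re.compile(r"AH02430: Response header '([^']+)' value of '(.*)' contains invalid characters")
ESC = re.compile(rb"\\(x[0-9a-fA-F]{2}|[bnrtv\\])")
SIMPLE = {b"b": b"\b", b"n": b"\n", b"r": b"\r", b"t": b"\t", b"v": b"\v", b"\\": b"\\"}

def unescape_log(value: str) -> bytes:
    """Undo the log escaping (assumed: \\xNN, \\n-style and doubled backslash)."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok[1:], 16)]) if tok[:1] == b"x" else SIMPLE[tok]
    return ESC.sub(repl, value.encode("latin-1"))

def invalid_octets(raw: bytes):
    """Octets outside RFC 7230 field-content (HTAB, SP, VCHAR, obs-text)."""
    return [(i, b) for i, b in enumerate(raw) if (b < 0x20 and b != 0x09) or b == 0x7F]

def analyse(log_text: str):
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an AH02430 header rejection
        raw = unescape_log(m.group(2))
        findings.append({
            "header": m.group(1),
            "cookie": raw.split(b"=", 1)[0].decode("latin-1"),
            "invalid": [(i, f"0x{b:02x}") for i, b in invalid_octets(raw)],
            "obs_text": sum(b >= 0x80 for b in raw),  # 0x80-0xFF: legal octets, but a sign of binary data
        })
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Each finding lists the offset and value of every control octet in the header value, which makes it easy to confirm that a cookie carries raw binary data rather than text.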