
This product reached the end of support date on March 31, 2021.

Decode used for monitoring http and https traffic traversing a proxy

jeremy_p_somers
Participant

This morning I saw the following from Alasdair Patton under Matt's question on "Location has # of users, but many show no requests"

"...if I monitor a proxy server on port 8080 and I choose the HTTP decode, if the traffic to that server on port 8080 could be HTTP or SSL I would only see operations for the HTTP traffic as SSL traffic doesn't match the software service analyzer..."

So my question is how do people typically decode the HTTP and HTTPS traffic given this situation? Is it better to use the "Generic (with Transaction)" decode here, or is something else typically done?

I did notice a previous post that suggested using two AMDs, sending the same traffic to both and running HTTP on one and HTTPS on the other. Is this still the best way, as it doesn't appear to be extremely cost efficient to have to run a second AMD?

Thanks

Jeremy


Erik_Soderquist
Dynatrace Pro

Considering the mentioned host to be monitored is a proxy, I would recommend either HTTP or generic with transactions; SSL hitting a proxy is usually using the CONNECT method at the proxy itself, and the certificates/keys would be related to the various target servers, not the proxy itself. They are generally not available unless you also control the target servers, and the target servers can be more cleanly monitored directly themselves if you do.

The only caveat to that statement would be if you control the proxy and are forcibly terminating the SSL session at the proxy and creating a new SSL session to the requested server. In that instance, you control the proxy and configurations, and should be able to configure a separate port on the proxy for SSL traffic, and then use the HTTPS analyzer with the correct key on the dedicated port.

-- Erik
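The CONNECT behaviour Erik describes, shown as an added example that is not part of this thread and is not how any Dynatrace decode is implemented: a small Python classifier over the first client-to-proxy bytes of a TCP stream on a proxy port. A plain HTTP request to a forward proxy carries the full URL in its request line (absolute form), so method, host and path are all visible. An HTTPS request to the same port begins with `CONNECT host:port`; after the proxy answers, everything in the stream is a TLS tunnel to the target server and is opaque without that server's key, so only the host from the CONNECT line is recoverable. In the interception case Erik mentions (or with a transparent proxy) the port carries raw TLS, and the ClientHello SNI is the most a passive observer can read. The `Observation` type, the helper names and the sample streams are all constructed for this example.

```python
"""Classify the first client->proxy bytes of a TCP stream seen on a proxy port."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    kind: str                       # "http", "connect", "tls" or "unknown"
    host: Optional[str] = None      # destination host, when recoverable
    url: Optional[str] = None       # full URL, only for plain HTTP
    payload_visible: bool = False   # can the rest of the stream be decoded?


def parse_http_request_line(data: bytes) -> Optional[tuple[str, str]]:
    """Return (method, request-target) from an HTTP/1.x request line, or None."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    try:
        return parts[0].decode("ascii"), parts[1].decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_sni(data: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello record; None if absent or malformed."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                  # skip headers, client_version, random
    try:
        sid_len = data[pos]; pos += 1 + sid_len       # session_id
        cs_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        cm_len = data[pos]; pos += 1 + cm_len         # compression_methods
        ext_total = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
            if ext_type == 0x0000:                    # server_name extension
                # list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify(data: bytes) -> Observation:
    """Decide what a passive observer can learn from the start of one client stream."""
    if data[:1] == b"\x16":                           # TLS handshake record: raw SSL on the port
        return Observation("tls", host=parse_sni(data))
    req = parse_http_request_line(data)
    if req is None:
        return Observation("unknown")
    method, target = req
    if method == "CONNECT":
        # Only host:port is in clear text; the tunnel that follows is the target's TLS.
        return Observation("connect", host=target.rsplit(":", 1)[0])
    # Absolute-form request-target is normal for a request sent to a forward proxy.
    host = target.split("/")[2] if target.startswith("http://") else None
    return Observation("http", host=host, url=target, payload_visible=True)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (constructed sample)."""
    name = server_name.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32                # client_version, random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample streams, as a client would send them to a proxy on port 8080.
SAMPLES = {
    "plain_http": b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect":    b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "tls_direct": build_client_hello("www.example.com"),
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(f"{name:11s} -> {classify(stream)}")
```

Running it shows the three cases side by side: the plain request yields host, URL and a decodable payload; the CONNECT yields the host alone and nothing after it; the raw TLS stream yields at most the SNI. That is the practical limit of what any passive analyzer can recover from a CONNECT tunnel without the target server's private key, which is why a single HTTP decode on the proxy port sees operations only for the clear-text requests.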

Thanks Erik. Yes, we are using the former method I believe where everything goes through the proxy, most likely using the CONNECT method as you suggest. And no, we don't have any certs to utilize, nor are we forcefully terminating and re-establishing sessions.

I have noticed that I can capture the URL with the HTTP traffic, using the HTTP decode however when I use the Generic (with transaction) I don't appear to get it. Is this to be expected or have I missed a configuration component somewhere?

Many thanks

Jeremy

This is to be expected. The Generic and Generic with Transactions decodes only do basic TCP stats, and in the case of the w/ trans variant, an educated guess as to what constitutes a transaction based on TCP patterns.

-- Erik

Hi Erik

If I used the HTTP Express, would that enable me to break out the internet destinations such as HTTP://WWW.GOOGLE.COM from the Proxy traffic (NV style)?

As I have no experience with the old NV probes, I simply do not know the answer to this question.

-- Erik