This is just a short blog post describing an issue you might hit with the tenant or portal HTML UI in vCloud Director, where the browser shows errors about request header fields being too large.
You are more likely to see it with the Chrome browser and when your cloud domain is shared with other services. The root cause is that the browser's API calls stop working once the request headers grow beyond 8 KB. That may sound like plenty, since the headers vCloud Director itself needs carry only the session ID, the JWT token and possibly some load balancer headers, but the browser also attaches every cookie applicable to the vCloud Director domain, including the cookies stored there by other web services.
The temporary fix is for the end-user to delete her browser cookies. But is there something the provider could do?
In our case we saw the situation where the vCloud Director instance was on the *.vmware.com domain and the browser contained lots of large OAM cookies related to the VMware Single Sign-On solution. While those cookies are essential for multiple VMware internal applications, there is no reason for vCloud Director to receive them with every API request. One way to block the cookies, and thus decrease the request header size, is to remove them at the load balancer. With the NSX-V load balancer this can be accomplished by using SSL L7 termination and an application rule (see my older blog post on how to configure the NSX-V Edge Load Balancer).
In my case the application rule I use is:
Update 2019/10/24: the initial rule would remove all cookies. I have now amended it with another rule that keeps only the vcloud_session_id and vcloud_jwt cookies, if they are present.
reqirep ^Cookie:\s.*(vcloud_session_id=[^;]*)|(vcloud_jwt=[^;]*) Cookie:\ \1;\ \2
reqidel ^Cookie:.*OAM
which deletes the whole Cookie header line whenever it contains the OAM string (which is why, as noted in the update above, it removes all cookies, not just the OAM ones)
Update 11/23/2021:
This single rule with a better-formed regex seems to work best:
reqirep ^Cookie:.*?((?:vcloud_session_id|vcloud_jwt)=[^;]*)(?:;.*((?:vcloud_session_id|vcloud_jwt)=[^;]*))? Cookie:\ \1;\ \2
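To see exactly what this rule does to a header before trusting it in production, here is an added Python emulation of reqirep's whole-line replacement (example code written for this post, not HAProxy's or NSX-V's own code). It runs the rule over a constructed Cookie header padded with filler cookies named after the OAM cookies mentioned above; the 8192-byte limit, the cookie names and the values are assumptions for the illustration.

```python
import re

# Byte budget the post describes: vCloud Director API calls fail once the
# request headers exceed 8 KB. 8192 bytes is assumed here as the exact limit.
HEADER_LIMIT_BYTES = 8 * 1024

# The final reqirep rule from the post, split into search regex and replacement.
# HAProxy's reqirep matches case-insensitively and, on a match, replaces the
# *whole* header line with the replacement string.
SEARCH = re.compile(
    r"^Cookie:.*?((?:vcloud_session_id|vcloud_jwt)=[^;]*)"
    r"(?:;.*((?:vcloud_session_id|vcloud_jwt)=[^;]*))?",
    re.IGNORECASE,
)
REPLACEMENT = r"Cookie: \1; \2"  # "Cookie:\ \1;\ \2" with the config escapes removed


def apply_reqirep(header_line: str) -> str:
    """Emulate reqirep on one header line: whole-line replacement on a match,
    line left untouched otherwise. Unmatched groups expand to the empty string."""
    m = SEARCH.search(header_line)
    if m is None:
        return header_line
    return m.expand(REPLACEMENT)


def header_bytes(header_line: str) -> int:
    """Size of the header line on the wire, CRLF included."""
    return len(header_line.encode("utf-8")) + 2


def over_limit(header_line: str) -> bool:
    """True when this single header alone already exceeds the assumed 8 KB budget."""
    return header_bytes(header_line) > HEADER_LIMIT_BYTES


# Constructed sample: three bulky SSO cookies (names modelled on the OAM* cookies
# the post mentions, values are filler) around the two cookies vCloud Director needs.
BULKY = "x" * 3000
SAMPLE_COOKIE_HEADER = (
    "Cookie: OAMAuthnCookie_example=" + BULKY
    + "; vcloud_session_id=11111111-2222-3333-4444-555555555555"
    + "; OAMRequestContext_example=" + BULKY
    + "; vcloud_jwt=eyJhbGciOiJIUzI1NiJ9.example.signature"
    + "; OAM_ID_example=" + BULKY
)

if __name__ == "__main__":
    cases = [
        ("both present", SAMPLE_COOKIE_HEADER),
        ("session only", "Cookie: OAM_ID_example=" + BULKY + "; vcloud_session_id=abc"),
        ("neither present", "Cookie: OAM_ID_example=" + BULKY + "; JSESSIONID=def"),
    ]
    for label, line in cases:
        rewritten = apply_reqirep(line)
        print(f"{label}: {header_bytes(line)} -> {header_bytes(rewritten)} bytes, "
              f"over limit after rewrite: {over_limit(rewritten)}")
        print("   " + rewritten[:80])
```

Two edge cases are worth knowing. When only one of the two cookies is present the second group is empty, so the rewritten line ends in "; ", which servers tolerate but which shows up in logs. When neither cookie is present the regex does not match at all and the header passes through unchanged, so a request made before the user has a session (for example the first hit on the login page) still carries all the foreign cookies and can still exceed the limit; an allowlist that rewrites the header unconditionally does not have that gap.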
How would you do this with AVI Load Balancer?
No need to change the defaults. I use this Avi NSX ALB setup in my lab: https://fojta.wordpress.com/2022/07/12/control-system-admin-access-to-vmware-cloud-director/
For an AVI / NSX ALB setup, this datascript can be run on HTTP requests to remove unnecessary cookies:
-- HTTP_REQUEST
-- get the names of all cookies in the request
local cookies, count = avi.http.get_cookie_names()
avi.vs.log("cookies_count_before=" .. count)
-- if cookie(s) exist, validate each cookie name
if count >= 1 then
  for cookie_num = 1, #cookies do
    -- allow only vcloud_session_id and vcloud_jwt as cookie names
    local cookie_name = cookies[cookie_num]
    if cookie_name == "vcloud_session_id" then
      avi.vs.log("keep_cookie=" .. cookie_name)
    elseif cookie_name == "vcloud_jwt" then
      avi.vs.log("keep_cookie=" .. cookie_name)
    else
      avi.http.remove_cookie(cookie_name)
    end
  end
end
-- get the cookies again to confirm the removal
cookies, count = avi.http.get_cookie_names()
avi.vs.log("cookies_count_after=" .. count)
Here’s the updated datascript which accounts for cookies that are needed for SSO login:
-- HTTP_REQUEST
-- get the names of all cookies in the request
local cookies, count = avi.http.get_cookie_names()
avi.vs.log("cookies_count_before=" .. count)
-- if cookie(s) exist, validate each cookie name
if count >= 1 then
  for cookie_num = 1, #cookies do
    -- only keep cookies: vcloud_session_id, vcloud_jwt, sso-preferred, sso_redirect_org, xxxxx.redirectTo and xxxxx.state
    local cookie_name = cookies[cookie_num]
    if cookie_name == "vcloud_session_id" or cookie_name == "vcloud_jwt" or cookie_name == "sso-preferred" or cookie_name == "sso_redirect_org" then
      avi.vs.log("keep_cookie=" .. cookie_name)
    -- string.endswith is an Avi DataScript string extension, not part of stock Lua
    elseif string.endswith(cookie_name, ".redirectTo") or string.endswith(cookie_name, ".state") then
      avi.vs.log("keep_cookie=" .. cookie_name)
    else
      -- avi.vs.log("delete_cookie=" .. cookie_name) -- not logging this because the log gets truncated
      avi.http.remove_cookie(cookie_name)
    end
  end
end
-- get the cookies again to confirm the removal
cookies, count = avi.http.get_cookie_names()
avi.vs.log("cookies_count_after=" .. count)
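The allowlist decision the updated datascript makes, as an added Python emulation (example code written for this page, not the commenter's script and not Avi's DataScript API) run over a constructed Cookie header, so the before/after counts the script logs can be checked offline. The cookie names and values in the sample are made up; the keep rules are the ones listed in the script.

```python
from typing import Dict, List, Tuple

# Cookie names the updated datascript keeps verbatim.
KEEP_EXACT = {"vcloud_session_id", "vcloud_jwt", "sso-preferred", "sso_redirect_org"}
# Suffixes the datascript keeps; the part before the dot is not checked.
KEEP_SUFFIXES = (".redirectTo", ".state")


def is_allowed(cookie_name: str) -> bool:
    """Same per-name decision the Lua script makes."""
    return cookie_name in KEEP_EXACT or cookie_name.endswith(KEEP_SUFFIXES)


def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Split a Cookie header value into (name, value) pairs, order preserved.
    A pair without '=' is kept with an empty value, as a browser would send it."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name, val))
    return pairs


def filter_cookies(value: str) -> Tuple[str, Dict[str, int]]:
    """Return the rewritten Cookie header value plus the two counts the
    datascript logs (cookies before and after the removal loop)."""
    pairs = parse_cookie_header(value)
    kept = [(n, v) for n, v in pairs if is_allowed(n)]
    stats = {"cookies_count_before": len(pairs), "cookies_count_after": len(kept)}
    return "; ".join(f"{n}={v}" for n, v in kept), stats


# Constructed sample: a pre-login request carrying SSO state plus foreign cookies.
SAMPLE = ("OAMAuthnCookie_example=aaa; sso-preferred=1; acme.redirectTo=/tenant/x; "
          "JSESSIONID=zz; vcloud_jwt=J")

if __name__ == "__main__":
    rewritten, stats = filter_cookies(SAMPLE)
    print(stats)
    print(rewritten)
```

Unlike the regex rule in the post, this filter rewrites the header even when neither vCloud Director cookie is present, so a request carrying only foreign cookies still comes out small. The suffix rules are name-based only: any cookie whose name ends in .state or .redirectTo, whichever application on the shared domain set it, passes through, so if such cookies ever turn out to be large the expected prefix would have to be checked as well.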