Asked 1 month ago by LunarPathfinder217
Why does HttpContext disappear in a .NET Core SignalR cluster behind Cloudflare?
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Want to use over 200+ MCP servers inside your coding tools like Cursor?
I've been struggling with an issue where the HttpContext accessed through IHttpContextAccessor becomes null when using SignalR over WebSockets in our .NET Core cluster. This happens when our NextJS clients connect through Cloudflare, which is used as a load balancer without session affinity.
Here's our configuration:
We run three identical Windows servers hosting various C# APIs with .NET 8 and IIS. Each server connects to a local RabbitMQ instance via Rebus, and we use a RabbitMQ cluster for message distribution. Cloudflare balances the load, but without session stickiness. The problem manifests when the API is accessed via a SignalR hub from a NextJS app. After a few refreshes (even if the target host remains the same), the HttpContext in IHttpContextAccessor unexpectedly becomes null.
Our SignalR setup is configured as follows:
CSHARPservices .AddSignalR(_ => { _.EnableDetailedErrors = true; }) .AddMessagePackProtocol(_ => { _.SerializerOptions = MessagePackSerializerOptions.Standard .WithSecurity(MessagePackSecurity.UntrustedData); }) .AddRebusBackplane<myhub>(); // changed for post
And the RabbitMQ connection setup looks like:
CSHARPstring rabbitMqConnectionString = $"amqp://rabbit:carrot@localhost:5672/myvhost"; // changed for post services.AddRebus(configure => configure .Transport(x => { x.UseRabbitMq(rabbitMqConnectionString, GenerateTransientQueueName("queuename")) .InputQueueOptions(o => { o.SetAutoDelete(true); o.SetDurable(false); }); }); services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
Endpoints are mapped as follows:
CSHARPapp.UseEndpoints(endpoints => { endpoints.MapControllers(); endpoints.MapHub<myhub>("/myhub"); // changed for post });
Within our API code, we attempt to access the HttpContext like this:
CSHARP_httpContextAccessor = httpContextAccessor; _context = context; _securityService = securityService; Claim[]? claims = _httpContextAccessor.HttpContext?.User.Claims.ToArray(); if (_httpContextAccessor == null) throw new Exception("Httpcontextaccessor is null"); if (_httpContextAccessor.HttpContext == null) throw new Exception("Httpcontextaccessor => Httpcontext is null"); // <-- This exception throws if (_httpContextAccessor.HttpContext.User == null) throw new Exception("Httpcontextaccessor => Httpcontext => User is null"); if (claims == null) { throw new Exception("Cant access Http Context!"); }
I suspect the issue is tied to how SignalR's negotiate request behaves behind a load balancer. When the load balancer redirects requests (due to lack of sticky sessions), the initial negotiate response (containing a server-specific hub ID) is not consistent across servers and causes the HttpContext to be lost. Indeed, when we bypass the negotiate step by setting skipNegotiation to true on the client, the issue disappears:
JAVASCRIPTconst connection = new HubConnectionBuilder() .withUrl(`${process.env.NEXT_PUBLIC_API_BASEURI}/${global.endpoints.myhub}`, { accessTokenFactory: () => mytoken, skipNegotiation: true, // <-- added transport: HttpTransportType.WebSockets, // <-- added }) .withHubProtocol(new MessagePackHubProtocol()) .withAutomaticReconnect() .build();
However, as noted in Microsoft's security guidance (https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-concept-client-negotiation), turning off negotiation can introduce security concerns. I would appreciate any insights or alternative solutions to maintain session consistency without compromising security.
4
Comments 0
•Answers 2
•Views 142
2 Answers
Answer by 
TychoAI Agent • 1 month ago
0
It looks like the issue is caused by how SignalR’s negotiate step interacts with a load balancer that doesn’t have sticky sessions enabled. Without session affinity, each negotiate request (or subsequent reconnect) can hit a different server. This can lead to a loss of correlation between the client’s connection and the server's context (e.g. missing HttpContext information) because the SignalR backplane (in your case, using Rebus with RabbitMQ) expects consistent routing across servers.
Here are some points and suggestions:
-
Negotiate Request Re-routing:
The negotiate request is used to set up the connection and assign a server-specific hub ID. When different servers handle different negotiate requests, the connection state isn’t maintained. This is why you saw the HttpContext becoming null. -
Workaround with Skip Negotiation:
By configuring the client with.withUrl(..., { skipNegotiation: true, transport: HttpTransportType.WebSockets }), you force the client to use WebSockets directly, bypassing the negotiate step. This helped in your tests because it prevented the load balancer from redirecting the negotiate requests.
However, be cautious with this approach. Microsoft’s documentation on client negotiation and security best practices should be reviewed before permanently adopting this solution:JAVASCRIPTconst connection = new HubConnectionBuilder() .withUrl(`${process.env.NEXT_PUBLIC_API_BASEURI}/${global.endpoints.myhub}`, { accessTokenFactory: () => mytoken, skipNegotiation: true, // Bypass negotiate step transport: HttpTransportType.WebSockets, // Force WebSockets only }) .withHubProtocol(new MessagePackHubProtocol()) .withAutomaticReconnect() .build(); -
Alternative Approaches:
- Session Affinity (Sticky Sessions): Some load balancers offer configuration for session affinity. While Cloudflare doesn’t provide this out of the box for your scenario, evaluating another load balancing method that does support sticky sessions might help ensure that subsequent requests hit the same server.
- Scale-out Backplanes: Since you’re already using a Rebus backplane with RabbitMQ, make sure that the configuration for your SignalR hubs is correctly set up for scale-out. Even though scale-out backplanes are intended to synchronize connections across servers, the SignalR negotiate step still requires consistency.
-
Security Considerations:
Turning off negotiation can have security implications and affect fallback behavior (for example, if WebSockets aren’t available). Always review Microsoft’s security advice related to SignalR client negotiation before finalizing your solution. See Microsoft’s notes on client negotiation for SignalR for further guidance.
In summary, the problem isn’t directly caused by Rebus or RabbitMQ but by how the load balancer handles the negotiate process for SignalR. While using skipNegotiation has resolved the issue in your case, it’s important to understand the trade-offs and evaluate whether configuring a load balancer with sticky sessions or optimizing your SignalR backplane might be a better long-term solution.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by QuasarKeeper833 • 1 month ago
0
I was able to trace the problem back to the Cloudflare proxy. As suspected, it is because the proxy returns a different server due to multiple requests in order to distribute the load. In this case, the Negotiate negotiation is carried out to obtain a connection ID and this connection ID can be clearly assigned to a server. Because the connection ID is unknown on the other servers, the connection is rejected by the API and the HttpContext in the HttpContext accessor is null.
There are two solutions to the problem. Depending on the application, one of them can be used.
The first solution is to activate a sticky session. Sticky sessions work differently depending on the provider.
The second solution is to switch off the Negotiate request. However, as I chose in my post, the security aspect must be taken into account here (https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-concept-client-negotiation).
No comments yet.
Discussion
No comments yet.