Antivir-Related Get-Request support

[Vaphen]

Kaspersky Antivir blocks first message of event streams with default settings - Get-Request should be supported
We recently started to incorporate Featurehub into our product and noticed that some of our customers had problems with their antivirus software. I picked Kaspersky as an example, but there are several tickets regarding similar issues with sse and different antivirus software.

Using kaspersky, the first SSE message is always held back until the second message arrives. Only then, both of them are passed to the client. For featurehub, this can take up to ~60 sec. Every website that depends on configuration from featurehub is therefore unusable.

This can be reproduced with activated Kaspersky Internet Security by opening the service's URL (.../features/default/...). For reproduction, you can download a demo version here for free.

Firefox, Chrome, and Safari, as well as simple curl requests, are affected since the antivirus blocks the messages on the network layer.

Because this is a general problem using featurehub on an enduser's browser, an alternative should be offered.
I haven't found any documentation about getting the configuration of featurehub without using an event-stream. If this is already possible, please share a link to the documentation.

Provide a GET-endpoint to fetch the environment configurations
My idea was to provide a simple GET-endpoint that returns a JSON value with the configuration, similar to the features-message. The event-stream can then be used as an additional feature for live updates if needed.

If you have any other ideas, I would be happy to discuss possible alternatives.

Alternatives
Having different anti-virus companies change their inspection strategy seems impossible to me. Therefore, I think a solution must be provided on the side of featurehub.

Additional context
I've tested that Kaspersky blocks (or better: buffers) the first message of all Event-Streams. Depending on the use-case, this may be no big issue but with live configuration, this is a major problem.
For reproduction: this issue only occurs if an external event source is called. If the event source is hosted on your own machine (127.0.0.1), Kaspersky won't intervene.
For windows, the setting causing the issue is the following (sorry, only got a german version). After disabling the checkbox, everything works fine again.

[rvowles]

Fascinating! Yes there is already a GET request capability but the SSE already sends two messages, an ack followed by the actual features.

Thanks for this, I will investigate further!

[rvowles]

Could I also request you check your nginx config for the /features is configured something like this? When putting up our demo site I ran into the same problem as we use http/2 but that buffers the result which is a known issue, so I had to do this:

    # sse-cache is loaded here
    location /features/ {
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_pass http://localhost:8903/features/;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
    }

[rvowles]

If you wish to poll using GETs then in the typescript there is the FeatureHubPollingClient which is in the client-typescript-core artifact (which the SSE one brings in). It takes a constructor of:

constructor(repository: ClientFeatureRepository, host: string, frequency: number,
envIds: Array, options: BrowserOptions|NodejsOptions = {}) {

where frequency is milliseconds.

Docs are here: https://www.npmjs.com/package/featurehub-eventsource-sdk

[rvowles]

One more thing. I had someone with AVG try this with the Demo site and theirs is fine. So go to (say)

https://vaphen.demo.featurehub.io

it will create you a new account with a new feature, go grab the SDK URL it recommends

the in the browser with Kaspersky enabled hit

https://vaphen.demo.featurehub.io/features/SDK-URL

You can change the features and they should flow through into the browser.

If you need to get back into it, username will be vaphen.demo.featurehub.io@mailinator.com, password password123

If you can tell me if this still doesn't work and if not, then I will grab a test Windows VM from Microsoft and Kaspersky and work on figuring out how to solve it.

[Vaphen]

Thanks for your fast response. We're very happy with featurehub so far and really like to continue using it :)

I've added the nginx configuration as described above to our nginx.conf. Unfortunatly, that didn't work. Our featurehub instance is currently running on a gcloud compute instance with previous loadbalancer for SSL termination. I thought that the error may occur somewhere in our cloud configuration. Thus, I ran a docker container with the party server locally and used ngrok to simulate a remote connection to my own machine as connecting directly to localhost doesn't trigger the problem.
Even there, the ack and following features message took ~60 sec until received.

I also tried to connect to the demo SDK but had the same problem. I've appended a screenshot: after 60 seconds the request timed out. Again, after deactivation of Kaspersky the connection was established immediately as should be.

Just as additional information: I'm currently working on a Mac for testing using the Demo version of Kaspersky but the problem was reported on a windows machine. But I think that the underlying problem should be the same as the behavior is the same.

As a first step, we will add a GET-Request to fetch the initial configuration as a fallback while still trying to establish an event-stream connection. This should do for us now but I think the issue is worth further investigation.

If you have further questions or could not reproduce the issue I'm happy provide additional information.

The call to https://vaphen.demo.featurehub.io/features/SDK-URL:

[rvowles]

Thanks so much for the detail in this report Vaphen, the technique of using ngrok to also check whats going on is going to help me diagnose how to resolve this particularly issue. It will be interesting to see which particular tripwire we are running into with Kaspersky.

We will keep this ticket open until we can resolve it if that is ok - I understand you have a workaround but I'd like to make sure all the details are kept here for the future.

[Vaphen]

Thank you rvowles, I really appreciate your support.
I think it's a good idea to keep the ticket open because other users may eventually come across the same problem.

I'm keeping track of this ticket and jump right in if I can provide some useful information or help in other ways :)

[rvowles]

Thanks again Vaphen - we are happy you are using FeatureHub! At some point when you are ready please reach out and let us know what for :-) We are curious! :-)

[rvowles]

https://community.kaspersky.com/kaspersky-corporate-products-27/kaspkersky-disturbs-javascript-server-sent-events-sse-moved-15226

just linking this to see if this person gets a response.

[krunalsperidian]

I was just trying to read demo site features but it's giving 404 error
https://vaphen.demo.featurehub.io/features/default/c3acbed3-a674-400d-80c4-fadf2ae3d8f9/bvBOHZwaol5bh4DTrLhddUbd0OCtUxwgWTofvxpM

https://vaphen.demo.featurehub.io/features/default/c3acbed3-a674-400d-80c4-fadf2ae3d8f9/bvBOHZwaol5bh4DTrLhddUbd0OCtUxwgWTofvxpM

[IrinaSouth]

Hi @krunalsperidian - could you please refresh and check if it works now? Thank you

[rvowles]

We have decided to close this ticket out because there is nothing much we can do about it. We have documented the issues related to SSE in browsers in the documentation for many releases now. We expect people will be able to search through closed tickets if they encounter this issue and it has a lot of rich information in it to help!