Firewall constraints for RUM

Real User Monitoring (RUM) uses HTTP technologies to send performance data from your end users' browsers to Dynatrace. To do this, the RUM JavaScript is injected into your application's webpages. This tag or code snippet communicates with Dynatrace. However, you must verify the configuration of your firewalls, proxies, and web servers to allow all required data to pass through.

Requests

For RUM to function fully, the following HTTP requests must be delivered to Dynatrace:

  • ruxitagentjs_ is the RUM JavaScript tag used for auto-injection—the name of the tag may contain additional information, such as active code modules and the version of the tag. Agentless RUM requests use ruxitagent_.
  • /rb_<id> and /bf or /bf_<id> are the monitor signals the RUM JavaScript sends back to Dynatrace.
    • The monitor uses query parameters. For the previous beacon protocol version 2, they are app, flavor, format, referer, session, svrid, type, visitID, size, zip, va, tt, ns, and more. For the new beacon protocol version 3, they are type, svrid, rf, sn, app, dbg, flavor, vi, modifiedSince, bp, contentType, crc, v, end, and more.
    • The POST body contains the payload. The payload is sent with the text/plain content type. For Session Replay, the application/octet-stream content type can also be used.

Headers

RUM uses the following HTTP headers. All of these headers must be able to reach Dynatrace.

Request headers

Header

Purpose

x-dynatrace

Used for transaction stitching in HTTP headers. Set by OneAgent to link web servers. Ensure that network components, such as firewalls and routers, are never configured to remove these headers. Incorrect configuration can potentially lead to broken distributed traces. Some network components disable such requests and throw a 403 HTTP error, which is why it is necessary to configure these components to accept the x-dynatrace header.

x-dynatrace-application

Contains the ID of the RUM application, the cookie domain, and the injection rule (noop, auto, before, or after). Also contains the injection pattern when injectionRule=after or injectionRule=before.

Used in case there's some proxy in between a user's browser and the original process that delivers the page.

x-dynatrace-origin-url

Preserves the original URL of the request in case of URL rewriting.

X-dynaTrace-RequestState

Tracks the depth of a subpath tree to avoid endless distributed traces.

x-dtpc

Identifies proper endpoints for beacon transmission; includes session ID for correlation.

x-dtreferer

Contains the referer of the page for an action and improves the correlation results.

x-dtc

Contains information for correlation of cross-origin XHRs.

Cookie

Sets the dtCookie cookie in case the HTTP request doesn't contain any.

X-Ruxit-Forwarded-For

Used to track proxy scenarios by the NGINX code module.

X-ruxit-Apache-ServerNamePorts

Used by the Apache code module to synchronize service naming with the PHP code module.

X-ruxit-Disposition

Used by the IIS code module to declutter .NET code module subpaths.

Accept-Encoding

Discarded by the Apache code module during the fine-tuning of HTML injection behavior.

Content-Encoding

Discarded during the fine-tuning of HTML injection behavior.

If-None-Match

Discarded when caching is suppressed.

If-Not-Modified-Since

Discarded when caching is suppressed.

If-Match

Modified when caching is suppressed.

If-Range

Modified when caching is suppressed.

traceparent

Used for W3C tagging.

tracestate

Used for W3C tagging.

referer

Contains the address of the previous web page from which a link to the currently requested page was followed.

user-agent

x-host

Contains the host information on non-http(s) domains.

Response headers

Header

Purpose

X-OneAgent-JS-Injection

Confirms that the RUM JavaScript has been injected to avoid duplicate injection.

Has one of the following values:

  • true: the injection has been completed.
  • block: the injection must not be attempted at this time.

X-ruxit-JS-Agent

Confirms that the RUM JavaScript has been injected to avoid duplicate injection.

Has one of the following values:

  • true: the injection has been completed.
  • block: the injection must not be attempted at this time.

x-dtHealthCheck

Contains the results of the RUM JavaScript injection diagnostics performed by Dynatrace Support.

x-dtAgentId

If the RUM health check is enabled, any involved OneAgent code module adds its ID here. Set for responses to special requests.

x-dtInjectedServlet

Contains the fully qualified name of the injected servlet or filter.

Set-Cookie

Sets the session state cookie of OneAgent.

ETag

OneAgent appends a custom string to the original ETag response header to track the changes in the application configuration.

Last-modified

If the ETag response header is manipulated, OneAgent also subtracts 1 second from the original value of this header. Set for responses to special requests.

Content-Length

Adapted upon HTML injection. Set for responses to special requests.

Vary

Adapted during HTML injection into compressed responses. Set for responses to special requests.

Content-Encoding

Adapted during HTML injection into compressed responses.

Content-Type

Set for responses to special requests.

Access-Control-Allow-Origin

Set for responses to special requests.

Cache-Control

Set for responses to special requests.

Server-Timing

Used to transport information that is relevant for RUM correlation.

Timing-Allow-Origin

Allows the RUM JavaScript to access the information that is relevant for RUM correlation in case of cross-origin requests.

Access-Control-Allow-Headers

Set for responses to special requests.

Access-Control-Allow-Methods

Set for responses to special requests.

Access-Control-Max-Age

Set for responses to special requests.

Cookies

RUM uses the following cookies. All of these must be able to reach Dynatrace. See Cookies for more information on how Dynatrace uses cookies.

Cookie

Max size

Purpose

dtCookie<cookie_suffix>1

No set limitation, but usually less than 100 B

Tracks a visit across multiple requests.

dtLatC<cookie_suffix>1

5 B

Measures server latency for performance monitoring.

dtPC<cookie_suffix>1

58 B

Identifies proper endpoints for beacon transmission; includes session ID for correlation.

dtSa

Max URL length

Serves as an intermediate store for page-spanning actions.

dtValidationCookie

Length of dTValidationCookieValue string, that is 23

Determines the top-level domain.

dtDisabled

4 B

Determines if the RUM JavaScript should be deactivated due to cost and traffic control or overload prevention.

rxVisitor<cookie_suffix>1

45 B

Contains the visitor ID to correlate sessions.

rxvt

27 B

Includes the timestamp of the session timeout.

1

The <cookie_suffix> is added to the cookie name only for the environments created in Dynatrace version 1.294+. To retrieve the full cookie name, refer to RUM cookie names API - GET cookie names.

Mobile RUM

OneAgent for Mobile uses the x-dynatrace header for tagging HTTP requests. Dynatrace uses this header to link the mobile part of the web request to the service part captured by another OneAgent.

For hybrid applications, the dtAdk cookie allows to join a session from OneAgent for Mobile and a session from the RUM JavaScript so that these sessions appear as a single session, while the dtAdkSettings cookie is used for syncing settings between OneAgent for Mobile and the RUM JavaScript.

/mbeacon is the monitor signal that OneAgent for Mobile sends back to Dynatrace if the data is transferred through ActiveGate. If the data is sent to another OneAgent, the monitor signal is /dtmb.