Environment
Access Gateway Appliance accelerating back end applications
Back end application using AJAX calls
Situation
Customer has an application that is split between different servers in the same domain, e.g. app1.acme.com, app2.acme.com. For the most part, access to the application works fine after the user has authenticated.
One piece of functionality that is problematic seems to be related to AJAX. The requests appear to be the cross-site preflight requests described in the "Access Control for Cross-Site Requests" draft spec - http://www.w3.org/TR/2008/WD-access-control-20080912.
Analysis of the client HTTP headers showed that the request did NOT include the NAM session cookie (the option to make the protected resource public exists if needed). The real problem is that the AG appears NOT to respond to the request.
Using Firefox and a header capture tool, the request looks like:
-------------------------
(Request-Line) OPTIONS /Services/Client/User/TabsClient.svc/CreateCustomUserTab HTTP/1.1
Host qa-services.acme.net
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-gb,en;q=0.5
Accept-Encoding gzip, deflate
Connection keep-alive
Origin http://qa-standard.acme.net
Access-Control-Request-Method POST
Access-Control-Request-Headers content-type
Pragma no-cache
Cache-Control no-cache
-------------------------------
Resolution
Depending on the browser type, the following two solutions exist:
- With Firefox, the client component that issues the AJAX request does not share session cookies, so it can't work through NAM unless the resource is turned into a public URL, i.e. no authentication.
- Again, with Firefox, the client component does not like the internal cert that was being sent by the Access Gateway - once the cert was imported into the Firefox trusted root list, it was then able to propagate the request.
- With IE, the OPTIONS command doesn't get used when invoking the functionality, but it ONLY works if the target site is in the Intranet zone.
Additional Information
A quick test to verify that the Access Gateway Appliance (AGA) can handle this type of request can be done with curl. Running the following curl command on one host and pointing it to the AGA public resource confirms that the AGA supports the OPTIONS method:
# curl -k -v -X OPTIONS https://nam32app-vm.lab.novell.com/formfill.php
Looking at the error_log (when enabled in debug mode) shows that the request gets sent to the Web server:
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: Requ: OPTIONS https://neilag32app-vm.lab.novell.com/formfill.php service:nam32vm-pxy-srvc (147.2.16.135:35268->147.2.34.116:443)
[Tue Aug 07 16:59:42 2012] [info] AM#504600100 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: Public URL
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: matched PR:root-pr
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: Cache miss
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(46): proxy: BALANCER: canonicalising URL //bal_nam32vm-pxy-srvc/formfill.php
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(280): proxy: BALANCER: Found value (null) for stickysession ZNPCQ003-31353600
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(1020): proxy: Entering byrequests for BALANCER (balancer://bal_nam32vm-pxy-srvc)
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(1063): proxy: byrequests selected worker "http://147.2.16.154" : busy 0 : lbstatus 1
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(589): proxy: BALANCER (balancer://bal_nam32vm-pxy-srvc) worker (http://147.2.16.154) rewritten to http://147.2.16.154/formfill.php
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy.c(1024): Running scheme balancer handler (attempt 0)
[Tue Aug 07 16:59:42 2012] [info] AM#504600000 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: balancer cookie is ZNPCQ003-31353600=a1b14cc2; Path=/; Domain=.lab.novell.com
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_http.c(2109): proxy: HTTP: serving URL http://147.2.16.154/formfill.php
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2024): proxy: HTTP: has acquired connection for (147.2.16.154)
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2080): proxy: connecting http://147.2.16.154/formfill.php to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2206): proxy: connected /formfill.php to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [info] proxy: HTTP: fam 2 socket created to connect to 147.2.16.154
[Tue Aug 07 16:59:42 2012] [info] proxy: HTTP: connection complete to 147.2.16.154:80 (147.2.16.154)
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: connected from 147.2.34.116:48319 to 147.2.16.154:80
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: sending request to webserver
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: received response from server
[Tue Aug 07 16:59:42 2012] [info] AMEVENTID#32071: received status 404 from server
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_http.c(1875): proxy: start body send
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_http.c(1979): proxy: end body send
[Tue Aug 07 16:59:42 2012] [debug] proxy_util.c(2042): proxy: HTTP: has released connection for (147.2.16.154)
[Tue Aug 07 16:59:42 2012] [debug] mod_proxy_balancer.c(630): proxy_balancer_post_request for (balancer://bal_nam32vm-pxy-srvc)
[Tue Aug 07 16:59:42 2012] [warn] AM#304600001 AMDEVICEID#ag-45B6586EB94FC2A7: AMAUTHID#: AMEVENTID#32071: status:404 OPTIONS https://neilag32app-vm.lab.novell.com/formfill.php <03000300000000000000000000000000ca59cdc4> X-Mag: <45B6586EB94FC2A7;ca59cdc4;32071;usrLkup->0;makeuser;root-pr;publicURL->0;nam32vm-pxy-srvc;default;SH;FP2->1;WS=a1b14cc2;default;FP4->35;> [147.2.16.135:35268->147.2.34.116:443]service:nam32vm-pxy-srvc (96:0)
-
The HTTP headers look like the following, so all good.
mag32app-vm httpd: Sending to webserver for ID:32071:96: OPTIONS /formfill.php HTTP/1.1
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Host: ncsles10.lab.novell.com
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: User-Agent: curl/7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Accept: */*
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Via: 1.1 neilag32app-vm.lab.novell.com (Access Gateway-ag-45B6586EB94FC2A7-32071)
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: X-Forwarded-For: 147.2.16.135
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: X-Forwarded-Host: ncsles10.lab.novell.com
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: X-Forwarded-Server: neilag32app-vm.lab.novell.com
Aug 7 16:59:42 mag32app-vm httpd: Sending to webserver for ID:32071:96: Connection: Keep-Alive
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Date: Tue, 07 Aug 2012 15:12:52 GMT
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Server: Apache/2.2.3 (Linux/SUSE)
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Vary: accept-language,accept-charset
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Accept-Ranges: bytes
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Keep-Alive: timeout=15, max=100
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Connection: Keep-Alive
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Transfer-Encoding: chunked
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Content-Type: text/html; charset=iso-8859-1
Aug 7 16:59:42 mag32app-vm httpd: received from webserver for ID:32071:96:Content-Language: en
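The curl test above sends a bare OPTIONS request, whereas the browser preflight captured in the Situation section also carries Origin, Access-Control-Request-Method and Access-Control-Request-Headers, and the browser only proceeds when the response has a 2xx status and matching Access-Control-Allow-* headers. The shell function below is an added example, not part of the original article or of Access Manager, that checks a response header block against those conditions; the function name preflight_ok, the sample responses and the placeholder URL in the comment are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a preflight response would satisfy the browser.
# To feed it real headers, replay the captured preflight through the gateway:
#   curl -k -s -o /dev/null -D - -X OPTIONS \
#     -H 'Origin: http://qa-standard.acme.net' \
#     -H 'Access-Control-Request-Method: POST' \
#     -H 'Access-Control-Request-Headers: content-type' \
#     https://<AG published host>/<path> | preflight_ok http://qa-standard.acme.net POST content-type
preflight_ok() {  # usage: preflight_ok ORIGIN METHOD HEADER < response-headers
    awk -v origin="$1" -v method="$2" -v hdr="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        # True when the comma-separated list names want, or is the "*" wildcard
        # (browsers honour "*" only for requests sent without credentials).
        function has(list, want,    n, k, parts) {
            n = split(list, parts, ",")
            for (k = 1; k <= n; k++)
                if (tolower(trim(parts[k])) == tolower(want) || trim(parts[k]) == "*") return 1
            return 0
        }
        NR == 1 { status = $2; next }          # status line, e.g. HTTP/1.1 200 OK
        {
            c = index($0, ":"); if (c == 0) next
            val[tolower(trim(substr($0, 1, c - 1)))] = trim(substr($0, c + 1))
        }
        END {
            acao = val["access-control-allow-origin"]
            ok = (status ~ /^2[0-9][0-9]/)     # a preflight needs a 2xx status
            ok = ok && (acao == origin || acao == "*")
            # GET, HEAD and POST are accepted without being listed
            ok = ok && (toupper(method) ~ /^(GET|HEAD|POST)$/ || has(val["access-control-allow-methods"], method))
            ok = ok && has(val["access-control-allow-headers"], hdr)
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample responses (not captured from a real gateway).
GOOD='HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://qa-standard.acme.net
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Content-Type'
NOT_FOUND='HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1'

for sample in "$GOOD" "$NOT_FOUND"; do
    if printf '%s\n' "$sample" | preflight_ok http://qa-standard.acme.net POST content-type
    then echo "preflight accepted"; else echo "preflight rejected"; fi
done
```

A 404 such as the one in the error_log above shows that the gateway forwards OPTIONS to the web server, but a browser would treat that response as a failed preflight.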