Environment
NetIQ Access Manager 3.2
Situation
When alternate host name is configured the Access Gateway Service (AGS/MAG) was corrupting the referrer value sent to the web server.
This became a problem because the customer was using a custom authentication method which relied on a proper referrer name to grant access to the web server.. Since the hostname was blank, the end user was getting redirected to an error page defined at the web server. There could be other symptoms depending on how the referrer is being used, but the problem is in the /opt/novell/ag/t/opt/novell/ag/lib/mod_novell_ag.so.1.0.0 library included with NAM version 3.2 and 3.2_ir1.
Resolution
The issue has been reported to engineering and the issue is fixed in 3.2 support pack 1. If you are experiencing the issue and version 3.2 support pack 1 is not yet available (not available at the time this tid was authored), please contact Novell Technical Services to obtain the fixed library until sp1 becomes available.
Cause
The Access Gateway Service (AGS/MAG) was nullifying the value in memory that contained the alternate host name when passing referrer header to the Web Server.
Example:
https://portal.acme.com/home/Home.aspx
[Fri Sep 07 08:38:18 2012] [debug] mod_deflate.c(615): AMEVENTID#1012: Zlib:
Compressed 139 to 118 : URL /Services/Brokerage.aspx, referer:
Notice the hostname is not present after referrer, e.g. http://*/
The problem is present in both 3.2 and 3.2ir1.
See additional information below for notes on configuration and duplications steps used to identify and fix the issue.
Additional Information
Configuration/Duplication
a) Configured alternate host name (proxy91.com). The published DNS name is
www.ag1.com.
b) Enabled Rewrite Inbound Headers (rewriteRefererHeader) option under HTML
Rewriter
c) Issued the first request to http://www.ag1.com:81/scott
d) Then issued the request to http://www.ag1.com:81/scott/stuff
e) Verified the referrer header sent from MAG to web server was nullified.
1. The referrer header was http://www.proxy91.com/scott
2. Then issued another request to http://www.ag1.com:81/scott/stuff
3. The referrer header was http://scott/stuff/
Applied fixed build of mod_novell_ag.so.1.0.0 and restarted novell-apache2performed same test.
Now at step 3.e) the correct referrer id of http://www.ag1.com:81/scott/stuff is observed.