Environment
NetIQ Access Manager 4.1 and 4.0
NetIQ Access Gateway (Linux and Windows)
Situation
By default, the Apache proxy adds the X-Forwarded-Host header. Per the mod_proxy specs: "X-Forwarded-Host: The original host requested by the client in the Host HTTP request header". If I have an internal Web server whose host name is nam14.nam14.net, but the published DNS name of the proxy that the browser hits is nam41sba.lab.novell.com, one would expect the X-Forwarded-Host to be nam41sba.lab.novell.com.

With NAM 4.0 and 4.1, the X-Forwarded-Host header is always set to the same value as the Host header sent to the proxied web server, and never to the Host header the browser sent to the AG.

Here's an example using the above host names.

Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq [149.44.166.49:52607->147.2.35.57:443] GET /msoft/
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Accept: text/html, application/xhtml+xml, */*
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq X-HttpWatch-RID: 92066-10032
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Accept-Language: en-US
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Accept-Encoding: gzip, deflate
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Host: nam41sba.lab.novell.com
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Connection: Keep-Alive
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Cache-Control: no-cache
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Cookie: ZNPCQ003-32343500=a1b14cc2; __utma=64554544.1740367655.1419011835.1419011835.1420713262.2; __utmv=64554544.employee; novell_language=en-us; novell_country=IE|Ie; _ga=GA1.2.1962491083.1429809181
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws [147.2.35.57:43732->151.155.132.203:443] GET / HTTP/1.1
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Host: nam14.nam14.net
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Accept: text/html, application/xhtml+xml, */*
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-HttpWatch-RID: 92066-10032
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Accept-Language: en-US
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Accept-Encoding: gzip
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Cache-Control: no-cache
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Cookie: __utma=64554544.1740367655.1419011835.1419011835.1420713262.2; __utmv=64554544.employee; novell_language=en-us; novell_country=IE|Ie; _ga=GA1.2.1962491083.1429809181
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Via: 1.1 nam41sba.lab.novell.com (Access Gateway-ag-F56A35AAEC96A36D-1)
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-For: 149.44.166.49
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-Host: nam14.nam14.net
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-Server: nam41sba.lab.novell.com
Resolution
Fixed in NAM 4.2. The X-Forwarded-Host header now includes the published DNS name of the proxy as its value, and not the Web server hostname.
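To check a gateway log for the behaviour described in this article, the script below pairs each request's browser-side Host header (creq) with the X-Forwarded-Host sent to the web server (to-ws) and reports mismatches. It is an added example, not NetIQ code. It assumes the line layout of the excerpt above and that the ID:n:n prefix identifies one request; the sample lines are constructed from the article's host names, and ID:1:601 is a made-up request showing the fixed behaviour.

```python
import re

# Line shape assumed from the log excerpt in this article:
#   "<date> <host> httpd[<pid>]: ID:<n>:<n>:<creq|to-ws> <Header>: <value>"
LINE = re.compile(r"httpd\[\d+\]: (ID:\d+:\d+):(creq|to-ws) ([A-Za-z-]+): (.*)$")

# Constructed sample: ID:1:600 mirrors the 4.0/4.1 excerpt, ID:1:601 is hypothetical.
P = "Jul 20 13:12:29 nam41sba httpd[36551]: "
SAMPLE = [
    P + "ID:1:600:creq Host: nam41sba.lab.novell.com",
    P + "ID:1:600:to-ws Host: nam14.nam14.net",
    P + "ID:1:600:to-ws X-Forwarded-Host: nam14.nam14.net",
    P + "ID:1:601:creq Host: nam41sba.lab.novell.com",
    P + "ID:1:601:to-ws Host: nam14.nam14.net",
    P + "ID:1:601:to-ws X-Forwarded-Host: nam41sba.lab.novell.com",
]

def check_forwarded_host(lines):
    """Return one finding per request whose X-Forwarded-Host is not the browser's Host."""
    reqs = {}
    for line in lines:
        m = LINE.search(line.rstrip())
        if not m:
            continue  # request lines ("[ip:port->ip:port] GET ...") and other syslog entries
        rid, side, name, value = m.groups()
        reqs.setdefault(rid, {})[(side, name.lower())] = value.strip().lower()
    findings = []
    for rid, hdrs in reqs.items():
        client_host = hdrs.get(("creq", "host"))
        xfh = hdrs.get(("to-ws", "x-forwarded-host"))
        if client_host is None or xfh is None:
            continue  # incomplete trace for this request, nothing to compare
        if xfh != client_host:
            findings.append({
                "id": rid,
                "client_host": client_host,
                "x_forwarded_host": xfh,
                # True when the header merely repeats the rewritten back-end Host
                "equals_backend_host": xfh == hdrs.get(("to-ws", "host")),
            })
    return findings

if __name__ == "__main__":
    for f in check_forwarded_host(SAMPLE):
        print(f)
```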