Apache X-Forwarded-Host includes incorrect value when forwarded by AG

  • 7016984
  • 13-Nov-2015
  • 02-Dec-2015

Environment


NetIQ Access Manager 4.1 and 4.0
NetIQ Access Gateway (Linux and Windows)

Situation

By default, the Apache proxy adds the X-Forwarded-Host header. Per the mod_proxy specs: "X-Forwarded-Host: The original host requested by the client in the Host HTTP request header."

If I have an internal Web server whose host name is nam14.nam14.net, but the published DNS name of the proxy that the browser hits is nam41sba.lab.novell.com, one would expect the X-Forwarded-Host to be nam41sba.lab.novell.com.

With NAM 4.0 and 4.1, the X-Forwarded-Host header is always set to the same value as the Host header sent to the proxied web server, and never to the Host HTTP header the browser sent to the AG. Here is an example using the above host names.

Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq [149.44.166.49:52607->147.2.35.57:443] GET /msoft/
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Accept: text/html, application/xhtml+xml, */*
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq X-HttpWatch-RID: 92066-10032
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Accept-Language: en-US
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Accept-Encoding: gzip, deflate
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Host: nam41sba.lab.novell.com
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Connection: Keep-Alive
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Cache-Control: no-cache
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Cookie: ZNPCQ003-32343500=a1b14cc2; __utma=64554544.1740367655.1419011835.1419011835.1420713262.2; __utmv=64554544.employee; novell_language=en-us; novell_country=IE|Ie; _ga=GA1.2.1962491083.1429809181
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws [147.2.35.57:43732->151.155.132.203:443] GET / HTTP/1.1
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Host: nam14.nam14.net
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Accept: text/html, application/xhtml+xml, */*
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-HttpWatch-RID: 92066-10032
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Accept-Language: en-US
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Accept-Encoding: gzip
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Cache-Control: no-cache
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Cookie:  __utma=64554544.1740367655.1419011835.1419011835.1420713262.2; __utmv=64554544.employee; novell_language=en-us; novell_country=IE|Ie; _ga=GA1.2.1962491083.1429809181
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Via: 1.1 nam41sba.lab.novell.com (Access Gateway-ag-F56A35AAEC96A36D-1)
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-For: 149.44.166.49
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-Host: nam14.nam14.net
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-Server: nam41sba.lab.novell.com
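The comparison made by eye in the trace above can be automated. The following is an added example, not part of the original article or of NetIQ's tooling: it pairs the creq and to-ws lines of each request and reports those where X-Forwarded-Host differs from the Host the browser sent. It assumes the two numbers after "ID:" identify one request; the function name and the sample lines (the second request in particular) are constructed for illustration.

```python
import re

# Trace format from the log above: "... httpd[pid]: ID:<n>:<n>:<creq|to-ws> <rest>".
# Assumption: the two numbers after "ID:" identify one proxied request.
LINE = re.compile(r"httpd\[\d+\]: ID:(\d+:\d+):(creq|to-ws) (.*)$")
HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def check_forwarded_host(log_text):
    """Return one finding per request whose X-Forwarded-Host differs from the client Host."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # blank lines and wrapped continuations of long headers
        req_id, direction, rest = m.groups()
        h = HEADER.match(rest)
        if not h:
            continue  # request line, e.g. "[src->dst] GET /"
        name = h.group(1).lower()
        if name in ("host", "x-forwarded-host"):
            requests.setdefault(req_id, {})[(direction, name)] = h.group(2).strip().lower()
    findings = []
    for req_id, hdrs in requests.items():
        client_host = hdrs.get(("creq", "host"))
        xfh = hdrs.get(("to-ws", "x-forwarded-host"))
        if client_host is None or xfh is None or xfh == client_host:
            continue  # incomplete trace, or header carries the published DNS name
        findings.append({
            "id": req_id,
            "client_host": client_host,
            "x_forwarded_host": xfh,
            # True when the header repeats the back-end Host, as in NAM 4.0/4.1
            "equals_backend_host": xfh == hdrs.get(("to-ws", "host")),
        })
    return findings

# Constructed sample: request 1:600 is trimmed from the trace above (with a wrapped
# cookie line); request 2:601 is invented to show the behaviour expected after the fix.
SAMPLE = """\
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Host: nam41sba.lab.novell.com
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:creq Cookie: novell_language=en-us; nov
ell_country=IE|Ie
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws Host: nam14.nam14.net
Jul 20 13:12:29 nam41sba httpd[36551]: ID:1:600:to-ws X-Forwarded-Host: nam14.nam14.net
Jul 20 13:12:30 nam41sba httpd[36551]: ID:2:601:creq Host: nam41sba.lab.novell.com
Jul 20 13:12:30 nam41sba httpd[36551]: ID:2:601:to-ws Host: nam14.nam14.net
Jul 20 13:12:30 nam41sba httpd[36551]: ID:2:601:to-ws X-Forwarded-Host: nam41sba.lab.novell.com
"""
```
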

Resolution

Fixed in NAM 4.2. The X-Forwarded-Host header now includes the Published DNS name of the proxy as its value, and not the Web server hostname.