Rewriter incorrectly rewriting HTML URLs and appending paths from path based multihomed proxies (with strip path enabled) that should not be rewritten

  • 7022312
  • 13-Nov-2017
  • 13-Nov-2017

Environment

Access Manager 4.2
Access Manager 4.3
Access Manager 4.4

Situation

The customer setup has hundreds of path-based multihomed proxy services enabled, some of which also have the "remove path on fill" flag enabled. When users access applications that return references to the published DNS name of the proxy, links are rewritten incorrectly: paths from other proxy services are injected into the URL links returned to the browser from the AG.
Consider the Access Gateway configuration below:
Parent proxy : www.rewriterparent.com
Child 1      : /resource (Strip path not enabled)
Child 2      : /global (Strip path enabled)
Child 3      : /imdk (Strip path not enabled)
To keep it simple, let's assume that all proxy services have the same backend, [147.2.87.73:803].
Assume the published DNS name for the proxy has a TCP port [AG-Port] of "2222" with its scheme [AG-Scheme] set to http.
The HTML file accessed by users via the AG under "/resource" contains the following hyperlinks:
http://www.rewriterparent.com:2222/imdk/test.html
http://www.rewriterparent.com:2222/random/test.html


By default, the following happens when references to the published URL are returned from the Web server to the AG:

1) The AG tries to match the "scheme+domain+port" of the hyperlink against "[AG-scheme] + domain + [AG-port]" of the available proxy services.
   a) If an exact path match is found among the matching entries, no rewriting (addition of a path) happens.
   b) If no exact path match is found, the path of a proxy service with "remove path on fill" enabled, if any, is appended.
2) If the "scheme+domain+port" of the hyperlink does not match "[AG-scheme] + domain + [AG-port]" of any available proxy service, no rewriting happens.

After rewriting through the AG, the links become:
http://www.rewriterparent.com:2222/imdk/test.html  --> due to 1)a)
http://www.rewriterparent.com:2222/global/random/test.html  --> due to 1)b)
The /global path is added even though users do not expect the URL to be rewritten with the /global path.
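The matching rules above can be modelled in a few lines to check which links in an application's pages would have a path injected. This is an added example, not Access Manager code: the function names, the reading of "exact path match" as a segment-boundary prefix match, the choice of the first strip-path child, and the `disable_external_rewrite` parameter (standing in for the effect of "NAGDisableExternalRewrite") are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Published name of the parent proxy, as given in the article.
AG_SCHEME, AG_HOST, AG_PORT = "http", "www.rewriterparent.com", 2222
# Child path -> is "remove path on fill" (strip path) enabled?
CHILDREN = {"/resource": False, "/global": True, "/imdk": False}


def path_matches(url_path, child):
    # Assumption: "exact path match" means the URL path is the child path
    # or lies below it on a segment boundary.
    return url_path == child or url_path.startswith(child + "/")


def rewrite(url, disable_external_rewrite=False):
    """Return the link as the modelled rewriter would send it to the browser."""
    u = urlsplit(url)
    # Step 2: scheme+domain+port differs from the published name -> untouched.
    if (u.scheme, u.hostname, u.port) != (AG_SCHEME, AG_HOST, AG_PORT):
        return url
    # Modelled effect of NAGDisableExternalRewrite: never add a path.
    if disable_external_rewrite:
        return url
    # Step 1a: a configured child path matches -> no path is added.
    if any(path_matches(u.path, c) for c in CHILDREN):
        return url
    # Step 1b: no path match -> a strip-path child is injected
    # (assumption: the first one configured).
    for child, strip in CHILDREN.items():
        if strip:
            return urlunsplit((u.scheme, u.netloc, child + u.path,
                               u.query, u.fragment))
    return url


def affected(links, **kw):
    """List (original, rewritten) pairs for links that would be changed."""
    return [(l, rewrite(l, **kw)) for l in links if rewrite(l, **kw) != l]


# Links from the article plus one constructed link on a different port.
LINKS = [
    "http://www.rewriterparent.com:2222/imdk/test.html",
    "http://www.rewriterparent.com:2222/random/test.html",
    "http://www.rewriterparent.com:8080/random/test.html",  # constructed
]

if __name__ == "__main__":
    for before, after in affected(LINKS):
        print(before, "->", after)
```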

Resolution

Go to the Access Gateway configuration and enable the "NAGDisableExternalRewrite" option to avoid any addition of paths to URLs returned by the Web server that reference the proxy service's published DNS name.

Cause

The main reason for the above problem is the addition of a key entry for the published DNS name (with client port and scheme) to the hash table.
This entry was added in NAM 3.2 for certain reasons, but its addition depends on the advanced option "NAGDisableExternalRewrite".