Referer HTTP header does not get rewritten by Access Gateway if any query string parameters are included with header

  • 7022337
  • 16-Nov-2017
  • 20-Nov-2017

Environment

Access Manager 4.3
Access Manager 4.2

Situation

An Access Manager 4.3 SP1 Access Gateway is set up to reverse proxy a number of web applications. One such application performs operations on the Referer HTTP header, but with 4.3.1 the application fails and a number of broken links are displayed. This is typically the symptom associated with rewriter issues. Looking at the client-side HTTP headers, it was noticed that the "Referer" HTTP header does not get rewritten correctly if a query string parameter is passed along in the Referer header.
 
The issue is easily duplicated:
 
1. Create a path-based proxy service with a path of /enews (along with a public protected resource for /*), pointing to a backend webserver.
2. Create a 2nd path-based proxy service with a path of /secureredirect (along with a public protected resource for /*), pointing to the same http target website. In the configuration of this proxy service, "remove path" must be selected.
3. Using Firefox, install the "Modify Headers" plugin.
4. Within the "Modify Headers" plugin in Firefox, add a header called "Referer" with a value of https://sbs43sp1.ml.com/secureredirect/enews/
5. Open a browser and try to access https://sbs43sp1.ml.com/secureredirect/enews . In this case, the "Referer" header is sent along and it gets rewritten correctly.
6. Now, modify the header in the "Modify Headers" plugin to have the value "https://sbs43sp1.ml.com/secureredirect/enews?Mod=S".
7. Open a browser and try to access https://sbs43sp1.ml.com/secureredirect/enews?Mod=S . In this case, the "Referer" header remains the same.

If the protected resource (web server) is using a non-standard port (like 8080, 8443, 8000 etc.), the behavior is slightly different and the rewriter will just remove the port. The httpheaders file on the AG shows the following:
 
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:creq [149.44.104.120:49810->149.44.105.130:8000] GET /secureredirect/enews/
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:creq Referer: http://www.fal.com:8000/secureredirect/enews/index.html
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:to-ws [149.44.105.130:41232->149.44.104.120:8000] GET /enews/ HTTP/1.1
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:to-ws Referer: http://www.fal.com/secureredirect/enews/index.html
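
The creq/to-ws comparison above can be run over a whole httpheaders capture to find requests whose Referer passed through unchanged or lost only its port. This Python script is an added example, not code from Access Manager or from this document; it assumes the ID:n:n token pairs the creq and to-ws lines of one request, and the second transaction in the sample (ID:555:1501) is constructed from the URL in step 6.

```python
import re
from urllib.parse import urlsplit

# Sample in the httpheaders layout shown above. The ID:554:1500 lines are the
# ones from this document; the ID:555:1501 pair is constructed for illustration.
SAMPLE = """\
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:creq [149.44.104.120:49810->149.44.105.130:8000] GET /secureredirect/enews/
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:creq Referer: http://www.fal.com:8000/secureredirect/enews/index.html
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:to-ws [149.44.105.130:41232->149.44.104.120:8000] GET /enews/ HTTP/1.1
May 15 11:29:15 nam43 httpd[7357]: ID:554:1500:to-ws Referer: http://www.fal.com/secureredirect/enews/index.html
May 15 11:30:02 nam43 httpd[7357]: ID:555:1501:creq Referer: https://sbs43sp1.ml.com/secureredirect/enews?Mod=S
May 15 11:30:02 nam43 httpd[7357]: ID:555:1501:to-ws Referer: https://sbs43sp1.ml.com/secureredirect/enews?Mod=S
"""

# \s* after "Referer:" also accepts a value wrapped onto the next line.
# Assumption: "ID:<n>:<n>" is the key that ties creq and to-ws lines together.
REFERER = re.compile(r"ID:(\d+:\d+):(creq|to-ws) Referer:\s*(https?://\S+)")

def classify(client, backend):
    """Compare the Referer received from the browser with the one sent on."""
    if client == backend:
        return "unchanged"
    c, b = urlsplit(client), urlsplit(backend)
    same_rest = (c.scheme, c.hostname, c.path, c.query) == \
                (b.scheme, b.hostname, b.path, b.query)
    if same_rest and c.port is not None and b.port is None:
        return "port-removed-only"
    return "rewritten"

def audit(log_text):
    """Return {transaction id: (verdict, referer_has_query_string)}."""
    seen = {}
    for txn, side, value in REFERER.findall(log_text):
        seen.setdefault(txn, {})[side] = value
    report = {}
    for txn, sides in seen.items():
        if "creq" in sides and "to-ws" in sides:
            verdict = classify(sides["creq"], sides["to-ws"])
            report[txn] = (verdict, bool(urlsplit(sides["creq"]).query))
    return report

if __name__ == "__main__":
    for txn, (verdict, has_query) in audit(SAMPLE).items():
        print(f"ID:{txn} referer={verdict} query_string={has_query}")
```

Running the same audit before and after applying the fix shows whether Referer values that carry a query string are still reported as unchanged.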

Resolution

Apply NAM 4.3 SP3 or upgrade to 4.4. The Referer header was not being rewritten because of the presence of the = sign.

Note that the rewriting issue is fixed for the following HTTP headers: "If", "Call-Back", "Notification-Type" and "Destination", along with the Referer header.