DX Infrastructure Manager

Expand all | Collapse all

Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

  • 1.  Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 10-06-2020 07:49 AM
    HI,

    After upgrading to 20.3 I have been experiencing a number issues.
    The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
    AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

    Configure HTTPS in Admin Console or UMP

    The issue is, this is not very clear and may not be accurately written.

    Steps for OC and adding Expect-CT.
    By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
    Follow these steps:
    1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
    2. Go to <operatorconsole_portlet> ,<uncrypted> tag
    3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
    4. Restart the wasp
    Questions are:
    What should this be set to ? is it "enforce"
    Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

    I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

    The same applies to the Adminconsole.
    Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

    The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

    Thanks


  • 2.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 10-06-2020 09:58 AM
    Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

    Is it possible for someone to review the Broadcom document please?
    Except vs Expect


  • 3.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 10-08-2020 10:32 AM
    Edited by Nick Barlow 10-08-2020 10:32 AM
    I managed to work this out.

    If anyone else gets errors via a reverse proxy.
    The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

    Example:

    <filter>
    <filter-name>ResponseHeaderFilter</filter-name>
    <filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

    </filter>
    <filter-mapping>
    <filter-name>ResponseHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>


  • 4.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 12-04-2020 08:24 AM
    Hello Nick!

    Thank you so much for posting the solution here, you just saved my day!

    I just followed your last instructions and commented out the following lines on the web.xml located in \Nimsoft\probes\service\wasp\webapps\operatorconsole_portlet\WEB-INF

    <!--
    <filter>
    <filter-name>ResponseHeaderFilter</filter-name>
    <filter-class>com.firehunter.operatorconsole.config.ResponseHeaderFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>ResponseHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

    Broadcom please create a KB to document this issue!

    Regards,
    Danilo Melo



  • 5.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 12-14-2020 03:46 AM
    Good news :)


  • 6.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 12-15-2020 10:02 AM
    Hi Danilo,

    Do you have issues with getting the admin console to load through the webproxy ? It seems to always try to go via private, rather then apj proxy setting.

    Thanks



  • 7.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 12-15-2020 10:19 AM
    Hi Nick! Good afternoon!

    When I click to open Admin Console from the Operator console, it redirects to my internal server, so indeed the redirect doesnt work. Im afraid I cant help much with that. I only need the OC and CABI webpages available on the internet, since the customer doesnt need to access the Admin Console.

    Maybe it has to be configured separately in the proxy the same way you do for CABI to work within the Operator Console web link.

    Regards


  • 8.  RE: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

    Posted 12-15-2020 10:25 AM
    Yea. I noticed after the previous question, others have asked the same thing.