DX Unified Infrastructure Management

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

I managed to work this out.

If anyone else gets errors via a reverse proxy.
The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

Example:

<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Original Message:
Sent: 10-06-2020 09:58 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

Hello Nick!

Thank you so much for posting the solution here, you just saved my day!

I just followed your last instructions and commented out the following lines on the web.xml located in \Nimsoft\probes\service\wasp\webapps\operatorconsole_portlet\WEB-INF

<!--
<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.operatorconsole.config.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->

Broadcom please create a KB to document this issue!

Regards,
Danilo Melo

Original Message:
Sent: 10-08-2020 10:31 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I managed to work this out.

If anyone else gets errors via a reverse proxy.
The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

Example:

<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Original Message:
Sent: 10-06-2020 09:58 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

Good news :)
Original Message:
Sent: 12-04-2020 08:24 AM
From: Danilo Melo
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hello Nick!

Thank you so much for posting the solution here, you just saved my day!

I just followed your last instructions and commented out the following lines on the web.xml located in \Nimsoft\probes\service\wasp\webapps\operatorconsole_portlet\WEB-INF

<!--
<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.operatorconsole.config.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->

Broadcom please create a KB to document this issue!

Regards,
Danilo Melo

Original Message:
Sent: 10-08-2020 10:31 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I managed to work this out.

If anyone else gets errors via a reverse proxy.
The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

Example:

<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Original Message:
Sent: 10-06-2020 09:58 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

Hi Danilo,

Do you have issues with getting the admin console to load through the webproxy ? It seems to always try to go via private, rather then apj proxy setting.

Thanks
Original Message:
Sent: 12-04-2020 08:24 AM
From: Danilo Melo
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hello Nick!

Thank you so much for posting the solution here, you just saved my day!

I just followed your last instructions and commented out the following lines on the web.xml located in \Nimsoft\probes\service\wasp\webapps\operatorconsole_portlet\WEB-INF

<!--
<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.operatorconsole.config.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->

Broadcom please create a KB to document this issue!

Regards,
Danilo Melo

Original Message:
Sent: 10-08-2020 10:31 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I managed to work this out.

If anyone else gets errors via a reverse proxy.
The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

Example:

<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Original Message:
Sent: 10-06-2020 09:58 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

Hi Nick! Good afternoon!

When I click to open Admin Console from the Operator console, it redirects to my internal server, so indeed the redirect doesnt work. Im afraid I cant help much with that. I only need the OC and CABI webpages available on the internet, since the customer doesnt need to access the Admin Console.

Maybe it has to be configured separately in the proxy the same way you do for CABI to work within the Operator Console web link.

Regards
Original Message:
Sent: 12-15-2020 10:01 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hi Danilo,

Do you have issues with getting the admin console to load through the webproxy ? It seems to always try to go via private, rather then apj proxy setting.

Thanks
Original Message:
Sent: 12-04-2020 08:24 AM
From: Danilo Melo
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hello Nick!

Thank you so much for posting the solution here, you just saved my day!

I just followed your last instructions and commented out the following lines on the web.xml located in \Nimsoft\probes\service\wasp\webapps\operatorconsole_portlet\WEB-INF

<!--
<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.operatorconsole.config.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->

Broadcom please create a KB to document this issue!

Regards,
Danilo Melo

Original Message:
Sent: 10-08-2020 10:31 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I managed to work this out.

If anyone else gets errors via a reverse proxy.
The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

Example:

<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Original Message:
Sent: 10-06-2020 09:58 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks

Yea. I noticed after the previous question, others have asked the same thing.
Original Message:
Sent: 12-15-2020 10:19 AM
From: Danilo Melo
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hi Nick! Good afternoon!

When I click to open Admin Console from the Operator console, it redirects to my internal server, so indeed the redirect doesnt work. Im afraid I cant help much with that. I only need the OC and CABI webpages available on the internet, since the customer doesnt need to access the Admin Console.

Maybe it has to be configured separately in the proxy the same way you do for CABI to work within the Operator Console web link.

Regards
Original Message:
Sent: 12-15-2020 10:01 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hi Danilo,

Do you have issues with getting the admin console to load through the webproxy ? It seems to always try to go via private, rather then apj proxy setting.

Thanks
Original Message:
Sent: 12-04-2020 08:24 AM
From: Danilo Melo
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Hello Nick!

Thank you so much for posting the solution here, you just saved my day!

I just followed your last instructions and commented out the following lines on the web.xml located in \Nimsoft\probes\service\wasp\webapps\operatorconsole_portlet\WEB-INF

<!--
<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.operatorconsole.config.ResponseHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->

Broadcom please create a KB to document this issue!

Regards,
Danilo Melo

Original Message:
Sent: 10-08-2020 10:31 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I managed to work this out.

If anyone else gets errors via a reverse proxy.
The line filter ResponseHeaderFilter in web.xml is the culprit. I just delete the filter and filter mapping entries for the problem webapp.

Example:

<filter>
<filter-name>ResponseHeaderFilter</filter-name>
<filter-class>com.firehunter.adminconsole.config.ResponseHeaderFilter</filter-class>

</filter>
<filter-mapping>
<filter-name>ResponseHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Original Message:
Sent: 10-06-2020 09:58 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

Also, more importantly. The Broadcom document instructs users to use "Except-CT-Header property" but the term is Expect-CT.

Is it possible for someone to review the Broadcom document please?
Except vs Expect
Original Message:
Sent: 10-06-2020 07:49 AM
From: Nick Barlow
Subject: Reverse proxy - AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

HI,

After upgrading to 20.3 I have been experiencing a number issues.
The current issue is that when attempting to connect to the OC/UMP I receive the following errors in the reverse proxy
AH02429: Response header name 'Expect-CT ' contains invalid characters, aborting request

I have been battling with this since yesterday and noticed that Broadcom doc has been updated today and contains new information for Expect-CT, link below, and I am hoping this is something that can help, but there is no context in the Broadcom instructions. It doesnt actually state why the steps are required.

Configure HTTPS in Admin Console or UMP

The issue is, this is not very clear and may not be accurately written.

Steps for OC and adding Expect-CT.
By default Expect-CT is set to "enforce, max-age=300", to change the values or adding report-uri in the Operator Console.
Follow these steps:
1. Open wasp.cfg file in any file editor ~\Nimsoft\probes\service\wasp
2. Go to <operatorconsole_portlet> ,<uncrypted> tag
3. Add/Edit configuration attributes in Except-CT-Header property as below Except-CT-Header = enforce, max-age=300
4. Restart the wasp
Questions are:
What should this be set to ? is it "enforce"
Where should this be set ? Step 2 refers to <operatorconsole_portlet> ,<uncrypted> in the wasp.cfg, but in my wasp, the path is <operatorconsole_portlet>, <custom> ,<uncrypted> .. which one is correct ?

I have added "Except-CT-Header = enforce, max-age=300, report-uri='https://<public facing url>" to the <operatorconsole_portlet>, <custom> ,<uncrypted> as well as creating <operatorconsole_portlet>, <custom> ,<uncrypted> section, which I manually created, to match the Broadcom doc.

The same applies to the Adminconsole.
Step 2 states. Go to <adminconsoleapp>, is this correct ? as the path in wasp.cfg again, is <custom> , <uncrypted>

The current web proxy has been in place for a number of years, with no issues, until 20.3 upgrade.

Thanks