Issue:
One of our SSO applications is served through a reverse proxy. After a
15-minute idle timeout, the reverse proxy DNS name appears in the URL
automatically. This should not happen, as we don't want to expose the
reverse proxy DNS name.
The journey is as follows:
1. First we hit the portal www.example.mydomain.com, which authenticates
against LDAP and authorizes against ODBC.
2. After successfully logging in to the portal, we launch the SSO
application, for example www.example.mydomain.com/sso_application
3. After launching, the SSO application does not ask for a login, as it
uses the same SMSESSION.
4. For 15 minutes, the URL is www.example.mydomain.com/sso_application
5. After 15 minutes, the URL changes automatically to the reverse proxy
DNS name that we have configured in Apache, e.g.
www.host.mytestdomain.com/sso_application, which we don't want to happen.
The portal is configured on an Apache web server, whereas the SSO
application is configured on an IIS web server.
Cause:
The HTTP_HOST value has already been changed by the time the request
arrives at the Web Agent, which is why the Web Agent uses it as the target.
In httpd.conf, ProxyPreserveHost is set to Off, which is the main cause
of the issue.
The backend server should be referencing the reverse proxy server
hostname. You can enable the ProxyPreserveHost setting in the virtual
host setup, as this should pass the original Host: header, as sent by
the user, across to the backend.
ProxyPreserveHost Directive
"When enabled, this option will pass the Host: line from the incoming
request to the proxied host, instead of the hostname specified in the
ProxyPass line.
This option should normally be turned Off. It is mostly useful in
special configurations like proxied mass name-based virtual hosting,
where the original Host header needs to be evaluated by the backend
server."
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost
Also see the CA Communities thread below, which has some useful
information regarding ProxyPreserveHost setup:
"If you have set 'ProxyPreserveHost On' on your Apache then the
HTTP_HOST (www.apache.com) header value will be forwarded to SPS.
And if your SPS did not have that hostname registered in the
virtualhost configuration then that error is expected."
https://communities.ca.com/thread/241781693-can-ca-secure-proxy-server-access-gateway-be-used-as-a-backend-server
Resolution:
In the Apache reverse proxy configuration, set ProxyPreserveHost
to On to solve the issue.
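To find every proxied path affected by this setting, the check below (an added example, not part of the original KB article or any CA/Apache tooling) scans httpd.conf text and lists each ProxyPass whose scope does not preserve the client's Host header. The sample configuration is constructed: it assumes www.host.mytestdomain.com is the ProxyPass target, and the function name audit_preserve_host is hypothetical.

```python
# Constructed sample httpd.conf. Hostnames are the article's examples; the
# vhost layout and ports are assumptions made for this illustration.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.mydomain.com
    ProxyPreserveHost Off
    ProxyPass /sso_application http://www.host.mytestdomain.com/sso_application
    ProxyPassReverse /sso_application http://www.host.mytestdomain.com/sso_application
</VirtualHost>
<VirtualHost *:8080>
    ServerName www.example.mydomain.com
    ProxyPreserveHost On
    ProxyPass /sso_application http://www.host.mytestdomain.com/sso_application
</VirtualHost>
"""

def audit_preserve_host(conf_text):
    """Return (scope, backend_url) for every two-argument ProxyPass whose scope
    sends the ProxyPass hostname to the backend instead of the client's Host."""
    server = {"name": "server config", "preserve": None, "targets": []}
    scopes, cur = [server], server
    for raw in conf_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "<virtualhost":
            cur = {"name": " ".join(args).rstrip(">"), "preserve": None, "targets": []}
            scopes.append(cur)
        elif key == "</virtualhost>":
            cur = server
        elif key == "proxypreservehost" and args:
            cur["preserve"] = args[0].lower() == "on"
        elif key == "proxypass" and len(args) >= 2 and args[1] != "!":
            cur["targets"].append(args[1])  # "path !" exclusions are skipped
    # An unset directive means Off; a vhost that does not set it inherits
    # the server-level value.
    inherited = bool(server["preserve"])
    findings = []
    for s in scopes:
        preserve = inherited if s["preserve"] is None else s["preserve"]
        if not preserve:
            findings += [(s["name"], target) for target in s["targets"]]
    return findings

if __name__ == "__main__":
    for scope, target in audit_preserve_host(SAMPLE_CONF):
        print(f"{scope}: backend {target} receives its own hostname as Host")
```

A path that disappears from the findings after the change still depends on the backend accepting the preserved hostname, as the quoted Communities thread notes.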
KB : KB000099431