
Blocking Cross Origin data posting to the CA AXA/APM Browser Agent infrastructure


Article ID: 129590


Updated On:


CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE


For on-premise DXI implementations that use the Experience Collector (DXC), it is desirable for the DXI backend to reject data posted by the Browser Agent (or an equivalent) when it does not match the source origin domain of the application page where the Browser Agent is embedded or injected.


Solution that has been tested by Broadcom/CA Engineering:

<Please see attached file for image>



All On-premise environments with DXC (APM 10.5+ and AXA 17.x+).


NGINX loadbalancer configuration procedure
On the load balancer in the DMZ, the nginx configuration file was modified through the following steps.
- Log in to the nginx load balancer.
- Navigate to nginx/nginx-1.13.0 (or the corresponding location).
- Open the 'nginx.conf' file in an editor.
- In the 'server' section of the conf file, uncomment or add the following lines:
location ~* (bajs|extjs|profile|(b|B)rowserMetrics) {
                  # The allowed origin must be identical, scheme included, in every branch
                  if ($request_method = 'GET') {
                      add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
                  }
                  # Preflight request: answer directly with the permitted methods and headers
                  if ($request_method = 'OPTIONS') {
                     add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
                     add_header 'Access-Control-Allow-Credentials' 'true';
                     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                     add_header 'Access-Control-Allow-Headers' 'Content-Type';
                     return 200;
                  }
                  if ($request_method = 'POST') {
                     add_header 'Access-Control-Allow-Origin' 'https://<mywebsite>.com';
                  }
}
- After this change, nginx must be restarted: execute the "./restart" command.
Expected result:
- This should block all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
Actual result:
- DXC blocked all the GET, POST and OPTIONS calls originating from anywhere but https://<mywebsite>.com
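
The header set above is enforced by the browser, which compares the embedding page's origin with the Access-Control-Allow-Origin value. The following added example (not part of the original article and not Broadcom code) applies that comparison to a captured response, so the load balancer's output can be checked after the change. The origin https://app.example.com is an assumed stand-in for https://<mywebsite>.com, and the sample response is constructed.

```python
"""Added example: audit captured CORS response headers as a browser would."""

def parse_headers(raw):
    """Parse a raw HTTP response head (e.g. `curl -i` output) into a dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def response_readable(page_origin, headers, credentials=False):
    """CORS check: may a page at page_origin use this response?"""
    acao = headers.get("access-control-allow-origin")
    if acao == "*":
        return not credentials  # wildcard is refused for credentialed requests
    if acao != page_origin:  # exact match on scheme, host and port
        return False
    return (not credentials
            or headers.get("access-control-allow-credentials") == "true")

def _tokens(headers, name):
    return {t.strip().lower() for t in headers.get(name, "").split(",") if t.strip()}

def preflight_passes(page_origin, headers, method, request_headers=(), credentials=False):
    """Preflight check: will the browser go on to send the real request?"""
    if not response_readable(page_origin, headers, credentials):
        return False
    methods = _tokens(headers, "access-control-allow-methods") | {"get", "head", "post"}
    allowed = _tokens(headers, "access-control-allow-headers")
    return (method.lower() in methods
            and all(h.lower() in allowed for h in request_headers))

# Constructed sample: OPTIONS response carrying the header set from this article,
# with https://app.example.com standing in for https://<mywebsite>.com.
SAMPLE_PREFLIGHT = """\
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
"""

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_PREFLIGHT)
    for origin in ("https://app.example.com", "http://app.example.com", "https://other.example"):
        ok = preflight_passes(origin, hdrs, "POST", ["Content-Type"], credentials=True)
        print(f"{origin:28} preflight {'passes' if ok else 'fails'}")
```
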

Additional Information

Note: This configuration requires the load balancer to be in the DMZ, with direct access from the DMZ to the DXC blocked by a firewall. To prevent unauthorized clients in the secure zone from accessing the DXC, you may also set up iptables on the DXC servers to allow only the load balancer as an originating IP address for the web port used by the DXC.


1558688710798000129590_sktwi1f5rjvs16fp4.jpeg