Trailing Slash Problem for SPS URL

Article ID: 194587

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We use SPS for reverse proxy services. Below is the request flow. I noticed a "trailing slash problem" on the URLs behind the SPS. These URLs are unprotected by SiteMinder. The issue is noticed while launching URLs that are directories. I noticed an HTTP 301 redirect to the downstream RHEL Apache server URL, and that URL is also exposed to the end users, which is not supposed to happen in a reverse proxy case. This RHEL Apache server URL is not publicly accessible, so it always fails. The URL works fine if I add "/" at the end. But it is not feasible to tell end users to add "/", and it also causes problems when calling such URLs internally in application code. Below is the flow in a nutshell. Images are also attached for reference.

URL (browser) --> SPS --> RHEL Apache (hosted on different server) --> Page Displayed


Environment

Release : 12.7

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

"Handling Redirects by Destination Servers"

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/ca-access-gateway-configuration/configure-the-virtual-host-settings-manually.html#concept.dita_9487339992c5e43ded0b80f85eb51b240356c38b_HandlingRedirectsbyDestinationServers

This is probably what you are looking for.

There is also "Default Virtual Host Values"

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/ca-access-gateway-configuration/configure-the-virtual-host-settings-manually.html#concept.dita_9487339992c5e43ded0b80f85eb51b240356c38b_DefaultVirtualHostValues

I noticed the following in your Access Gateway server.conf:

enableproxypreservehost="no"
filteroverridepreservehost="no"

You might need to set:

enableproxypreservehost="yes"

This is so that, in this case, redirects will not change the host portion of the URL.

You have many VirtualHosts and I cannot really evaluate the impact of changing this on all of them so you will need to test, and might need to use filteroverridepreservehost.

The customer specifically used:

<VirtualHostDefaults>
...
        enableproxypreservehost="yes"
...
</VirtualHostDefaults>

<VirtualHost name="<VIRTUALHOST>">
...
        enableredirectrewrite="yes"
        redirectrewritablehostnames="ALL"
...
</VirtualHost>
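
One way to verify the change, added here as an example (not part of the original article or the product): request a directory URL without the trailing slash, do not follow the redirect, and check that the Location header stays on the proxy's own origin. The hostnames, the sample responses and the function names `origin`, `classify` and `probe` are constructed for illustration.

```python
"""Flag trailing-slash redirects that expose a backend host. Hostnames are constructed."""
import http.client
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with case and default ports normalised."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(),
            p.port or DEFAULT_PORTS.get(p.scheme.lower()))

def classify(request_url, status, location):
    """Classify one proxy response to a request for request_url."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    target = urljoin(request_url, location)   # resolves relative Location values
    if origin(target)[1] != origin(request_url)[1]:
        return "leak: redirect points at " + origin(target)[1]
    if origin(target) != origin(request_url):
        return "mismatch: scheme or port changed"
    if urlsplit(target).path == urlsplit(request_url).path + "/":
        return "ok: trailing slash added on the proxy host"
    return "ok: same-origin redirect"

def probe(url, timeout=5):
    """Fetch url once without following redirects and classify the answer."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", p.path or "/")
        resp = conn.getresponse()
        return classify(url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed responses: (requested URL, status, Location header)
SAMPLES = [
    ("https://portal.example.com/docs", 301, "http://apache01.internal.example:8080/docs/"),
    ("https://portal.example.com/docs", 301, "https://portal.example.com/docs/"),
    ("https://portal.example.com/docs", 301, "/docs/"),
    ("https://portal.example.com/docs", 301, "http://PORTAL.example.com/docs/"),
    ("https://portal.example.com/docs/", 200, None),
]

if __name__ == "__main__":
    for url, status, loc in SAMPLES:
        print(status, loc, "->", classify(url, status, loc))
```

Run `probe()` against each virtual host's directory URLs after changing the setting; the fourth sample shows a redirect that keeps the public hostname but still drops from https to http.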