Accessing ROC URL version 6.7.0.576 via HA Proxy errors to HTTP ERROR 503 "Service Unavailable"
Article ID: 258968


Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

We applied the patch 6.7.0.576 over 6.7.0.81 and after the patch we're not able to connect to the NAC via HA Proxy. We get the HTTP error 503 service unavailable.

Our HAProxy configuration is:

backend cara-out-8443
  mode http
  option httpchk GET /datamanagement/availability
  http-check expect status 200
  cookie JSESSIONID prefix nocache
  default-server check check-ssl ssl verify none
  server app1 NAC-SERVER_HOSTNAME:NAC-PORT cookie app1

Environment

Release : 6.7.0.576

Cause

From CARA version 6.7.3 onwards, an additional security feature is enabled that denies requests whose "Host" header value is not listed under the allowed hosts. This configuration does not address any direct vulnerability; it adds an additional layer of protection against data injection, malicious access and XSS. It is controlled by the following settings in RA:

Setting: http.request.header.enableHostHeaderFilter=true
Description: This setting controls whether the filter of "Host" header values for HTTP requests is enabled or not. By default, the filter is enabled.

Setting: http.request.header.allowedHosts=
Description: This setting allows adding exceptions for the "Host" header values that should be permitted by the filter. By default it is empty, which means that the filter will only allow the values. The format is a comma-separated list of hostnames or IP addresses. For example: "http.request.header.allowedHosts=localhost, 127.0.0.1"

Please refer to the Tech Doc "Security Configuration" for more details.

The reason for the HTTP ERROR 503 is that, with the current HAProxy configuration, no "Host" header is sent in the availability check (the /datamanagement/availability request). The NAC therefore rejects the check, and HAProxy reports the backend as unavailable.

Resolution

The recommended solution is to pass the "Host" header in the availability check request sent by HAProxy.

Example configuration for HAProxy 2.4.*:

backend cara-out-8443
  mode http
  option httpchk
  http-check send meth GET uri /datamanagement/availability hdr Host HOSTNAME_IP_OF_HAPROXY
  http-check expect status 200
  cookie JSESSIONID prefix nocache
  default-server check check-ssl ssl verify none
  server app1 NAC-SERVER_HOSTNAME:NAC-PORT cookie app1

Alternative solution/workaround

Disable "Host" header checking by setting http.request.header.enableHostHeaderFilter=false. With this change your existing HAProxy configuration will keep working: the NAC will no longer check "Host" headers and will behave as it did before the upgrade. Note that this also removes the additional protection layer described above, so the recommended solution is to keep the filter enabled and fix the health check instead.
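The following is an added example, not code from CA/Broadcom or from HAProxy. It models the "Host" header filter described in the Cause section and the two HAProxy health-check forms from the Resolution section, so the 503 and both fixes can be reproduced offline. The hostnames in the settings are constructed placeholders, and the exact-match comparison of the header value (without stripping a port) is an assumption that the article does not confirm.

```python
# Added example (not CA/Broadcom or HAProxy code): a small model of the NAC
# Host-header filter and of the HAProxy availability probe, showing why the
# legacy health check fails once the filter is enabled and how each fix works.

# Constructed settings in the key=value form of the article's table.
# The allowed hostnames are placeholders.
SETTINGS_FILTER_ON = """
http.request.header.enableHostHeaderFilter=true
http.request.header.allowedHosts=localhost, 127.0.0.1, haproxy.example.internal
"""

# Same settings with the workaround applied (filter disabled).
SETTINGS_FILTER_OFF = SETTINGS_FILTER_ON.replace(
    "enableHostHeaderFilter=true", "enableHostHeaderFilter=false")


def parse_settings(text):
    """Parse key=value lines into a dict, ignoring blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def allowed_hosts(settings):
    """Split the comma-separated allowedHosts value into a normalised set."""
    raw = settings.get("http.request.header.allowedHosts", "")
    return {h.strip().lower() for h in raw.split(",") if h.strip()}


def host_filter_enabled(settings):
    """The filter is on by default, so only an explicit 'false' disables it."""
    value = settings.get("http.request.header.enableHostHeaderFilter", "true")
    return value.strip().lower() != "false"


def nac_accepts(settings, headers):
    """Model of the NAC filter: accept unless the filter is on and the Host
    header is missing or not in the allow list.  Exact case-insensitive match;
    whether the real filter strips a port is an assumption, not article fact."""
    if not host_filter_enabled(settings):
        return True
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if host is None:
        return False
    return host.strip().lower() in allowed_hosts(settings)


def health_check_headers(hdr_host=None):
    """Headers HAProxy puts on the availability probe.  The legacy
    'option httpchk GET /uri' form sends no Host header at all; the 2.4 form
    'http-check send meth GET uri /uri hdr Host X' adds one."""
    headers = {}
    if hdr_host is not None:
        headers["Host"] = hdr_host
    return headers


def proxy_status(settings, hdr_host=None):
    """Status a client sees through HAProxy: 200 while the probe passes,
    503 once the only backend server has been marked down."""
    probe_ok = nac_accepts(settings, health_check_headers(hdr_host))
    return 200 if probe_ok else 503


if __name__ == "__main__":
    on = parse_settings(SETTINGS_FILTER_ON)
    off = parse_settings(SETTINGS_FILTER_OFF)
    print("legacy httpchk, filter on :", proxy_status(on))
    print("hdr Host sent, filter on  :", proxy_status(on, "haproxy.example.internal"))
    print("unlisted Host, filter on  :", proxy_status(on, "other.example"))
    print("legacy httpchk, filter off:", proxy_status(off))
```

The third case is the one worth keeping in mind when choosing between the two solutions: with the filter enabled, a probe carrying a Host value that is not in http.request.header.allowedHosts is rejected just like a probe with no Host header, so the value given after hdr Host in the HAProxy configuration must also appear in the NAC allow list.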