Multiple Web Applications are set up and accessed successfully by users via ZTNA.
The ZTNA admin added a new Web application for Red Hat's Ansible automation platform, but users cannot log in successfully after submitting credentials (a login error code is returned).
The internal web server hostname defined is accessible and resolvable by the connector.
CORS is enabled by default with HTTP requests, along with CSRF tokens.
If the same user accesses the application directly using the same credentials, everything works fine.
Red Hat Ansible automation platform.
ZTNA.
Ansible checks the value of the X-Forwarded-Host HTTP header instead of the Host or Origin HTTP headers.
Make sure that all X-Forwarded-* HTTP headers are removed from the Web application -> advanced -> request customization fields.
The HAR file showed that POSTing the user's credentials triggered a 403 response from the web server with the following error payload:
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>Reason given for failure:</p>
<pre>
Origin checking failed - https://######.luminatesec.com does not match any trusted origins.
</pre>
This proved very off-putting, as the Origin HTTP header is rewritten successfully by default. The only instance of ######.luminatesec.com came from the X-Forwarded-Host HTTP header, hence the change to remove it.
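An added example, not part of the original article: a Python script that scans an exported HAR file for the failure described above, a POST answered with a 403 CSRF page, and extracts the reason and the rejected origin. The HAR content and the host name app.ztna.example are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample HAR (hypothetical host name), trimmed to the fields used below.
CSRF_PAGE = ("<h1>Forbidden <span>(403)</span></h1>\n"
             "<p>CSRF verification failed. Request aborted.</p>\n"
             "<p>Reason given for failure:</p>\n<pre>\nOrigin checking failed - "
             "https://app.ztna.example does not match any trusted origins.\n</pre>")
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.ztna.example/"},
     "response": {"status": 200, "content": {"text": "<html>login form</html>"}}},
    {"request": {"method": "POST", "url": "https://app.ztna.example/api/login/"},
     "response": {"status": 403, "content": {"encoding": "base64",
                  "text": base64.b64encode(CSRF_PAGE.encode()).decode()}}},
]}})

REASON_RE = re.compile(r"<pre>\s*(.*?)\s*</pre>", re.S)
ORIGIN_RE = re.compile(r"Origin checking failed - (\S+) does not match")


def body_text(content):
    """Return the response body, decoding it when the HAR stored it as base64."""
    text = content.get("text", "")
    if content.get("encoding") == "base64":
        text = base64.b64decode(text).decode("utf-8", "replace")
    return text


def csrf_failures(har_json):
    """Return one finding per POST answered with a 403 CSRF-verification page."""
    findings = []
    for entry in json.loads(har_json)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        body = body_text(resp.get("content", {}))
        if req["method"] != "POST" or resp["status"] != 403:
            continue
        if "CSRF verification failed" not in body:
            continue
        reason = REASON_RE.search(body)
        origin = ORIGIN_RE.search(reason.group(1)) if reason else None
        findings.append({"url": req["url"],
                         "reason": reason.group(1) if reason else "",
                         "rejected_origin": origin.group(1) if origin else None})
    return findings


if __name__ == "__main__":
    print(csrf_failures(SAMPLE_HAR))
```

The rejected origin it reports is the value to look for among the headers the ZTNA application forwards to the web server, such as X-Forwarded-Host.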