Error rendering UI for external SAML users via Apache proxy in DX NetOps


Article ID: 435997


Updated On:

Products

Network Observability CA Performance Management

Issue/Introduction

External users accessing the system through an Apache reverse proxy via SAML authentication encounter UI rendering failures after upgrading to version 25.4.5.

SYMPTOMS:

  • Internal LDAP users on the VPN can log in without issue

  • External users authenticate successfully but the Portal UI fails to load or render correctly

  • The browser displays layout container rendering errors instead of the expected dashboards

  • Service request logs show repeating "GET /badMessage HTTP/1.0" 505 errors originating from the proxy IP addresses

CONTEXT: This occurs when external users log in via a reverse proxy that acts as a simple pass-through without inspecting the payload

IMPACT: External users cannot access the system dashboards

When users log in to the tool they see the following instead of the expected Portal web UI.

Environment

Network Observability DX NetOps Portal configured for SSO using SAML 2.0 standards with traffic passing through an Apache reverse proxy using mod_proxy

In 25.4.4+ releases UI payload compression is enabled by default

Cause

The mod_proxy configuration is not properly uncompressing and recompressing the data sent from Portal to its external end users.

In recent releases, the UI uses React and gzips data to minimize payload sizes. If the reverse proxy acts as a simple pass-through without an explicit filter chain, the proxy-html module cannot read the compressed binary data to rewrite URLs properly, resulting in broken links and rendering failures on the client side.
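The following is an added illustration, not code from the product or from Apache: a Python stand-in for the rewrite step, showing why a URL rewriter finds nothing to rewrite in a gzip-compressed body and why decompressing first, rewriting, and recompressing fixes it. The hostnames, the markup and all function names are assumptions made up for the example.

```python
import gzip
import re

# Constructed sample data: both hostnames and the markup are placeholders.
INTERNAL = b"http://portal.internal.example:8181"
EXTERNAL = b"https://netops.example.com"
BACKEND_HTML = (
    b'<html><head><script src="' + INTERNAL + b'/pc/app.js"></script></head>'
    b'<body><a href="' + INTERNAL + b'/pc/desktop/page">Dashboards</a></body></html>'
)

def is_gzip(body: bytes) -> bool:
    """gzip streams start with the magic bytes 1f 8b."""
    return body[:2] == b"\x1f\x8b"

def rewrite_links(body: bytes):
    """Stand-in for the URL rewriter: returns (new_body, links_rewritten)."""
    return re.subn(re.escape(INTERNAL), EXTERNAL, body)

def backend_response():
    """Portal response with payload compression enabled."""
    body = gzip.compress(BACKEND_HTML)
    return {"Content-Encoding": "gzip", "Content-Length": str(len(body))}, body

def pass_through(headers, body):
    """Rewriter applied to the bytes exactly as the backend sent them."""
    new_body, count = rewrite_links(body)
    return headers, new_body, count

def inflate_rewrite_deflate(headers, body):
    """Decompress, rewrite, recompress, then fix Content-Length."""
    compressed = headers.get("Content-Encoding") == "gzip" and is_gzip(body)
    plain = gzip.decompress(body) if compressed else body
    plain, count = rewrite_links(plain)
    out = gzip.compress(plain) if compressed else plain
    return dict(headers, **{"Content-Length": str(len(out))}), out, count

def internal_links_seen_by_client(body: bytes) -> int:
    """Count internal URLs left in what the browser decodes."""
    plain = gzip.decompress(body) if is_gzip(body) else body
    return plain.count(INTERNAL)

if __name__ == "__main__":
    hdrs, raw = backend_response()
    for name, chain in (("pass-through", pass_through),
                        ("inflate/rewrite/deflate", inflate_rewrite_deflate)):
        _, out, n = chain(hdrs, raw)
        print(f"{name}: rewritten={n} leaked={internal_links_seen_by_client(out)}")
```

A non-zero "leaked" count in the pass-through case is the condition that produces broken links for external users, who cannot reach the internal hostname.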

Resolution

PREREQUISITES:

  • Administrator access to the Apache proxy server

STEPS:

1. UPDATE PROXY CONFIGURATION

Path: Apache configuration file for the proxy

Update the proxy configuration to include the following output filter chain:

SetOutputFilter INFLATE;proxy-html;DEFLATE

EXPECTED: The proxy will now decompress the payload, process the HTML to rewrite internal links, and recompress it before sending to the client

NOTE: Because this filter chain forces the proxy to do the heavy computational lifting of unzipping, parsing, editing, and re-zipping the data, it is only enabled when absolutely necessary

 

2. RESTART THE PROXY SERVICE

Restart the Apache proxy service to apply the configuration changes

EXPECTED: External users can successfully log in and render the UI via SAML

 

VERIFY SUCCESS:

  • External users can log in via SAML

  • Dashboards render successfully without layout container errors