Modify referrer sent by Network Gateway

artemis1
Level 1

Does anyone know if there is a way to have the Network Gateway modify the referrer or host header that is sent to an internal web application?

I have external.example.com (“EXTERNAL”) that resolves to the Network Gateway. Upon successful authentication, the network gateway redirects to the web application at internal.hq.example.com (“INTERNAL”). However, the host header set by the browser and sent to the internal server is set to “external.example.com”. This causes the internal web application to throw an error due to the mismatch.

I’ve solved a similar issue in the past with NGINX’s proxy_cookie_domain directive but I do not see any settings in the Network Gateway that would allow me to implement a similar config.

2 Replies

jamieis
Cisco Employee

Hey @artemis,

Is your internal web application using HTTPS or HTTP?

If you are using HTTPS you can change the setting “Internal SSL validation name” to use your internal URL which will also set the Host header to the internal URL.

It looks like this is a setting within the web application I am forwarding to via the Network Gateway.

I had Internal SSL validation selected but that did not seem to make a difference.

As a temporary workaround, I placed an NGINX server as a reverse proxy in front of the web app and pointed the Internal URL to the NGINX proxy. I had to add a few headers via the NGINX config to ensure everything was passed correctly:

proxy_cookie_domain external.example.com internal-nginx-proxy.hq.example.com;
proxy_set_header Referer "https://internal.hq.example.com/api/v1/";
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://internal.hq.example.com/;

I’ll circle back to this later to see if there is a better way to handle it. The webapp I’m pointing to belongs to a commercial appliance where I do not have the ability to modify many settings.
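
The workaround from the last post, placed in a complete server block, as an added example that is not part of the original posts and not Cisco's configuration. The listener name is taken from the post's proxy_cookie_domain line; the certificate and CA paths are placeholders, and the explicit Host, SNI and upstream certificate verification lines are additions that assume the appliance presents a certificate for internal.hq.example.com issued by an internal CA.

```nginx
# Added example: reverse proxy sitting between the Network Gateway and the appliance.
# All file paths are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name internal-nginx-proxy.hq.example.com;

    ssl_certificate     /etc/nginx/tls/proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/proxy.key;   # placeholder path

    location / {
        proxy_pass https://internal.hq.example.com/;

        # Host header seen by the appliance. nginx already defaults to
        # $proxy_host (the name in proxy_pass); stating it makes the intent
        # explicit and keeps external.example.com from reaching the backend.
        proxy_set_header Host internal.hq.example.com;

        # Send a matching SNI name and verify the upstream certificate, so the
        # extra hop does not silently drop TLS validation (assumed additions).
        proxy_ssl_server_name on;
        proxy_ssl_name internal.hq.example.com;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder path

        # Directives exactly as posted in the thread.
        proxy_cookie_domain external.example.com internal-nginx-proxy.hq.example.com;
        proxy_set_header Referer "https://internal.hq.example.com/api/v1/";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the Referer is fixed to a constant, any Referer-based origin check in the appliance sees the same value for every request, so access control rests on the Network Gateway's authentication in front of this proxy.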
