IBM Verify

  • 1.  ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Fri October 11, 2019 10:05 AM
    Hello Team,

    we read the following IBM note that WebSeal can pass specific X-Forwarded headers.
    In this case we want to pass X-Forwarded-Proto (HTTP or HTTPS), but we cannot find this config in the note. Is it possible to pass this header? If yes, how do we set the entry in WebSeal.conf?

    Thanks & best regards
    Thomas

    ------------------------------
    Thomas Renner
    ------------------------------


  • 2.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Fri October 11, 2019 10:27 AM
    Hello Thomas,

    The configuration you'd be looking for is the '[header-names]' stanza.

    Here is the configuration file reference : 
    [header-names]

    #
    # This stanza controls the addition of HTTP headers into the request which is
    # passed to junctioned applications. Each entry within the stanza will be of
    # the format:
    # <header-data> = [+]<header-name>
    #
    # where:
    # <header-data> : the type of data which will be inserted.
    # <header-name> : the name of the HTTP header which will hold the data. The
    # header-name can be prefixed with the '+' character if you
    # wish to append to any existing header instead of
    # overwriting the existing header.
    #
    # The <header-data> may be one of the following values:
    #
    # server-name : The ISAM authorization server name for the WebSEAL server.
    # This is the name which is used in the "server task"
    # commands.
    # client-ip-v4 : The IPv4 address of the client of this request.
    # client-ip-v6 : The IPv6 address of the client of this request.
    # client-port : The port which is used by the client of this request.
    # Please note that this is the client source port, and not
    # the destination port.
    # host-name : The host name of the WebSEAL server. The host name will
    # be obtained from the web-host-name configuration entry
    # within the [server] stanza (if specified), or the host
    # name of the machine itself.
    # httphdr{<name>} : A HTTP header from the request, as specified by the <name>
    # field. If the HTTP header is not found in the request
    # the value contained within the [server]
    # tag-value-missing-attr-tag configuration entry will be
    # used as the value for the header.
    #
    # For example:
    # client-ip-v4 = +X-Forwarded-For
    # httphdr{host} = X-Forwarded-Host
    # host-name = X-Forwarded-Server

    server-name = iv_server_name

    ===

    So, if you wanted to add the 'X-Forwarded-Proto' then you'd have configuration like :

    [header-names]
    httphdr{X-Forwarded-Proto} = X-Forwarded-Proto

    Although, if the client is sending the header, ISAM should not be filtering out that header in the first place.

    You can use a pdweb.debug trace to see the headers coming from the Client and confirm that the header is even being sent by the Client in front of the Reverse Proxy instance.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Mon October 14, 2019 04:12 AM
    Edited by Thomas Renner Mon October 14, 2019 04:21 AM
    Hello Jack,

    thank you for the quick response. I tried it out, but unfortunately I received the value "Not_Found" for X-Forwarded-Proto when I set
    httphdr{X-Forwarded-Proto} = X-Forwarded-Proto in the WebSeal.conf.
    For the other X-Forwarded headers like
    client-ip-v4 = +X-Forwarded-For
    httphdr{host} = X-Forwarded-Host
    host-name = X-Forwarded-Server
    I received the corresponding values. Did you try it out by yourself as well?

    Best regards
    Thomas

    ------------------------------
    Thomas Renner
    ------------------------------



  • 4.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Mon October 14, 2019 05:07 AM
    Edited by Dries Eestermans Mon October 14, 2019 05:10 AM
    Hi Thomas,

    In case you're not behind a load balancer which sets the header to begin with, you can extract it from the Request using HTTP Transformation Rules:
    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    	version="1.0">
    	<!-- Firstly, strip any space elements -->
    	<xsl:strip-space elements="*" />
    
    	<!--
    		Perform a match on the root of the document. Output the required
    		HTTPRequestChange elements and then process templates.
    	-->
    	<xsl:template match="/">
    		<HTTPRequestChange>
    			<xsl:apply-templates />
    
    			<!--  Perform Object Name processing here. Output should be in the form
    				<ObjectName>VALUE</ObjectName>
    			if required. -->
    		</HTTPRequestChange>
    	</xsl:template>
    
    	<xsl:template match="//HTTPRequest/Headers">
    		<xsl:choose>
    			<xsl:when test="Header/@name='X-Forwarded-Proto'" />
    			<xsl:otherwise>
    				<Header action="add" name="X-Forwarded-Proto"><xsl:value-of select="//HTTPRequest/Scheme"/></Header>
    			</xsl:otherwise>
    		</xsl:choose>
    	</xsl:template>
    </xsl:stylesheet>
    The snippet above will simply set the "X-Forwarded-Proto" header based on the incoming request scheme (http or https).

    Then in the reverse proxy configuration, add the following:
    [http-transformations]
    x_forwarded_proto = x_forwarded_proto.xml
    
    [http-transformations:x_forwarded_proto]
    request-match = request:[vhostj]* /*

    Hope it helps.

    ------------------------------
    Dries Eestermans
    IS4U
    ------------------------------
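A Python model of the two mechanisms discussed in posts 2 and 4, added here as an example and not IBM's or either poster's code: the [header-names] httphdr{...} copy (including the missing-header tag, assumed here to be NOT_FOUND, which is the Not_Found / NOT%5FFOUND value reported later in the thread) and the add-if-absent logic of the XSLT rule above. The HTTPRequest documents are constructed from the element names the rule itself references, and the '+' append join format is an assumption.

```python
import xml.etree.ElementTree as ET

MISSING_TAG = "NOT_FOUND"  # assumed [server] tag-value-missing-attr-tag value


def header_names_httphdr(request_headers: dict, source: str, target: str) -> dict:
    """Emulate 'httphdr{source} = target' from the [header-names] stanza.

    When the source header is absent the missing-attribute tag is inserted,
    which is what produces Not_Found for a header the client never sent.
    A '+' prefix on target appends instead of overwriting (join format assumed).
    """
    value = request_headers.get(source, MISSING_TAG)
    out = dict(request_headers)
    if target.startswith("+"):
        name = target[1:]
        out[name] = f"{out[name]}, {value}" if name in out else value
    else:
        out[target] = value
    return out


def transformation_rule(http_request_xml: str) -> list:
    """Emulate the XSLT above: return the <Header action="add"> entries it emits."""
    root = ET.fromstring(http_request_xml)
    headers = root.find("Headers")
    if any(h.get("name") == "X-Forwarded-Proto" for h in headers.findall("Header")):
        return []  # xsl:when branch: an existing header is left untouched
    return [("add", "X-Forwarded-Proto", root.findtext("Scheme"))]  # xsl:otherwise


def effective_proto(http_request_xml: str) -> str:
    """X-Forwarded-Proto value the junction sees once the rule has run."""
    root = ET.fromstring(http_request_xml)
    for h in root.find("Headers").findall("Header"):
        if h.get("name") == "X-Forwarded-Proto":
            return h.text  # whatever arrived in front of WebSEAL passes through
    return transformation_rule(http_request_xml)[0][2]


# Constructed HTTPRequest documents in the shape the XSLT references.
REQ_NO_HEADER = """<HTTPRequest><Scheme>https</Scheme><Headers>
<Header name="Host">app.example.test</Header></Headers></HTTPRequest>"""
REQ_FROM_LB = """<HTTPRequest><Scheme>https</Scheme><Headers>
<Header name="Host">app.example.test</Header>
<Header name="X-Forwarded-Proto">https</Header></Headers></HTTPRequest>"""
REQ_CLIENT_SUPPLIED = """<HTTPRequest><Scheme>https</Scheme><Headers>
<Header name="X-Forwarded-Proto">http</Header></Headers></HTTPRequest>"""
```

The third request shows the caveat the later replies circle around: a value already present in the request passes through unchanged, so the header is only as trustworthy as the hop in front of WebSEAL that sets it.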



  • 5.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Mon October 14, 2019 12:35 PM
    Edited by Thomas Renner Mon October 14, 2019 12:36 PM
    Hello Dries,
    thank you for your alternative solution. But normally we should get the header from our LB. We will check this again before we plan to use transformation rules :).
    Best regards
    Thomas

    ------------------------------
    Thomas Renner
    ------------------------------



  • 6.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Tue October 15, 2019 04:34 AM
    Edited by Jens Petersen Tue October 15, 2019 04:39 AM
    Hi Thomas,
    did you check whether the F5 sends X-Forwarded-Proto? I think it's sending X-Forwarded-For. So if you want the original client address in X-Forwarded-Proto, your mapping in webseal.conf should look like this:
    httphdr{X-Forwarded-For} = +X-Forwarded-Proto

    Anyway, if it's an intranet client you'll get the proxy address. Getting the original address would need the proxy configured to send X-Forwarded-For and the F5 to extract X-Forwarded-For into X-Forwarded-Proto. Then again, if an internet client hits the F5 it won't have an X-Forwarded-For. So your F5 guys need to add an iRule to the LB populating the header with the correct value.

    best,
    jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 7.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Tue May 12, 2020 04:51 PM
    Hello Thomas,
    Did you ever get this to work? I've a similar requirement and adding httphdr{X-Forwarded-Proto} = X-Forwarded-Proto in webseal.conf is setting it as NOT%5FFOUND.

    Please let me know if/how it worked for you.

    ------------------------------
    Manish Sethi
    ------------------------------



  • 8.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Wed May 13, 2020 06:17 AM
    Hi Manish,

    So in our case we solved it through the security restriction that HTTP communication is not allowed, and the application needs to upgrade to SSL (HTTPS) in that case.

    ------------------------------
    Thomas Renner
    ------------------------------



  • 9.  RE: ISAM WebSeal: Using of header "X-Forwarded-Proto"

    Posted Wed May 13, 2020 10:01 AM
    Got it. Thanks for the update!

    ------------------------------
    Manish Sethi
    ------------------------------