
 How to prevent overwriting of http header "host" in xslt stylesheet?

Andreas Brand posted Fri November 07, 2025 08:14 AM
Hi
 
I have a working processing rule with an AAA action. The implemented stylesheet connects to an auth service and uses it to check the credentials.
 
As I said, this works without any problems.
 
The auth service is now being changed, and an http header “host: auth” must be included for the connection.
With the following adjustment (http-headers="HeaderValues") in the DataPower XSLT stylesheet, the HTTP header can be set, but the host entry is replaced by DataPower with the target host:
 
<!-- Set HTTP headers -->
<xsl:variable name="HeaderValues">
  <header name="Host">"auth"</header>
  <header name="Test">"Test"</header>
</xsl:variable>
 
<!-- See https://www.ibm.com/docs/en/datapower-gateway/10.5.x?topic=elements-dpurl-open -->
<dp:url-open
    target="https://..."
    ssl-proxy="client:..."
    http-headers="$HeaderValues"
    response="responsecode" >
 
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Body>
etc.
    </S:Body>
</S:Envelope>
</dp:url-open>
etc.
   
 
The http header “Test” is set, as is the http header “Host,” but for the http header “Host,” DataPower replaces “auth” with the target host. I was able to verify this using Packet Capture.
 
How can I prevent the host name from being rewritten? 
 
The firmware is IDG.10.5.0.19.
Best regards, 
Andreas
Joseph Morgan IBM Champion

I'm not sure if your example somehow got disconnected from your description, but, you're saying "...DataPower replaces 'xyz' with the target host."  Do you mean it replaces "auth" with the target host?

Andreas Brand

Oops, I wanted to correct that... sorry, yes, auth is replaced with targethost.
I have modified the original text.

Joseph Morgan IBM Champion

OK, so, it has been a while since I had to do this, but, it seems to me I ended up "tricking" it, and can't remember exactly how.

What comes to mind, though, is to use a load balancer group with "masquerade as group name" turned on.   You may only have a single member, but the "host" will be whatever the LBG name is.

Andreas Brand

That's a really cool idea. I didn't know about that parameter, but I'll be happy to try it out.

Andreas Brand

That worked!

An excerpt from Wireshark:

POST /target-URL HTTP/1.1
Connection: Keep-Alive
Host: auth
Content-Length: 3418

<?xml version="1.0" encoding="UTF-8"?>

Wonderful trick :) 


Have a nice weekend

Andreas