3 Replies Latest reply on Apr 24, 2013 11:47 PM by feickholt

    HTTP Header modification (especially HOST Part)

    feickholt

We use PAT on our Checkpoint FW to select different source Internet IP addresses for outgoing connections. We need this for a special piece of software.

       

      What do we expect:

       

http://www.a.com should be accessed with different source IP addresses

       

So we build a rule for setting the port (in this example I use a fixed port number; in reality we use some information to calculate it)

       

      url.port = 30071

       

Now the proxy connects to the server using port 30071.

       

The FW uses PAT to translate this => source A connects to the URL using port 80 (url.port 30072 will use source B, port 80, and so on).

       

      On most servers this works great.

       

On some servers we receive an error.

Reason: in the HTTP header the Host part is set to www.a.com:30071

       

The server ignores that the packet was received on port 80. It sends a code 302 (page moved to www.a.com). Now the client sends the request again and the proxy modifies the port again to 30071.... result: LOOP

       

I find no way to change the Host part to a value without port information without losing the possibility to send the packet to port 30071.

       

The other solution might be to set the URI value to an absolute value. Then the server must ignore the Host part (as defined in HTTP 1.1). But I find no way to change this part.

       

      Any suggestions?

        • 1. Re: HTTP Header modification (especially HOST Part)
          feickholt

I found a way to modify the URI value, but unfortunately the proxy encodes the URL.

If I set url.path to the whole URL, the HTTP GET contains the whole URL but the : is encoded to %3a.

           

          Anyway to change this?

           

Here is a simulation using telnet.

First using %3A in the GET (encoded):

          ---------------------------------------------------------------------------

          telnet 12.161.242.20 30071

          Trying 12.161.242.20...

          Connected to 12.161.242.20.

          Escape character is '^]'.

          GET http%3A//onlinelibrary.wiley.com/ HTTP/1.1

          Host: onlinelibrary.wiley.com:30071

          Connection: close

          User-Agent: Mozilla

           

          HTTP/1.1 400 Bad Request

          Set-Cookie: OLProdServerID=1026; domain=.wiley.com;path=/

          Date: Wed, 24 Apr 2013 08:37:35 GMT

          Server: Apache

          Content-Length: 226

          Connection: close

          ------------------------------------------------------------------

Here using : (unencoded):

           

          telnet 12.161.242.20 30071

          Trying 12.161.242.20...

          Connected to 12.161.242.20.

          Escape character is '^]'.

          GET http://onlinelibrary.wiley.com/ HTTP/1.1

          Host: onlinelibrary.wiley.com:30071

          Connection: close

          User-Agent: Mozilla

           

           

          HTTP/1.1 200 OK

          Set-Cookie: OLProdServerID=1027; domain=.wiley.com;path=/

          Date: Wed, 24 Apr 2013 08:38:48 GMT

          Server: Apache-Coyote/1.1

          Pragma: no-cache

           

Message edited by feickholt on 24.04.13 03:49:00 CDT
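The two telnet runs above, together with the 302 loop in the original post, are all consequences of how an HTTP/1.1 server derives the "effective request URI" (RFC 7230 section 5.5): an absolute-form request-target takes precedence over the Host header, an origin-form target ("/...") falls back to Host (including its port), and a request-target that is neither, such as one whose scheme contains a percent-encoded colon, is malformed and draws a 400. The following Python script is an added example written for this page, not code from the thread or from the proxy vendor; the three sample requests are constructed to mirror the cases discussed, and the "server port mismatch" check is a simplification of what a canonicalising front end (the 302 behaviour described above) does, not a model of any particular product.

```python
"""Derive the effective request URI of an HTTP/1.1 request the way
RFC 7230 section 5.5 prescribes, and show how the proxy's Host:host:port
and URL-encoded absolute-form rewrites look from the server's side.

Added example for this forum thread; the sample requests are constructed.
"""
import re
from urllib.parse import urlsplit

# RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by
# "://". A percent sign is not a scheme character, so "http%3A//..." can
# never be parsed as an absolute-form request-target.
_ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_request_head(raw: bytes) -> dict:
    """Split a raw request head (up to the blank line) into its parts."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def effective_request_uri(req: dict, default_scheme: str = "http") -> tuple:
    """Return (scheme, host, port, path).

    absolute-form wins over Host; origin-form uses Host verbatim, port
    included; anything else is a malformed request-target (400).
    """
    target = req["target"]
    if _ABSOLUTE_FORM.match(target):
        parts = urlsplit(target)                      # Host header ignored
        scheme = parts.scheme.lower()
    elif target.startswith("/"):
        host = req["headers"].get("host")
        if not host:
            raise ValueError("400 Bad Request: missing Host header")
        parts = urlsplit(f"{default_scheme}://{host}{target}")
        scheme = default_scheme
    else:
        raise ValueError(f"400 Bad Request: malformed request-target {target!r}")
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    return scheme, parts.hostname, port, parts.path or "/"


def strip_port(host_value: str) -> str:
    """Drop ':port' from a Host value; bracketed IPv6 literals are kept whole."""
    if host_value.startswith("["):
        return host_value.split("]", 1)[0] + "]"
    return host_value.split(":", 1)[0]


def server_sees_port_mismatch(req: dict, listen_port: int) -> bool:
    """True when the authority the server derives names a port other than
    the one the connection arrived on (after PAT: 80). A server that
    canonicalises on this condition answers with the 302 from the thread."""
    _, _, port, _ = effective_request_uri(req)
    return port != listen_port


# Constructed samples modelled on the requests in the thread (not captures).
ORIGIN_FORM_WITH_PORT = (
    b"GET / HTTP/1.1\r\nHost: www.a.com:30071\r\nConnection: close\r\n\r\n"
)
ABSOLUTE_FORM = (
    b"GET http://onlinelibrary.wiley.com/ HTTP/1.1\r\n"
    b"Host: onlinelibrary.wiley.com:30071\r\nConnection: close\r\n\r\n"
)
ENCODED_SCHEME = (
    b"GET http%3A//onlinelibrary.wiley.com/ HTTP/1.1\r\n"
    b"Host: onlinelibrary.wiley.com:30071\r\nConnection: close\r\n\r\n"
)


def classify(raw: bytes, listen_port: int = 80) -> str:
    """'ok', 'mismatch' (redirect loop candidate) or '400'."""
    req = parse_request_head(raw)
    try:
        return "mismatch" if server_sees_port_mismatch(req, listen_port) else "ok"
    except ValueError:
        return "400"


if __name__ == "__main__":
    for name, raw in [("origin-form, Host with port", ORIGIN_FORM_WITH_PORT),
                      ("absolute-form, unencoded", ABSOLUTE_FORM),
                      ("absolute-form, %3A scheme", ENCODED_SCHEME)]:
        print(f"{name}: {classify(raw)}")
```

Run as-is it prints `mismatch`, `ok`, `400` for the three cases, which is the sequence the thread observed: the first case is what drives the 302 loop, the second is why the unencoded absolute-form request got a 200 despite `Host: ...:30071`, and the third is why the encoded `%3A` variant was rejected.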
          • 2. Re: HTTP Header modification (especially HOST Part)
            Jon Scholten

            Hi Feickholt,

             

            Changing the URL.Port will result in the behavior you observed (www.a.com becomes www.a.com:30071).

             

            I think you are going down the wrong path with your second post.

             

            What I would suggest trying is a next hop proxy. This will make the MWG leave the request alone, but make the request to the port you define in the next hop proxy.

             

            Best,

            Jon

            • 3. Re: HTTP Header modification (especially HOST Part)
              feickholt

This may work, but not in our environment.

               

We use this configuration for 200 predefined sites.

               

Each PAT (port -> IP source translation) is able to use every site.

               

We use this to identify intranet user groups on special Internet sites we have to pay for. Using their logs we can distribute the costs. (I know, a very special solution.)