HTTP header fields are components of the message header of requests and responses in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.

The HTTP header requests the field called HOST from the URL which contains the domain name of the server and TCP port number on which the server is listening.

Problem

If external users are able to reach and login to the application but are greeted by no images and formatting issues on the workbench then additional configurations in SAP Sourcing need to be implemented.

Concept

X-original-host and X-forwarded-host are headers additionally created by proxy servers and web-servers to be used by other features including logging, security, etc.  There are a lot of different headers out there and some people have been known to collect them.  In other words, they are added by third party applications, and therefore may have a default value as determined by that application.

Here’s a list of 3 headers commonly seen by our application.

In SAP Sourcing the application interprets incoming requests with the hostname being taken from the first location in the following order;

     1.          HTTP header named in system.http.host_header system property (see parsing below).

          Note: The system property should NOT have an effect if there is no HTTP header with that name or if the header has no value.

     2.          HTTP header named, X-Forwarded-Host (see parsing below).

     3.          HTTP header named, X-Forwarded-Server (see parsing below).

     4.          HTTP header named, X-Original-Host (not parsed – should be a single value).

     5.          Value returned by HTTPServletRequest.getServerName() method (not parsed – should be a single value) which can be found in the  debug trace.

Parsing

The values of the headers specified above can have multiple values specified as a comma-separated list. This should only happen if multiple reverse proxies are between the user and the application. The first value is the outermost proxy server crossed. The second value is the next proxy encountered and so on. The value the application uses is the first in the list.

If the tracing level for com.sap.odp.common.platform.ServletHostInfo is set to DEBUG, then the values for several HTTP headers should be visible in the logs, including the ones mentioned above. Try searching for “X-Forwarded-Host” in the trace files.  The resulting entries will show all of the headers being passed to Sourcing and enable a specific value to be identified that can be used for the system.http.host_header system property. 

For example myprxy_host is set and appears at the Web Proxy.  This is where we enable Sourcing to recognize this header before HOST for incoming requests.

Example

In this diagram you can see the end to end SSL  and the internal/buyside users that are accessing the application via the eso.host.com hostname that is configured in the cluster.int Cluster.  For external users accessing via the hostname eso.prd.company.host.com the proxy at the firewall continues to send over sessions using the external hostname which Sourcing doesn’t recognize as it is responding to the hostname.  This is where the system.http.host_header property comes in.  Setting it to myprxy_host would allow external users to access the system as it is pulling the value set as this and allowing incoming requests to be resolved based on custom value myprxy_host defined at the ‘Web Proxy’ found within the HTTP Header.

Solution

Determine or create a host header in the ‘Web Proxy’ and configure Sourcing by placing the header name within the system property system.http.host_header.

N.B

For non end to end SSL setups see my other blog Making SAP Sourcing work with SSL Termination.