Understanding The Rewriting Process - Novell ACCESS MANAGER 3.1 SP1 - GATEWAY GUIDE Manual

1.6.1 Understanding the Rewriting Process

The Access Gateway needs to rewrite URL references under the following conditions:

To ensure that URL references contain the proper scheme (HTTP or HTTPS).

If your Web servers and Access Gateway machines are behind a secure firewall, you might not
require SSL sessions between them, and only require SSL between the client browser and the
Access Gateway. For example, an HTML file being accessed through the Access Gateway for
the Web site novell.com might have a URL reference to http://novell.com/path/image1.jpg. If
the reverse proxy for novell.com/path is using SSL sessions between the browser and Access
Gateway, the URL reference http://novell.com/path/image1.jpg must be rewritten to
https://novell.com/path/image1.jpg. Otherwise, when the user clicks this link, the browser
bounces between HTTP and HTTPS to establish a new SSL session.

To ensure that URL references containing private IP addresses or private DNS names are
changed to the published DNS name of the Access Gateway or hosts.

For example, suppose that a company has an internal Web site named data.com, and wants to
expose this site to Internet users through the Access Gateway by using a published DNS name
of novell.com. Many of the HTML pages on this Web site have URL references that contain the
private DNS name, such as http://data.com/imagel.jpg. Because Internet users are unable to
resolve data.com/imagel.jpg, links using this URL reference would return DNS errors in the
browser.

The HTML rewriter can resolve this issue. The DNS name field in the Access Gateway
configuration is set to novell.com, which users can resolve through a public DNS server to the
Access Gateway. The rewriter parses the Web page, and any URL references matching the
private DNS name or private IP address listed in the Web server address field of the Access
Gateway configuration are rewritten to the published DNS name novell.com and the port
number of the Access Gateway.

Rewriting URL references addresses two issues: 1) URL references that are unreachable
because they use private DNS names or IP addresses become accessible, and 2) private IP
addresses and DNS names, which might be sensitive information, are not exposed.

To ensure that the Host header in incoming HTTP packets contains the name understood by the
internal Web server.

Using the example in Figure 1-3 on page 41, suppose that the internal Web server expects all
HTTP or HTTPS requests to have the Host field set to data.com. When users send requests
using the published DNS name novell.com/path, the Host field of the packets in those requests
received by the Access Gateway is set to novell.com. The Access Gateway can be configured
to rewrite this public name to the private name expected by the Web server by setting the Web
Server Host Name option to data.com. Before the Access Gateway forwards packets to the Web
server, the Host field is changed (rewritten) from novell.com to data.com. For information
about configuring this option, see "Configuring the Web Servers of a Proxy Service" on
page 18.

The rewriter searches for URLs in the following HTML contexts. They must meet the following
criteria to be rewritten:

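The three rewrites described in this section (scheme, private name to published name, and the Host header), as an added example that is not Novell's rewriter or code from the manual: a simplified regex model, plus a check for private names that remain in a body after rewriting. The function names, the address 10.0.0.5 and the sample page are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration using the names from the text above.
PUBLISHED_NAME = "novell.com"             # "DNS name" field of the gateway
PUBLISHED_SCHEME = "https"                # SSL between browser and gateway
PRIVATE_HOSTS = {"data.com", "10.0.0.5"}  # "Web server address" entries (IP is made up)
WEB_SERVER_HOST_NAME = "data.com"         # "Web Server Host Name" option

ABSOLUTE_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def rewrite_url(url):
    """Rewrite one absolute URL reference found in a response body."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return url                        # malformed reference: pass through
    host = (parts.hostname or "").lower()
    if host != PUBLISHED_NAME and host not in PRIVATE_HOSTS:
        return url                        # reference to some other site
    # Published name plus the gateway's scheme; the default port 443 is implied.
    return urlunsplit((PUBLISHED_SCHEME, PUBLISHED_NAME,
                       parts.path, parts.query, parts.fragment))

def rewrite_body(html):
    """Apply rewrite_url to every absolute http(s) URL in the body."""
    return ABSOLUTE_URL.sub(lambda m: rewrite_url(m.group(0)), html)

def rewrite_request_headers(headers):
    """Swap the published name in Host for the name the Web server expects."""
    out = dict(headers)
    if out.get("Host", "").split(":")[0].lower() == PUBLISHED_NAME:
        out["Host"] = WEB_SERVER_HOST_NAME
    return out

def leaked_private_names(body):
    """Private names still visible in a rewritten body, for a post-deploy check."""
    return sorted(h for h in PRIVATE_HOSTS
                  if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w-])", body))

# Constructed sample page; the script string has no scheme, so it is not rewritten.
SAMPLE = ('<img src="http://data.com/imagel.jpg">'
          '<a href="http://novell.com/path/image1.jpg">img</a>'
          '<script>var api = "data.com/api";</script>')

if __name__ == "__main__":
    body = rewrite_body(SAMPLE)
    print(body)
    print(rewrite_request_headers({"Host": "novell.com"}))
    print("still exposed:", leaked_private_names(body))
```

In this model the scheme-less string in the script block is left untouched, which is the kind of residue the check reports.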