Thursday, December 22, 2016

Reverse Proxy must not decode Fiori URLs

‘Double Encoding’ issue with Fiori Urls in case of Apache-based Reverse Proxy

The typical infra architecture of an on premisse Fiori deployment includes a reverse proxy that enables access to the Fiori Apps from the internet. A responsibility of the reverse proxy is to forward the received external uri address to the protected internal Fiori resource. The generic pattern here is that the domain part of the external url is mapped to the internal url, and the remainder of the external url is concattenated to the internal url. Some / most reverse proxy products handle encoded special characters in the remainder part, well special, by decoding them before forwarding. However, (a.o.) for Fiori URLs this behaviour is undesired. The encoded characters must be forwarded as is, so that the web dispatcher on Gateway FES can decode them and process the correct decoded uri.
Clarification of the effect due 'double encoding' of Fiori URL:
  1. Browser requests "https://<external-DNS>/sap/opu/odata/UI2/PAGE_BUILDER_PERS/PageSets('%2FUI2%2FFiori2LaunchpadHome')?$expand=Pages/PageChipInstances/Chip/ChipBags/ChipProperties,Pages/PageChipInstances/RemoteCatalog,Pages/PageChipInstances/ChipInstanceBags/ChipInstanceProperties,AssignedPages,DefaultPage&sap-cache-id=...";
  2. SAP Gateway FES returns http error 404;
  3. Error logged on the SAP NetWeaver node is that "http://<SAP web dispatcher / Gateway FES>:8000/sap/opu/odata/UI2/PAGE_BUILDER_PERS/PageSets('%252FUI2%252FFiori2LaunchpadHome')?$expand=Pages/PageChipInstances/Chip/ChipBags/ChipProperties,Pages/PageChipInstances/RemoteCatalog,Pages/PageChipInstances/ChipInstanceBags/ChipInstanceProperties,AssignedPages,DefaultPage&sap-cache-id=..." is an invalid URI