[midPoint] Reverse proxying midPoint no longer works with 3.9

Ramón Cahenzli ramon.cahenzli at zhdk.ch
Mon Aug 26 14:08:59 CEST 2019


Hi everyone,

It seems I spoke too soon when I said reverse proxying midPoint now
works for us. I've talked about this earlier and Stacy Brock had a
solution for Apache that seemed to work:

  RewriteEngine on
  RewriteRule ^/$ /midpoint/ [R,L]
  RewriteRule ^/midpoint$ /midpoint/ [R,L]

  ProxyPreserveHost on
  RequestHeader set X-Forwarded-Proto https
  RequestHeader set X-Forwarded-Port 443
  ProxyPass "/midpoint/" "http://127.0.0.1:8080/midpoint/"
  ProxyPassReverse "/midpoint/" "http://127.0.0.1:8080/midpoint/"
  # midPoint can be slow to respond, so we set the timeout to 10 minutes
  ProxyTimeout 600

But midPoint itself still generates redirects to HTTP on port 80
instead of using the information from X-Forwarded-Proto and
X-Forwarded-Port as instructed.

In application.yml we configure:

server.address: 127.0.0.1
server.port: 8080
server.session.timeout: 60
server.use-forward-headers: true
server.tomcat.internal-proxies: 127.0.0.1
server.tomcat.protocol-header: X-Forwarded-Proto
server.tomcat.protocol-header-https-value: https
server.tomcat.port-header: X-Forwarded-Port

Yet we see midPoint redirecting to http://.../dashboard and
http://.../login, as in the screenshot. When port 80 is closed,
users can't log in. midPoint seems to ignore
server.tomcat.protocol-header and
server.tomcat.protocol-header-https-value.

The config information is from here:

https://wiki.evolveum.com/display/midPoint/Using+MidPoint+with+embedded+Tomcat

Incidentally, there is an error in that example (the block on lines
78-87 should be indented under server.tomcat.accesslog), but I can
create a Jira ticket for that.

Any ideas what we could do to address the issue? We want midPoint to
know that it needs to stay on HTTPS and not generate redirects to :80.

Cheers,

-- 
—
Zürcher Hochschule der Künste
Zurich University of the Arts
—
Ramón Cahenzli, MSc.
IT Architect
—
Pfingstweidstrasse 96, Postfach, 8031 Zürich
Tel. +41 43 446 31 63, Fax +41 43 446 45 21
ramon.cahenzli at zhdk.ch
http://www.zhdk.ch
http://itz.zhdk.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: reverse_proxy_midpoint.png
Type: image/png
Size: 25912 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190826/bd1671a8/attachment.png>
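
A check for the symptom described in this message, as an added example that is not part of the original post or of midPoint: it classifies the Location header of redirects observed at the public HTTPS URL and flags those that point back to plain HTTP or off the public origin. The host name idm.example.org and the sample responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def effective_port(parts):
    """Explicit port if present, otherwise the scheme's default."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)

def check_redirect(public_url, status, location):
    """Classify one response observed at the public (proxied) URL."""
    if status not in REDIRECT_CODES or not location:
        return "not-a-redirect"
    pub = urlsplit(public_url)
    # urljoin resolves relative Location values against the requested URL
    target = urlsplit(urljoin(public_url, location))
    if pub.scheme == "https" and target.scheme == "http":
        return "scheme-downgrade"   # the symptom from the message
    if target.hostname != pub.hostname:
        return "host-mismatch"      # backend address leaked into the redirect
    if effective_port(target) != effective_port(pub):
        return "port-mismatch"
    return "ok"

# Constructed sample responses: (requested URL, status, Location header)
BASE = "https://idm.example.org/midpoint/"
SAMPLES = [
    (BASE, 302, "http://idm.example.org/midpoint/login"),
    (BASE, 302, "/midpoint/login"),
    (BASE, 302, "https://idm.example.org/midpoint/login"),
    (BASE, 302, "https://idm.example.org:8080/midpoint/login"),
    (BASE, 302, "https://127.0.0.1/midpoint/login"),
    (BASE + "login", 200, None),
]

def audit(samples):
    """Return only the redirects that take a browser off the public origin."""
    return [(url, loc, verdict) for url, status, loc in samples
            if (verdict := check_redirect(url, status, loc))
            not in ("ok", "not-a-redirect")]

if __name__ == "__main__":
    for url, loc, verdict in audit(SAMPLES):
        print(f"{verdict:17} {url} -> {loc}")
```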