[midPoint] Reverse proxying midPoint no longer works with 3.9

Petr Gašparík - AMI Praha a.s. petr.gasparik at ami.cz
Mon Aug 26 15:40:53 CEST 2019


wiki edited.

--

Best regards,

*Petr Gašparík*
solution architect

gsm: [+420] 603 523 860
e‑mail: petr.gasparik at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz



On Mon, 26 Aug 2019 at 14:09, Ramón Cahenzli <ramon.cahenzli at zhdk.ch> wrote:

> Hi everyone,
>
> It seems I spoke too soon when I said reverse proxying midPoint now
> works for us. I've talked about this earlier and Stacy Brock had a
> solution for Apache that seemed to work:
>
>   RewriteEngine on
>   RewriteRule ^/$ /midpoint/ [R,L]
>   RewriteRule ^/midpoint$ /midpoint/ [R,L]
>
>   ProxyPreserveHost on
>   RequestHeader set X-Forwarded-Proto https
>   RequestHeader set X-Forwarded-Port 443
>   ProxyPass "/midpoint/" "http://127.0.0.1:8080/midpoint/"
>   ProxyPassReverse "/midpoint/" "http://127.0.0.1:8080/midpoint/"
>   # midPoint can be slow to respond, so we set the timeout to 10 minutes
>   ProxyTimeout 600
>
> But midPoint itself still generates redirects to HTTP on port 80
> instead of using the information from X-Forwarded-Proto and
> X-Forwarded-Port as instructed.
>
> In application.yml we configure:
>
> server.address: 127.0.0.1
> server.port: 8080
> server.session.timeout: 60
> server.use-forward-headers: true
> server.tomcat.internal-proxies: 127.0.0.1
> server.tomcat.protocol-header: X-Forwarded-Proto
> server.tomcat.protocol-header-https-value: https
> server.tomcat.port-header: X-Forwarded-Port
>
> Yet we see midPoint redirecting to http://.../dashboard and
> http://.../login on, as on the screenshot. When port 80 is closed,
> users can't log in. midPoint seems to ignore
> server.tomcat.protocol-header and
> server.tomcat.protocol-header-https-value.
>
> The config information is from here:
>
>
> https://wiki.evolveum.com/display/midPoint/Using+MidPoint+with+embedded+Tomcat
>
> Incidentally, there is an error in that example (the block on line
> 78-87 should be indented under server.tomcat.accesslog) but I can
> create a Jira ticket for that.
>
> Any ideas what we could do to address the issue? We want midPoint to
> know that it needs to stay on HTTPS and not generate redirects to :80.
>
> Cheers,
>
> --
>>> Zürcher Hochschule der Künste
> Zurich University of the Arts
>> Ramón Cahenzli, MSc.
> IT Architect
>> Pfingstweidstrasse 96, Postfach, 8031 Zürich
> Tel. +41 43 446 31 63, Fax +41 43 446 45 21
> ramon.cahenzli at zhdk.ch
>> http://www.zhdk.ch
> http://itz.zhdk.ch
>
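
An added example, not part of the original thread and not midPoint or Tomcat code: a simplified Python model of how a backend that honours the forwarded-header settings quoted above would build redirect URLs, together with a check that flags the HTTPS-to-HTTP redirect reported in the thread. The hostname `idm.example.org`, the peer address `10.0.0.5` and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Settings from the application.yml quoted above; Tomcat treats
# internal-proxies as a regular expression matched against the peer address.
INTERNAL_PROXIES = re.compile(r"127.0.0.1")
PROTOCOL_HEADER, HTTPS_VALUE = "X-Forwarded-Proto", "https"
PORT_HEADER = "X-Forwarded-Port"
CONNECTOR_PORT = 8080  # server.port

def effective_origin(peer_ip, headers):
    """(scheme, port) a backend honouring these settings would redirect to."""
    # Forwarded headers count only when the TCP peer is a trusted proxy;
    # otherwise any client could choose the scheme and port of redirects.
    if not INTERNAL_PROXIES.fullmatch(peer_ip) or PROTOCOL_HEADER not in headers:
        return "http", CONNECTOR_PORT
    scheme = "https" if headers[PROTOCOL_HEADER].lower() == HTTPS_VALUE else "http"
    default = 443 if scheme == "https" else 80
    value = headers.get(PORT_HEADER, "")
    return scheme, int(value) if value.isdigit() else default

def redirect_location(peer_ip, headers, path):
    """Absolute Location value for a redirect to `path`."""
    scheme, port = effective_origin(peer_ip, headers)
    # ProxyPreserveHost on means Host still carries the public name.
    host = headers.get("Host", "localhost").split(":")[0]
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"

def is_downgrade(request_url, location):
    """True when a response to an HTTPS request redirects to cleartext HTTP."""
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(location).scheme == "http")

if __name__ == "__main__":
    # Constructed sample request, as the Apache config above would forward it.
    hdrs = {"Host": "idm.example.org", PROTOCOL_HEADER: "https", PORT_HEADER: "443"}
    for peer in ("127.0.0.1", "10.0.0.5"):
        loc = redirect_location(peer, hdrs, "/midpoint/login")
        bad = is_downgrade("https://idm.example.org/midpoint/", loc)
        print(peer, loc, "DOWNGRADE" if bad else "ok")
```

Running `is_downgrade` against the `Location` header of a real response (for instance from `curl -sI`) shows whether the backend is applying the forwarded headers or falling back to plain HTTP.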