
<html>


<head>


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


</head>


<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">


I spent several hours on this a couple of weeks ago trying to get it to work. I finally gave up and configured MidPoint to do its own SSL, then put Apache in front of it as a proxy (because I wanted to listen on port 443, but didn’t want to run MidPoint as


 root). That works, though it’s a hack. But since MidPoint “knows” that it’s running using SSL, it doesn’t try to rewrite the URLs back to HTTP


<div class=""><br class="">


</div>


<div class="">In order to get SSL to work, I had to add my own self-signed cert to MidPoint’s keystore, then put the following in the application.yml file:</div>


<div class=""><br class="">


</div>


<div class="">


<div class="">server.port: 8443</div>


<div class="">server.ssl.key-store: /midpoint/var/keystore.jceks</div>


<div class="">server.ssl.key-store-password: xxxxxxxxx</div>


<div class="">server.ssl.keyStoreType: jceks</div>


<div class="">server.ssl.keyAlias: tomcat</div>


<div><br class="">


<blockquote type="cite" class="">


<div class="">On Aug 26, 2019, at 5:08 AM, Ramón Cahenzli <<a href="mailto:ramon.cahenzli@zhdk.ch" class="">ramon.cahenzli@zhdk.ch</a>> wrote:</div>


<br class="Apple-interchange-newline">


<div class="">


<div class="">Hi everyone,<br class="">


<br class="">


It seems I spoke too soon when I said reverse proxying midPoint now<br class="">


works for us. I've talked about this earlier and Stacy Brock had a<br class="">


solution for Apache that seemed to work:<br class="">


<br class="">


 RewriteEngine on<br class="">


 RewriteRule ^/$ /midpoint/ [R,L]<br class="">


 RewriteRule ^/midpoint$ /midpoint/ [R,L]<br class="">


<br class="">


 ProxyPreserveHost on<br class="">


 RequestHeader set X-Forwarded-Proto https<br class="">


 RequestHeader set X-Forwarded-Port 443<br class="">


 ProxyPass "/midpoint/" "<a href="http://127.0.0.1:8080/midpoint/" class="">http://127.0.0.1:8080/midpoint/</a>"<br class="">


 ProxyPassReverse "/midpoint/" "<a href="http://127.0.0.1:8080/midpoint/" class="">http://127.0.0.1:8080/midpoint/</a>"<br class="">


 # midPoint can be slow to respond, so we set the timeout to 10 minutes<br class="">


 ProxyTimeout 600<br class="">


<br class="">


But midPoint itself still generates redirects to HTTP on port 80<br class="">


instead of using the information from X-Forwarded-Proto and<br class="">


X-Forwarded-Port as instructed.<br class="">


<br class="">


In application.yml we configure:<br class="">


<br class="">


server.address: 127.0.0.1<br class="">


server.port: 8080<br class="">


server.session.timeout: 60<br class="">


server.use-forward-headers: true<br class="">


server.tomcat.internal-proxies: 127.0.0.1<br class="">


server.tomcat.protocol-header: X-Forwarded-Proto<br class="">


server.tomcat.protocol-header-https-value: https<br class="">


server.tomcat.port-header: X-Forwarded-Port<br class="">


<br class="">


Yet we see midPoint redirecting to <a href="http://.../dashboard" class="">http://.../dashboard</a> and<br class="">


<a href="http://.../login" class="">http://.../login</a> on, as on the screenshot. When port 80 is closed,<br class="">


users can't log in. midPoint seems to ignore<br class="">


server.tomcat.protocol-header and<br class="">


server.tomcat.protocol-header-https-value.<br class="">


<br class="">


The config information is from here:<br class="">


<br class="">


<a href="https://wiki.evolveum.com/display/midPoint/Using+MidPoint+with+embedded+Tomcat" class="">https://wiki.evolveum.com/display/midPoint/Using+MidPoint+with+embedded+Tomcat</a><br class="">


<br class="">


Incidentally, there is an error in that example (the block on line<br class="">


78-87 should be indented under server.tomcat.accesslog) but I can<br class="">


create a Jira ticket for that.<br class="">


<br class="">


Any ideas what we could do to address the issue? We want midPoint to<br class="">


know that it needs to stay on HTTPS and not generate redirects to :80.<br class="">


<br class="">


Cheers,<br class="">


<br class="">


-- <br class="">


—<br class="">


—<br class="">


Zürcher Hochschule der Künste<br class="">


Zurich University of the Arts<br class="">


—<br class="">


Ramón Cahenzli, MSc.<br class="">


IT Architect<br class="">


—<br class="">


Pfingstweidstrasse 96, Postfach, 8031 Zürich<br class="">


Tel. +41 43 446 31 63, Fax +41 43 446 45 21<br class="">


ramon.cahenzli@zhdk.ch<br class="">


—<br class="">


http://www.zhdk.ch<br class="">


http://itz.zhdk.ch<br class="">


<span id="cid:CFAD4A8C-70EA-4F81-831B-1328E5F2142F@burnaby.sfu.ca"><reverse_proxy_midpoint.png></span>_______________________________________________<br class="">


midPoint mailing list<br class="">


midPoint@lists.evolveum.com<br class="">


http://lists.evolveum.com/mailman/listinfo/midpoint<br class="">


</div>


</div>


</blockquote>


</div>


<br class="">


<div class=""><b style="font-family: Calibri, sans-serif; font-size: 15px;" class="">Steve Hillman </b><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><br class="">


</span><span style="font-size: 9pt; font-family: Arial, sans-serif;" class="">IT Architect | IT Services</span><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><br class="">


</span><span style="font-size: 9pt; font-family: Arial, sans-serif;" class="">SH1032 | Simon Fraser University </span><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><br class="">


</span><span style="font-size: 9pt; font-family: Arial, sans-serif;" class="">8888 University Dr., Burnaby, B.C. V5A 1S6</span><br class="">


T: 778.782.3960 | M: 604.306.3366 | <a href="http://www.sfu.ca/itservices" class="">


www.sfu.ca/itservices</a><br class="">


Twitter: @sfu_it </div>


<br class="">


</div>


</body>


</html>