<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
I spent several hours on this a couple of weeks ago trying to get it to work. I finally gave up and configured MidPoint to do its own SSL, then put Apache in front of it as a proxy (because I wanted to listen on port 443, but didn’t want to run MidPoint as root). That works, though it’s a hack. But since MidPoint “knows” that it’s running using SSL, it doesn’t try to rewrite the URLs back to HTTP.
<div class=""><br class="">
</div>
<div class="">In order to get SSL to work, I had to add my own self-signed cert to MidPoint’s keystore, then put the following in the application.yml file:</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">server.port: 8443</div>
<div class="">server.ssl.key-store: /midpoint/var/keystore.jceks</div>
<div class="">server.ssl.key-store-password: xxxxxxxxx</div>
<div class="">server.ssl.keyStoreType: jceks</div>
<div class="">server.ssl.keyAlias: tomcat</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Aug 26, 2019, at 5:08 AM, Ramón Cahenzli <<a href="mailto:ramon.cahenzli@zhdk.ch" class="">ramon.cahenzli@zhdk.ch</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Hi everyone,<br class="">
<br class="">
It seems I spoke too soon when I said reverse proxying midPoint now<br class="">
works for us. I've talked about this earlier and Stacy Brock had a<br class="">
solution for Apache that seemed to work:<br class="">
<br class="">
 RewriteEngine on<br class="">
 RewriteRule ^/$ /midpoint/ [R,L]<br class="">
 RewriteRule ^/midpoint$ /midpoint/ [R,L]<br class="">
<br class="">
 ProxyPreserveHost on<br class="">
 RequestHeader set X-Forwarded-Proto https<br class="">
 RequestHeader set X-Forwarded-Port 443<br class="">
 ProxyPass "/midpoint/" "<a href="http://127.0.0.1:8080/midpoint/" class="">http://127.0.0.1:8080/midpoint/</a>"<br class="">
 ProxyPassReverse "/midpoint/" "<a href="http://127.0.0.1:8080/midpoint/" class="">http://127.0.0.1:8080/midpoint/</a>"<br class="">
 # midPoint can be slow to respond, so we set the timeout to 10 minutes<br class="">
 ProxyTimeout 600<br class="">
<br class="">
But midPoint itself still generates redirects to HTTP on port 80<br class="">
instead of using the information from X-Forwarded-Proto and<br class="">
X-Forwarded-Port as instructed.<br class="">
<br class="">
In application.yml we configure:<br class="">
<br class="">
server.address: 127.0.0.1<br class="">
server.port: 8080<br class="">
server.session.timeout: 60<br class="">
server.use-forward-headers: true<br class="">
server.tomcat.internal-proxies: 127.0.0.1<br class="">
server.tomcat.protocol-header: X-Forwarded-Proto<br class="">
server.tomcat.protocol-header-https-value: https<br class="">
server.tomcat.port-header: X-Forwarded-Port<br class="">
<br class="">
Yet we see midPoint redirecting to <a href="http://.../dashboard" class="">http://.../dashboard</a> and<br class="">
<a href="http://.../login" class="">http://.../login</a> on, as on the screenshot. When port 80 is closed,<br class="">
users can't log in. midPoint seems to ignore<br class="">
server.tomcat.protocol-header and<br class="">
server.tomcat.protocol-header-https-value.<br class="">
<br class="">
The config information is from here:<br class="">
<br class="">
<a href="https://wiki.evolveum.com/display/midPoint/Using+MidPoint+with+embedded+Tomcat" class="">https://wiki.evolveum.com/display/midPoint/Using+MidPoint+with+embedded+Tomcat</a><br class="">
<br class="">
Incidentally, there is an error in that example (the block on line<br class="">
78-87 should be indented under server.tomcat.accesslog) but I can<br class="">
create a Jira ticket for that.<br class="">
<br class="">
Any ideas what we could do to address the issue? We want midPoint to<br class="">
know that it needs to stay on HTTPS and not generate redirects to :80.<br class="">
<br class="">
Cheers,<br class="">
<br class="">
-- <br class="">
—<br class="">
—<br class="">
Zürcher Hochschule der Künste<br class="">
Zurich University of the Arts<br class="">
—<br class="">
Ramón Cahenzli, MSc.<br class="">
IT Architect<br class="">
—<br class="">
Pfingstweidstrasse 96, Postfach, 8031 Zürich<br class="">
Tel. +41 43 446 31 63, Fax +41 43 446 45 21<br class="">
ramon.cahenzli@zhdk.ch<br class="">
—<br class="">
http://www.zhdk.ch<br class="">
http://itz.zhdk.ch<br class="">
<span id="cid:CFAD4A8C-70EA-4F81-831B-1328E5F2142F@burnaby.sfu.ca"><reverse_proxy_midpoint.png></span>_______________________________________________<br class="">
midPoint mailing list<br class="">
midPoint@lists.evolveum.com<br class="">
http://lists.evolveum.com/mailman/listinfo/midpoint<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<div class=""><b style="font-family: Calibri, sans-serif; font-size: 15px;" class="">Steve Hillman </b><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><br class="">
</span><span style="font-size: 9pt; font-family: Arial, sans-serif;" class="">IT Architect | IT Services</span><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><br class="">
</span><span style="font-size: 9pt; font-family: Arial, sans-serif;" class="">SH1032 | Simon Fraser University </span><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><br class="">
</span><span style="font-size: 9pt; font-family: Arial, sans-serif;" class="">8888 University Dr., Burnaby, B.C. V5A 1S6</span><br class="">
T: 778.782.3960 | M: 604.306.3366 | <a href="http://www.sfu.ca/itservices" class="">
www.sfu.ca/itservices</a><br class="">
Twitter: @sfu_it </div>
<br class="">
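<div class="">Editor's note (added to this archived thread; not code from either poster, from midPoint, or from Tomcat): the redirect behaviour both messages describe comes from the RemoteIpValve that <code>server.use-forward-headers: true</code> switches on in embedded Tomcat. The valve only honours <code>X-Forwarded-Proto</code>/<code>X-Forwarded-Port</code> when the TCP peer matches <code>server.tomcat.internal-proxies</code>; otherwise the headers are ignored and the app builds <code>http://host:8080/...</code> redirects exactly as Ramón saw. The model below reproduces that decision so you can check a configuration offline. The host name <code>idm.example.org</code> and the request samples are constructed for the illustration; the property and header names are the ones from the quoted application.yml.</div>

```python
"""Model of Tomcat's RemoteIpValve decision (what Spring Boot's
server.use-forward-headers enables) for the scheme and port midPoint
will use when it generates a redirect.

Added illustration, not midPoint or Tomcat code. Header and property
names follow the thread's application.yml; the host name and sample
requests below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ForwardConfig:
    """Subset of the server.* properties from the quoted application.yml."""
    use_forward_headers: bool = True
    internal_proxies: str = r"127\.0\.0\.1"        # regex, as Tomcat treats it
    protocol_header: str = "X-Forwarded-Proto"
    protocol_header_https_value: str = "https"
    port_header: str = "X-Forwarded-Port"
    listen_port: int = 8080                        # server.port
    https_port: int = 443                          # assumed when proto says https
    http_port: int = 80                            # assumed when proto says http


def effective_origin(remote_addr, headers, cfg):
    """Return (scheme, port) the application believes it was reached on.

    remote_addr: IP of the TCP peer (the proxy, or a direct client).
    headers: dict of request header name -> value; lookup is case-insensitive,
    as it is in Tomcat.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, port = "http", cfg.listen_port
    if not cfg.use_forward_headers:
        return scheme, port
    # Trust boundary: only a peer matching internal-proxies may rewrite
    # scheme/port. Anyone else could forge X-Forwarded-* and make the app
    # emit attacker-chosen absolute URLs in Location headers.
    if not re.fullmatch(cfg.internal_proxies, remote_addr):
        return scheme, port
    proto = h.get(cfg.protocol_header.lower())
    if proto is not None:
        if proto.strip().lower() == cfg.protocol_header_https_value.lower():
            scheme, port = "https", cfg.https_port
        else:
            scheme, port = "http", cfg.http_port
    forwarded_port = h.get(cfg.port_header.lower())
    if forwarded_port is not None and forwarded_port.strip().isdigit():
        port = int(forwarded_port.strip())
    return scheme, port


def redirect_location(host, path, remote_addr, headers, cfg):
    """Absolute URL the app would put in a Location header (ProxyPreserveHost
    means `host` is the public name the browser used)."""
    scheme, port = effective_origin(remote_addr, headers, cfg)
    default = {"http": 80, "https": 443}[scheme]
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


if __name__ == "__main__":
    cfg = ForwardConfig()
    fwd = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    # Proxy on loopback, headers set by Apache: redirect stays on HTTPS.
    print(redirect_location("idm.example.org", "/midpoint/login",
                            "127.0.0.1", fwd, cfg))
    # Same headers but the peer is not a trusted proxy: headers are ignored.
    print(redirect_location("idm.example.org", "/midpoint/login",
                            "10.0.0.5", fwd, cfg))
```

Run this with the address Apache actually connects from and the exact header names it sends; if the first call prints an <code>http://...:8080</code> URL in your variant, the mismatch is in <code>internal-proxies</code> or the header name, not in midPoint. Steve's workaround sidesteps the whole decision: when Tomcat terminates TLS itself, <code>scheme</code> is <code>https</code> before the valve ever runs.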
</div>
</body>
</html>