[LON-CAPA-admin] running loncapa behind nginx reverse proxy

Todd Pfaff pfaff at rhpcs.mcmaster.ca
Sun Sep 12 18:06:49 EDT 2021


Hi Stuart,

Thanks for your reply.  I've read your May 4, 2021, post and the bug id 
6914 text.  While I understand what you're saying there, I don't think it 
completely answers my questions about what should be in the lonTabs files, 
and why some of the LON-CAPA page links are using the back-end hostname 
while others are using the front-end.

However, related to what you write about HTTP_X_FORWARDED_FOR, something 
that we do on all of our Apache back-end servers that are behind our 
common Nginx reverse-proxy front-end is to add configuration for 
mod_remoteip so that Apache logs record the real client IP address, and 
Apache IP access restrictions work as expected.  This is likely something 
else that should always be added to a LON-CAPA host behind a WAF, and it's 
something I've already done on our LON-CAPA 2.11.3 deployment and it 
appears to be doing what I expected - i.e. the LON-CAPA Apache logging is 
showing the real client IP address instead of the IP address of the WAF.


Maybe it will help if I'm a bit more specific about our case.  We have a 
single LON-CAPA server host named loncapa01.rhpcs.mcmaster.ca.  That is 
the "back-end" host.  We have the hostname loncapa.mcmaster.ca as a DNS 
alias for our WAF front-end (i.e. our Nginx reverse proxy host).  We want 
all access to LON-CAPA to be via https://loncapa.mcmaster.ca and to be 
reverse-proxy-passed to the loncapa01.rhpcs.mcmaster.ca back-end.  For the 
most part this is all working fine but I find some of the LON-CAPA html 
pages get written to use the back-end hostname, and those links don't work 
properly.  So I'm wondering how to avoid the back-end hostname being used 
in these links.

I'm also wondering if I should be using the back-end or front-end hostname 
in these lonTabs/ files:

currhostips.tab
dns_hosts.tab
hosts.tab
serverhomeIDs.tab

Currently I'm using the back-end hostname in all of them and I suspect 
that's what is causing some of the links to be written using that 
hostname.  I don't remember exactly why, years ago, I used the back-end 
hostname in those files, and I'm worried that if I change them now to use 
the front-end hostname I may break something with LON-CAPA.

Or is there some other LON-CAPA setting somewhere that would solve this 
problem?

Todd


On Sun, 12 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:

> Todd,
>
> I posted to this mailing list in May 2021 about using a Web Application Firewall/Reverse Proxy with LON-CAPA.
>
> See: mail.lon-capa.org/pipermail/lon-capa-admin/2021-May/003475.html
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
> ________________________________________
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Todd Pfaff via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
> Sent: Sunday, September 12, 2021 5:38 PM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
>
> I posted this question back in 2019:
>
> http://mail.lon-capa.org/pipermail/lon-capa-admin/2019-October/003406.html
>
> but got no response so I'm trying again.
>
> We run an Nginx reverse proxy front-end server where we do all of our ssl
> termination and proxy to various back-end hosts for various web services.
> Our LON-CAPA server is one of those back-ends.
>
> I want all access to LON-CAPA to use the front-end hostname so that it
> goes through our nginx front-end but I find that some of the LON-CAPA page
> links are being written using the name of the back-end host.
>
> What do I need to tweak to avoid some of the LON-CAPA html hrefs being
> written using the back-end hostname?
>
> What hostname should be in the various lonTabs files: the front-end
> hostname or the back-end hostname?
>
> Thanks,
> Todd
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>
>
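
A back-end Apache 2.4 fragment for the mod_remoteip arrangement described in the message above, as an added example (not the poster's configuration and not part of LON-CAPA). It assumes mod_remoteip is already loaded; the proxy address 192.0.2.10, the log format name, the log path and the restricted location are placeholders.

```apache
# --- Weak: header named, but no proxy restricted -------------------------
# RemoteIPHeader X-Forwarded-For
# The mod_remoteip documentation warns that without RemoteIPInternalProxy or
# RemoteIPTrustedProxy the header is trusted from any host that sends it, so
# a client reaching the back-end directly could choose its own logged address.

# --- Corrected: accept the header only from the reverse proxy ------------
# Header the front-end is assumed to set, e.g. in nginx:
#   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
RemoteIPHeader X-Forwarded-For

# Placeholder address of the Nginx front-end as seen by this back-end.
# Connections from any other peer keep their own socket address.
RemoteIPInternalProxy 192.0.2.10

# %a     = client address after mod_remoteip has processed the header
# %{c}a  = underlying peer of the TCP connection (the proxy), kept so that
#          requests that bypassed the front-end stand out in the log
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied_combined
CustomLog "logs/access_log" proxied_combined

# IP-based access rules are evaluated against the rewritten client address,
# so the range below (placeholder) refers to real clients, not to the proxy.
<Location "/restricted-example">
    Require ip 198.51.100.0/24
</Location>
```

Firewalling the back-end so that only the front-end can connect to it closes the direct path altogether; the `%{c}a` column then serves as a check that this holds.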

