[LON-CAPA-admin] running loncapa behind nginx reverse proxy
Todd Pfaff
pfaff at rhpcs.mcmaster.ca
Sun Sep 12 18:06:49 EDT 2021
Hi Stuart,

Thanks for your reply. I've read your May 4, 2021, post and the bug id
6914 text. While I understand what you're saying there, I don't think it
completely answers my questions about what should be in the lonTabs files,
and why some of the LON-CAPA page links are using the back-end hostname
while others are using the front-end.

However, related to what you write about HTTP_X_FORWARDED_FOR, something
that we do on all of our Apache back-end servers that are behind our
common Nginx reverse-proxy front-end is to add configuration for
mod_remoteip so that Apache logs record the real client IP address, and
Apache IP access restrictions work as expected. This is likely something
else that should always be added to a LON-CAPA host behind a WAF, and it's
something I've already done on our LON-CAPA 2.11.3 deployment and it
appears to be doing what I expected - i.e. the LON-CAPA Apache logging is
showing the real client IP address instead of the IP address of the WAF.

Maybe it will help if I'm a bit more specific about our case. We have a
single LON-CAPA server host named loncapa01.rhpcs.mcmaster.ca. That is
the "back-end" host. We have the hostname loncapa.mcmaster.ca as a DNS
alias for our WAF front-end (i.e. our Nginx reverse proxy host). We want
all access to LON-CAPA to be via https://loncapa.mcmaster.ca and to be
reverse-proxy-passed to the loncapa01.rhpcs.mcmaster.ca back-end. For the
most part this is all working fine but I find some of the LON-CAPA html
pages get written to use the back-end hostname, and those links don't work
properly. So I'm wondering how to avoid the back-end hostname being used
in these links.

I'm also wondering if I should be using the back-end or front-end hostname
in these lonTabs/ files:

currhostips.tab
dns_hosts.tab
hosts.tab
serverhomeIDs.tab

Currently I'm using the back-end hostname in all of them and I suspect
that's what is causing some of the links to be written using that
hostname. I don't remember exactly why, years ago, I used the back-end
hostname in those files, and I'm worried that if I change them now to use
the front-end hostname I may break something with LON-CAPA.

Or is there some other LON-CAPA setting somewhere that would solve this
problem?

Todd

On Sun, 12 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:
> Todd,
>
> I posted to this mailing list in May 2021 about using a Web Application Firewall/Reverse Proxy with LON-CAPA
>
> See: mail.lon-capa.org/pipermail/lon-capa-admin/2021-May/003475.html
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
> ________________________________________
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Todd Pfaff via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
> Sent: Sunday, September 12, 2021 5:38 PM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
>
> I posted this question back in 2019:
>
> http://mail.lon-capa.org/pipermail/lon-capa-admin/2019-October/003406.html
>
> but got no response so I'm trying again.
>
> We run an Nginx reverse proxy front-end server where we do all of our ssl
> termination and proxy to various back-end hosts for various web services.
> Our LON-CAPA server is one of those back-ends.
>
> I want all access to LON-CAPA to use the front-end hostname so that it
> goes through our nginx front-end but I find that some of the LON-CAPA page
> links are being written using the name of the back-end host.
>
> What do I need to tweak to avoid some of the LON-CAPA html hrefs being
> written using the back-end hostname?
>
> What hostname should be in the various lonTabs files: the front-end
> hostname or the back-end hostname?
>
> Thanks,
> Todd
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>
>
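
The mod_remoteip arrangement described in the message above, written out as an added example; it is not part of the original post and is not LON-CAPA's own configuration. The proxy address 192.0.2.10, the 198.51.100.0/24 range, the `/restricted-example` location, the log format name and the module path are constructed placeholders, and the nginx front end is assumed to set X-Forwarded-For on every proxied request.

```apache
# Added example. Addresses, paths and names are placeholders, not values
# taken from the mailing-list post.
#
# Assumed nginx side (front end), shown here only as a comment:
#   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# nginx appends the address it saw to whatever the client sent, so the
# right-most entry in the header is the one written by the proxy.

# Module path differs between distributions.
LoadModule remoteip_module modules/mod_remoteip.so

# Header that carries the original client address.
RemoteIPHeader X-Forwarded-For

# Honour that header only when the TCP peer is the reverse proxy itself.
# mod_remoteip reads the header from right to left and stops at the first
# address that is not a listed proxy, so with one proxy listed the value
# used is the entry nginx appended, not anything the client supplied.
# A request arriving from any other peer keeps its connection address.
RemoteIPInternalProxy 192.0.2.10

# Weak variant, kept commented out for contrast: listing a whole network
# lets every host on it assert an arbitrary client address.
# RemoteIPInternalProxy 10.0.0.0/8

# %a is the client address after mod_remoteip has run; %{c}a is the
# address of the underlying connection (the proxy), kept for audit.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" proxied
CustomLog logs/access_log proxied

# "Require ip" is evaluated against the address mod_remoteip resolved,
# so restrictions apply to the real client rather than to the proxy.
<Location "/restricted-example">
    Require ip 198.51.100.0/24
</Location>
```

Logging both `%a` and `%{c}a` makes it easy to spot requests that reached the back end without passing through the front end, since the two fields are then identical.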