[LON-CAPA-admin] running loncapa behind nginx reverse proxy
raeburn at msu.edu
Sun Sep 12 20:51:30 EDT 2021
> .. configuration for mod_remoteip so that Apache logs record the
> real client IP address, and Apache IP access restrictions work as expected.
> This is likely something else that should always be added to a LON-CAPA
> host behind a WAF,
As described in the documentation for WAF/Reverse Proxy support in LON-CAPA, at msuoutreach.loncapa.org/adm/help/Domain_Configuration_WAF_Proxy.hlp , a Domain Coordinator will have the option of setting the configuration for use of (a) mod_remoteip, (b) headers parsed by LON-CAPA, or (c) neither.
> I'm also wondering if I should be using the back-end or front-end hostname
> in these lonTabs/ files ...
For these four files:
the entries in currhostips.tab and serverhomeIDs.tab are written by the nightly run of /home/httpd/perl/loncron (run as user www) based on what is in hosts.tab and what is retrieved from the authoritative "DNS" server for the LON-CAPA cluster to which your LON-CAPA server belongs.
Accordingly, currhostips.tab and serverhomeIDs.tab are not files that need to be edited.
LON-CAPA would expect "back-end" hostnames in hosts.tab and dns_hosts.tab.
In the case of a single standalone LON-CAPA library server the second line of hosts.tab and the single line in dns_hosts.tab should be the same, since for a standalone library server the server is its own "DNS" server, i.e., the first line in hosts.tab will point at the server's own hostname.
When a LON-CAPA server is part of a cluster of LON-CAPA nodes then the hostnames in hosts.tab (and dns_hosts.tab on a LON-CAPA "DNS" server in the cluster) must be the actual hostnames, since "internal" LON-CAPA connections (which use port 5663) are likely not supported when routed via the WAF/Reverse Proxy.
In addition, content replication between LON-CAPA nodes, which uses LWP web requests, requires that the LWP request made to another LON-CAPA node is to the IP address of the actual server (and is identified as originating from the actual IP address of the LON-CAPA server making the request).
> For the most part this is all working fine but I find some of the LON-CAPA
> html pages get written to use the back-end hostname, and those links don't
> work properly.
In the comments I posted to bug 6914 to document LON-CAPA perl module version changes needed to support WAF functionality I see a total of 36 files required modification. I expect some of those changes address the problem of broken links in some pages when a WAF/reverse proxy is in use with the current 2.11.2 or 2.11.3 LON-CAPA release.
Although a standalone LON-CAPA library server does not need to connect to other LON-CAPA nodes, use of "front-end" hostnames in hosts.tab and dns_hosts.tab might compromise security.
The "front-end" hostname: loncapa.mcmaster.ca resolves to IP address: 184.108.40.206,
but that IP address is a pointer for five different web sites.
LON-CAPA Academic Consortium
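The mod_remoteip configuration mentioned above (option (a) in the WAF/Reverse Proxy documentation, and what Todd describes doing on his back-end servers) is easy to get subtly wrong: Apache must be told *which* peer is allowed to supply X-Forwarded-For, otherwise anything that can reach the back end directly can choose the address that ends up in the logs and in "Require ip" decisions. The following Apache 2.4 snippet is an added example, not part of this thread and not LON-CAPA's own configuration; the proxy address 10.0.0.10, the restricted path /restricted and the network 192.0.2.0/24 are constructed placeholders.

```apache
# Added example (not from the thread or from LON-CAPA): mod_remoteip for a
# LON-CAPA back end that only receives client traffic via one nginx
# reverse proxy.  10.0.0.10 is a placeholder for the proxy's address.
# On most distributions mod_remoteip is already loaded; otherwise:
LoadModule remoteip_module modules/mod_remoteip.so

# Weak setting (do not use): naming the header without naming a proxy.
# If the back end is reachable other than through the proxy, the TCP
# peer can supply its own X-Forwarded-For value and will be logged, and
# evaluated by "Require ip", as that value.
#
#   RemoteIPHeader X-Forwarded-For
#   (no RemoteIPInternalProxy / RemoteIPTrustedProxy directive)

# Corrected setting: only believe X-Forwarded-For when the TCP peer is the
# nginx host.  mod_remoteip walks the header from right to left and stops
# at the first address that is not a listed proxy, so that address becomes
# the client address regardless of what a client put further left.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.10

# %a is the client address after mod_remoteip's substitution; %{c}a is the
# underlying TCP peer (the proxy), logged alongside it so the two can be
# compared when troubleshooting.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog logs/access_log proxied

# IP-based access control now applies to the real client, not the proxy.
# (/restricted and 192.0.2.0/24 are constructed placeholders.)
<Location "/restricted">
    Require ip 192.0.2.0/24
</Location>
```

The corresponding nginx side is the usual `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the location that proxies to the LON-CAPA host. Two checks are worth making after enabling this: confirm from a request through the proxy that the `%a` field shows your workstation's address while `%{c}a` shows the proxy, and confirm that the back end's port 443 is not reachable from anywhere except the proxy, since the trust granted by RemoteIPInternalProxy is only meaningful if no other peer can present the header.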
From: Todd Pfaff <pfaff at rhpcs.mcmaster.ca>
Sent: Sunday, September 12, 2021 6:06 PM
To: Raeburn, Stuart; lon-capa-admin at mail.lon-capa.org
Subject: Re: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
Thanks for your reply. I've read your May 4, 2021, post and the bug id
6914 text. While I understand what you're saying there, I don't think it
completely answers my questions about what should be in the lonTabs files,
and why some of the LON-CAPA page links are using the back-end hostname
while others are using the front-end.
However, related to what you write about HTTP_X_FORWARDED_FOR, something
that we do on all of our Apache back-end servers that are behind our
common Nginx reverse-proxy front-end is to add configuration for
mod_remoteip so that Apache logs record the real client IP address, and
Apache IP access restrictions work as expected. This is likely something
else that should always be added to a LON-CAPA host behind a WAF, and it's
something I've already done on our LON-CAPA 2.11.3 deployment and it
appears to be doing what I expected - i.e. the LON-CAPA Apache logging is
showing the real client IP address instead of the IP address of the WAF.
Maybe it will help if I'm a bit more specific about our case. We have a
single LON-CAPA server host named loncapa01.rhpcs.mcmaster.ca. That is
the "back-end" host. We have the hostname loncapa.mcmaster.ca as a DNS
alias for our WAF front-end (i.e. our Nginx reverse proxy host). We want
all access to LON-CAPA to be via https://loncapa.mcmaster.ca and to be
reverse-proxy-passed to the loncapa01.rhpcs.mcmaster.ca back-end. For the
most part this is all working fine but I find some of the LON-CAPA html
pages get written to use the back-end hostname, and those links don't work
properly. So I'm wondering how to avoid the back-end hostname being used
in these links.
I'm also wondering if I should be using the back-end or front-end hostname
in these lonTabs/ files:
Currently I'm using the back-end hostname in all of them and I suspect
that's what is causing some of the links to be written using that
hostname. I don't remember exactly why, years ago, I used the back-end
hostname in those files, and I'm worried that if I change them now to use
the front-end hostname I may break something with LON-CAPA.
Or is there some other LON-CAPA setting somewhere that would solve this
On Sun, 12 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:
> I posted to this mailing list in May 2021 about using a Web Application Firewall/Reverse Proxy with LON-CAPA
> See: mail.lon-capa.org/pipermail/lon-capa-admin/2021-May/003475.html
> Stuart Raeburn
> LON-CAPA Academic Consortium
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Todd Pfaff via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
> Sent: Sunday, September 12, 2021 5:38 PM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
> I posted this question back in 2019:
> but got no response so I'm trying again.
> We run an Nginx reverse proxy front-end server where we do all of our ssl
> termination and proxy to various back-end hosts for various web services.
> Our LON-CAPA server is one of those back-ends.
> I want all access to LON-CAPA to use the front-end hostname so that it
> goes through our nginx front-end but I find that some of the LON-CAPA page
> links are being written using the name of the back-end host.
> What do I need to tweak to avoid some of the LON-CAPA html hrefs being
> written using the back-end hostname?
> What hostname should be in the various lonTabs files: the front-end
> hostname or the back-end hostname?
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org