[LON-CAPA-admin] running loncapa behind nginx reverse proxy

Raeburn, Stuart raeburn at msu.edu
Sun Sep 12 20:51:30 EDT 2021


Todd,

>
> .. configuration for mod_remoteip so that Apache logs record the 
> real client IP address, and Apache IP access restrictions work as expected. 
> This is likely something else that should always be added to a LON-CAPA 
> host behind a WAF, 
>

As described in the documentation for WAF/Reverse Proxy support in LON-CAPA, at msuoutreach.loncapa.org/adm/help/Domain_Configuration_WAF_Proxy.hlp , a Domain Coordinator will have the option of setting the configuration for use of (a) mod_remoteip, (b) headers parsed by LON-CAPA, or (c) neither. 

>
> I'm also wondering if I should be using the back-end or front-end hostname
> in these lonTabs/ files ...
>

For these four files:

currhostips.tab
dns_hosts.tab
hosts.tab
serverhomeIDs.tab 

the entries in currhostips.tab and serverhomeIDs.tab are written by the nightly run of /home/httpd/perl/loncron (run as user www) based on what is in hosts.tab and what is retrieved from the authoritative "DNS" server for the LON-CAPA cluster to which your LON-CAPA server belongs.

Accordingly, currhostips.tab and serverhomeIDs.tab are not files that need to be edited.

LON-CAPA would expect "back-end" hostnames in hosts.tab and dns_hosts.tab

In the case of a single standalone LON-CAPA library server the second line of hosts.tab and the single line in dns_hosts.tab should be the same, since for a standalone library server the server is its own "DNS" server, i.e., the first line in hosts.tab will point at the server's own hostname.

When a LON-CAPA server is part of a cluster of LON-CAPA nodes then the hostnames in hosts.tab (and dns_hosts.tab on a LON-CAPA "DNS" server in the cluster) must be the actual hostnames, since "internal" LON-CAPA connections (which use port 5663) are likely not supported when routed via the WAF/Reverse Proxy.  

In addition, content replication between LON-CAPA nodes, which uses LWP web requests, requires that the LWP request made to another LON-CAPA node is to the IP address of the actual server (and is identified as originating from the actual IP address of the LON-CAPA server making the request).

>
>  For the most part this is all working fine but I find some of the LON-CAPA 
> html pages get written to use the back-end hostname, and those links don't 
> work properly. 
>

In the comments I posted to bug 6914 to document LON-CAPA perl module version changes needed to support WAF functionality I see a total of 36 files required modification.  I expect some of those changes address the problem of broken links in some pages when a WAF/reverse proxy is in use with the current 2.11.2 or 2.11.3 LON-CAPA release.

Although a standalone LON-CAPA library server does not need to connect to other LON-CAPA nodes, use of "front-end" hostnames in hosts.tab and dns_hosts.tab might compromise security.

The "front-end" hostname: loncapa.mcmaster.ca resolves to IP address: 130.113.48.15,
but that IP address is a pointer for five different web sites.

Stuart Raeburn
LON-CAPA Academic Consortium
________________________________________
From: Todd Pfaff <pfaff at rhpcs.mcmaster.ca>
Sent: Sunday, September 12, 2021 6:06 PM
To: Raeburn, Stuart; lon-capa-admin at mail.lon-capa.org
Subject: Re: [LON-CAPA-admin] running loncapa behind nginx reverse proxy

Hi Stuart,

Thanks for your reply.  I've read your May 4, 2021, post and the bug id
6914 text.  While I understand what you're saying there, I don't think it
completely answers my questions about what should be in the lonTabs files,
and why some of the LON-CAPA page links are using the back-end hostname
while others are using the front-end.

However, related to what you write about HTTP_X_FORWARDED_FOR, something
that we do on all of our Apache back-end servers that are behind our
common Nginx reverse-proxy front-end is to add configuration for
mod_remoteip so that Apache logs record the real client IP address, and
Apache IP access restrictions work as expected.  This is likely something
else that should always be added to a LON-CAPA host behind a WAF, and it's
something I've already done on our LON-CAPA 2.11.3 deployment and it
appears to be doing what I expected - i.e. the LON-CAPA Apache logging is
showing the real client IP address instead of the IP address of the WAF.


Maybe it will help if I'm a bit more specific about our case.  We have a
single LON-CAPA server host named loncapa01.rhpcs.mcmaster.ca.  That is
the "back-end" host.  We have the hostname loncapa.mcmaster.ca as a DNS
alias for our WAF front-end (i.e. our Nginx reverse proxy host).  We want
all access to LON-CAPA to be via https://loncapa.mcmaster.ca and to be
reverse-proxy-passed to the loncapa01.rhpcs.mcmaster.ca back-end.  For the
most part this is all working fine but I find some of the LON-CAPA html
pages get written to use the back-end hostname, and those links don't work
properly.  So I'm wondering how to avoid the back-end hostname being used
in these links.

I'm also wondering if I should be using the back-end or front-end hostname
in these lonTabs/ files:

currhostips.tab
dns_hosts.tab
hosts.tab
serverhomeIDs.tab

Currently I'm using the back-end hostname in all of them and I suspect
that's what is causing some of the links to be written using that
hostname.  I don't remember exactly why, years ago, I used the back-end
hostname in those files, and I'm worried that if I change them now to use
the front-end hostname I may break something with LON-CAPA.

Or is there some other LON-CAPA setting somewhere that would solve this
problem?

Todd
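Both the mod_remoteip setup Todd describes above and Stuart's option (b), forwarded-for headers parsed by LON-CAPA itself, rest on the same rule: a client-supplied header is only believed when the TCP peer that delivered it is the reverse proxy, otherwise any client could pick its own "real" address and bypass Apache IP access restrictions. The following Python is an added illustration of that rule, not code from LON-CAPA, Apache or this thread; the proxy address 192.0.2.10 and the client addresses are constructed for the example, and the naive variant is shown only to make the difference visible.

```python
import ipaddress

# Constructed for this example: the address of the nginx/WAF front-end.
# In a real deployment this is the proxy's actual address (RemoteIPInternalProxy
# or RemoteIPTrustedProxy in mod_remoteip terms).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr, trusted):
    """True if addr falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr, x_forwarded_for):
    """Weak form: believe the leftmost X-Forwarded-For hop unconditionally.

    Any client that sends its own X-Forwarded-For header can choose the
    address that ends up in the logs and in IP-based access decisions.
    """
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    return hops[0] if hops else remote_addr


def real_client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Hardened form, following the mod_remoteip approach.

    Start from the TCP peer (REMOTE_ADDR) and step back through the
    X-Forwarded-For chain right-to-left, but only while the hop we are
    standing on is a trusted proxy. The first untrusted hop is the client.
    A header arriving directly from a client (peer not trusted) is ignored.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    current = remote_addr
    while hops:
        candidate = hops.pop()          # rightmost entry was added by the nearest proxy
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                       # malformed hop: keep the last trustworthy address
        current = candidate
        if not _is_trusted(candidate, trusted):
            break                       # reached the real client
    return current


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For)
    cases = {
        "direct, no header":            ("203.0.113.5", None),
        "direct, spoofed header":       ("203.0.113.5", "10.0.0.1"),
        "via proxy":                    ("192.0.2.10", "203.0.113.5"),
        "via proxy, spoofed prefix":    ("192.0.2.10", "10.0.0.1, 203.0.113.5"),
        "via proxy, malformed header":  ("192.0.2.10", "not-an-ip"),
    }
    for name, (peer, xff) in cases.items():
        print(f"{name:30} naive={naive_client_ip(peer, xff):12} "
              f"hardened={real_client_ip(peer, xff)}")
```

The "via proxy, spoofed prefix" case is the one that matters for access control: the client prepended 10.0.0.1 to the header before the proxy appended the true peer address, and only the trust-bounded walk returns 203.0.113.5.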


On Sun, 12 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:

> Todd,
>
> I posted to this mailing list in May 2021 about using a Web Application Firewall/Reverse Proxy with LON-CAPA
>
> See: mail.lon-capa.org/pipermail/lon-capa-admin/2021-May/003475.html
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
> ________________________________________
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Todd Pfaff via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
> Sent: Sunday, September 12, 2021 5:38 PM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
>
> I posted this question back in 2019:
>
> http://mail.lon-capa.org/pipermail/lon-capa-admin/2019-October/003406.html
>
> but got no response so I'm trying again.
>
> We run an Nginx reverse proxy front-end server where we do all of our ssl
> termination and proxy to various back-end hosts for various web services.
> Our LON-CAPA server is one of those back-ends.
>
> I want all access to LON-CAPA to use the front-end hostname so that it
> goes through our nginx front-end but I find that some of the LON-CAPA page
> links are being written using the name of the back-end host.
>
> What do I need to tweak to avoid some of the LON-CAPA html hrefs being
> written using the back-end hostname?
>
> What hostname should be in the various lonTabs files: the front-end
> hostname or the back-end hostname?
>
> Thanks,
> Todd
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>
>

