[LON-CAPA-admin] running loncapa behind nginx reverse proxy

Todd Pfaff pfaff at rhpcs.mcmaster.ca
Sun Sep 12 21:34:40 EDT 2021


On Mon, 13 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:

> but that IP address is a pointer for five different web sites.

About two hundred actually, not five.  What's important is that the one 
name, loncapa.mcmaster.ca, served by that front-end IP address is routed 
by the front-end server to the proper back-end server, just as is the case 
for the other 199 sites of all sorts imaginable.

We've been running LON-CAPA this way for several years and it has worked 
well enough as is so I'm not in a rush to change anything.  I'm happy to 
hear that you've got changes in the pipeline to support this sort of 
configuration and that will eventually smooth out some of the rough edges 
in our deployment.

--
Todd Pfaff <pfaff at mcmaster.ca>
Technical Director
Research & High-Performance Computing Support
https://rhpcs.mcmaster.ca/



On Mon, 13 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:

> Todd,
>
>>
>> .. configuration for mod_remoteip so that Apache logs record the
>> real client IP address, and Apache IP access restrictions work as expected.
>> This is likely something else that should always be added to a LON-CAPA
>> host behind a WAF,
>>
>
> As described in the documentation for WAF/Reverse Proxy support in LON-CAPA, at msuoutreach.loncapa.org/adm/help/Domain_Configuration_WAF_Proxy.hlp , a Domain Coordinator will have the option of setting the configuration for use of (a) mod_remoteip, (b) headers parsed by LON-CAPA, or (c) neither.
>
>>
>> I'm also wondering if I should be using the back-end or front-end hostname
>> in these lonTabs/ files ...
>>
>
> For these four files:
>
> currhostips.tab
> dns_hosts.tab
> hosts.tab
> serverhomeIDs.tab
>
> the entries in currhostips.tab and serverhomeIDs.tab are written by the nightly run of /home/httpd/perl/loncron (run as user www) based on what is in hosts.tab and what is retrieved from the authoritative "DNS" server for the LON-CAPA cluster to which your LON-CAPA server belongs.
>
> Accordingly, currhostips.tab and serverhomeIDs.tab are not files that need to be edited.
>
> LON-CAPA would expect "back-end" hostnames in hosts.tab and dns_hosts.tab
>
> In the case of a single standalone LON-CAPA library server the second line of hosts.tab and the single line in dns_hosts.tab should be the same, since for a standalone library server the server is its own "DNS" server, i.e., the first line in hosts.tab will point at the server's own hostname.
>
> When a LON-CAPA server is part of a cluster of LON-CAPA nodes then the hostnames in hosts.tab (and dns_hosts.tab on a LON-CAPA "DNS" server in the cluster) must be the actual hostnames, since "internal" LON-CAPA connections (which use port 5663) are likely not supported when routed via the WAF/Reverse Proxy.
>
> In addition, content replication between LON-CAPA nodes, which uses LWP web requests, requires that the LWP request made to another LON-CAPA node is to the IP address of the actual server (and is identified as originating from the actual IP address of the LON-CAPA server making the request).
>
>>
>>  For the most part this is all working fine but I find some of the LON-CAPA
>> html pages get written to use the back-end hostname, and those links don't
>> work properly.
>>
>
> In the comments I posted to bug 6914 to document LON-CAPA perl module version changes needed to support WAF functionality I see a total of 36 files required modification.  I expect some of those changes address the problem of broken links in some pages when a WAF/reverse proxy is in use with the current 2.11.2 or 2.11.3 LON-CAPA release.
>
> Although a standalone LON-CAPA library server does not need to connect to other LON-CAPA nodes, use of "front-end" hostnames in hosts.tab and dns_hosts.tab might compromise security.
>
> The "front-end" hostname: loncapa.mcmaster.ca resolves to IP address: 130.113.48.15,
> but that IP address is a pointer for five different web sites.
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
> ________________________________________
> From: Todd Pfaff <pfaff at rhpcs.mcmaster.ca>
> Sent: Sunday, September 12, 2021 6:06 PM
> To: Raeburn, Stuart; lon-capa-admin at mail.lon-capa.org
> Subject: Re: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
>
> Hi Stuart,
>
> Thanks for your reply.  I've read your May 4, 2021, post and the bug id
> 6914 text.  While I understand what you're saying there, I don't think it
> completely answers my questions about what should be in the lonTabs files,
> and why some of the LON-CAPA page links are using the back-end hostname
> while others are using the front-end.
>
> However, related to what you write about HTTP_X_FORWARDED_FOR, something
> that we do on all of our Apache back-end servers that are behind our
> common Nginx reverse-proxy front-end is to add configuration for
> mod_remoteip so that Apache logs record the real client IP address, and
> Apache IP access restrictions work as expected.  This is likely something
> else that should always be added to a LON-CAPA host behind a WAF, and it's
> something I've already done on our LON-CAPA 2.11.3 deployment and it
> appears to be doing what I expected - i.e. the LON-CAPA Apache logging is
> showing the real client IP address instead of the IP address of the WAF.
>
>
> Maybe it will help if I'm a bit more specific about our case.  We have a
> single LON-CAPA server host named loncapa01.rhpcs.mcmaster.ca.  That is
> the "back-end" host.  We have the hostname loncapa.mcmaster.ca as a DNS
> alias for our WAF front-end (i.e. our Nginx reverse proxy host).  We want
> all access to LON-CAPA to be via https://loncapa.mcmaster.ca and to be
> reverse-proxy-passed to the loncapa01.rhpcs.mcmaster.ca back-end.  For the
> most part this is all working fine but I find some of the LON-CAPA html
> pages get written to use the back-end hostname, and those links don't work
> properly.  So I'm wondering how to avoid the back-end hostname being used
> in these links.
>
> I'm also wondering if I should be using the back-end or front-end hostname
> in these lonTabs/ files:
>
> currhostips.tab
> dns_hosts.tab
> hosts.tab
> serverhomeIDs.tab
>
> Currently I'm using the back-end hostname in all of them and I suspect
> that's what is causing some of the links to be written using that
> hostname.  I don't remember exactly why, years ago, I used the back-end
> hostname in those files, and I'm worried that if I change them now to use
> the front-end hostname I may break something with LON-CAPA.
>
> Or is there some other LON-CAPA setting somewhere that would solve this
> problem?
>
> Todd
>
>
> On Sun, 12 Sep 2021, Raeburn, Stuart via LON-CAPA-admin wrote:
>
>> Todd,
>>
>> I posted to this mailing list in May 2021 about using a Web Application Firewall/Reverse Proxy with LON-CAPA
>>
>> See: mail.lon-capa.org/pipermail/lon-capa-admin/2021-May/003475.html
>>
>> Stuart Raeburn
>> LON-CAPA Academic Consortium
>> ________________________________________
>> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Todd Pfaff via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
>> Sent: Sunday, September 12, 2021 5:38 PM
>> To: lon-capa-admin at mail.lon-capa.org
>> Subject: [LON-CAPA-admin] running loncapa behind nginx reverse proxy
>>
>> I posted this question back in 2019:
>>
>> http://mail.lon-capa.org/pipermail/lon-capa-admin/2019-October/003406.html
>>
>> but got no response so I'm trying again.
>>
>> We run an Nginx reverse proxy front-end server where we do all of our ssl
>> termination and proxy to various back-end hosts for various web services.
>> Our LON-CAPA server is one of those back-ends.
>>
>> I want all access to LON-CAPA to use the front-end hostname so that it
>> goes through our nginx front-end but I find that some of the LON-CAPA page
>> links are being written using the name of the back-end host.
>>
>> What do I need to tweak to avoid some of the LON-CAPA html hrefs being
>> written using the back-end hostname?
>>
>> What hostname should be in the various lonTabs files: the front-end
>> hostname or the back-end hostname?
>>
>> Thanks,
>> Todd
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>>
>>
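The thread above turns on two things the back-end must get right once it sits behind nginx: which X-Forwarded-For entries it may believe, and therefore whose address ends up in the Apache logs and in IP access restrictions. The following is an added illustration written for this page, not code from LON-CAPA or from either poster, of the rule mod_remoteip applies when RemoteIPHeader X-Forwarded-For is combined with RemoteIPInternalProxy: walk the header from right to left, adopting an entry only while the hop that wrote it is a trusted proxy, and stop at the first untrusted address. It assumes the nginx front-end lives in 192.0.2.0/28 and appends to the header (nginx's $proxy_add_x_forwarded_for behaviour); the client addresses and the "10.0.0.0/8" ACL are constructed for the example. The naive alternative that believes the leftmost entry is shown beside it so the bypass is visible.

```python
"""Resolving the real client IP behind a reverse proxy, the way mod_remoteip
does: walk X-Forwarded-For right to left, stopping at the first untrusted hop.
Added example for this page; addresses below are constructed."""
import ipaddress

# Assumption for the illustration: the nginx front-end sits in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def parse_xff(header):
    """Split X-Forwarded-For into addresses, left (oldest) to right (newest).
    Unparseable entries become None so they can never match a trusted network."""
    entries = []
    for raw in header.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(ipaddress.ip_address(raw))
        except ValueError:
            entries.append(None)
    return entries


def is_trusted(addr, trusted):
    return addr is not None and any(addr in net for net in trusted)


def real_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Start from the TCP peer. While that hop is a trusted proxy, the rightmost
    remaining X-Forwarded-For entry is the address it saw; adopt it and repeat.
    The first untrusted hop is the client, whatever it wrote further left."""
    current = ipaddress.ip_address(peer_ip)
    chain = parse_xff(xff_header or "")
    while chain and is_trusted(current, trusted):
        hop = chain.pop()
        if hop is None:
            break  # garbage behind a trusted proxy: keep the last trustworthy hop
        current = hop
    return str(current)


def naive_client_ip(peer_ip, xff_header):
    """The common mistake: believe the leftmost X-Forwarded-For entry."""
    chain = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    return chain[0] if chain else peer_ip


def acl_allows(client_ip, allowed_nets):
    """An Apache-style 'Require ip' check against the resolved client address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_nets)


def apache_log_line(peer_ip, xff_header, request):
    """What the access log records once the client IP replaces the proxy's."""
    return f"{real_client_ip(peer_ip, xff_header)} - - {request}"


if __name__ == "__main__":
    # Constructed request: the client at 203.0.113.5 forges a header, nginx
    # appends the address it actually saw, Apache sees the proxy as TCP peer.
    peer, xff = "192.0.2.10", "10.0.0.1, 203.0.113.5"
    for label, fn in (("naive", naive_client_ip), ("trusted-hops", real_client_ip)):
        ip = fn(peer, xff)
        print(f"{label:13s} client={ip:13s} allowed={acl_allows(ip, ['10.0.0.0/8'])}")
    print(apache_log_line(peer, xff, '"GET /adm/roles HTTP/1.1" 200'))
```

Run directly, the naive resolver accepts the forged 10.0.0.1 and passes the internal-network ACL, while the trusted-hop resolver reports 203.0.113.5 and denies it; a header presented straight to the back-end by an untrusted peer is ignored entirely, which is the property RemoteIPInternalProxy gives Apache and which option (b) "headers parsed by LON-CAPA" has to provide for itself.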