Operation behind Reverse Proxy or similar

author	version	line-number	content
1	If the application server (e.g. Apache Tomcat) on which {{formcycle/}} is installed is running behind another server, e.g. a reverse proxy, a load balancer or similar, it should be checked that the information of a request is passed on to it unchanged. In concrete terms this means that both the //Host// header and the protocol used must be passed on unchanged by the intermediate servers. In most standard configurations, however, this is not the case because the requests are received by the intermediate server and sent to the application server as a new request.
2
3	{{figure image="proxy_en.jpg"}}
4	Manipulation of the host and the protocol by a reverse proxy.
5	{{/figure}}
6
7	The problematic scenario (see figure) is the following:
8
9	1. The user calls the URL {{code language="none"}}https://www.example.com/formcycle{{/code}}.
10	1. The request is received and evaluated by the intermediate server.
11	1. The intermediate server makes a new request to the designated server. However, since an internal request is made here, the call URL is changed to {{code language="none"}}http://192.168.0.1/formcycle{{/code}}. This URL now arrives at the application server and no longer contains the required information about which URL was actually called by the user.
12
13	{{info}}
14	Since {{formcycle/}} interprets the original request URL of the user, especially when logging into a form, and this URL may not be determined correctly, it is necessary to configure intermediate servers accordingly. Make sure that both the HTTP header //Host// and the protocol used (//HTTP //or //HTTPS//) are forwarded unchanged. Also, the correct forwarding of WebSocket connections must be provided. Alternatively to the concret protocols, the intermediate server can also use //X-Forwarded// headers to indicate which protocol the request used originally.
15	{{/info}}
16
17	== Example configuration Apache ==
18
19	For the correct configuration of an Apache server, which acts as a reverse proxy, three points are relevant and have to be stored e.g. in the configuration of the VirtualHosts:
20
21	1. The instruction {{code language="none"}}ProxyPreserveHost On{{/code}} to get the originally called //Host// header
22	1. The separation of the individual protocols and its usage when forwarding to the application server. This means that for //HTTP// and //HTTPS// a separate VirtualHost with appropriate configuration must be used.
23	1. Configuration of the conditional RewriteRule for the forwarding of WebSocket connections via WS and WSS. By default, FORMCYCLE uses the corresponding ports of the servlet container (WS port = HTTP port, WSS port = HTTPS port).
24
25	This configuration, as well as any settings that may be necessary when using self-generated certificates, is briefly illustrated here:
26
27	(((
28	{{code language="none"}}
29	<VirtualHost www.example.com:80>
30	...
31	# Enables retention of the originally called host up to the application server.
32	ProxyPreserveHost On
33	...
34	# Forwarding via HTTP
35	ProxyPass / http://192.168.0.1/
36	ProxyPassReverse / http://192.168.0.1/
37	...
38	# Forwarding of websocket-connections via WS
39	RewriteEngine on
40	RewriteCond %{HTTP:Upgrade} websocket [NC]
41	RewriteCond %{HTTP:Connection} upgrade [NC]
42	RewriteRule ^/?(.*) "ws://192.168.0.1:80/$1" [P,L]
43	</VirtualHost>
44
45	<IfModule mod_ssl.c>
46	<VirtualHost www.example.com:443>
47	...
48	SSLEngine on
49	SSLProxyEngine On
50	...
51	# Enables retention of the originally called host up to the application server.
52	ProxyPreserveHost On
53
54	# Deactivates the certificate check of the application server if necessary.
55	# Necessary if the certificates are self-created.
56	SSLProxyVerify none
57	SSLProxyCheckPeerCN off
58	SSLProxyCheckPeerName off
59	SSLProxyCheckPeerExpire off
60	...
61	# Forwarding via HTTPS
62	ProxyPass / https://192.168.0.1/
63	ProxyPassReverse / https://192.168.0.1/
64	...
65	# Forwarding of websocket-connections via WSS
66	RewriteEngine on
67	RewriteCond %{HTTP:Upgrade} websocket [NC]
68	RewriteCond %{HTTP:Connection} upgrade [NC]
69	RewriteRule ^/?(.*) "wss://192.168.0.1:443/$1" [P,L]
70	</VirtualHost>
71	</IfModule>
72	{{/code}}
73	)))
74
75	== Usage of //X-Forwarded// headers for unencrypted communication ==
76
77	If the intermediate server supports sending //X-Forwarded// headers and the servlet container which hosts {{formcycle/}} can evaluate these headers, the communication between the intermediate server and {{formcycle/}} can also be done via another protocol. Both the intermediate server and the servlet container must be configured to use these headers. For more information on configuration, refer to the documentation of the respective product.
78
79	=== Configuration examples ===
80
81	With //Apache//, for example, the following configuration inside the responsible //VirtualHost//s can be used to include the appropriate headers:
82
83	{{code language="none"}}
84	//HTTP
85	RequestHeader set X-Forwarded-Port "80"
86	RequestHeader set X-Forwarded-Proto "http"
87
88	//HTTPS
89	RequestHeader set X-Forwarded-Port "443"
90	RequestHeader set X-Forwarded-Proto "https"
91	{{/code}}
92
93	With //nginx//, for example, the following configuration can be used to send the corresponding headers in the section responsible for the reverse proxy:
94
95	{{code language="none"}}
96	proxy_pass http://127.0.0.1:8080/formcycle/;
97	proxy_set_header Host $http_host;
98	proxy_set_header x-real-ip $remote_addr;
99	proxy_set_header x-forwarded-proto $scheme;
100	{{/code}}
101
102	For //Apache Tomcat// servers, the following valve entry must be added to the {{code language="none"}}server.xml{{/code}} within the //catalina// engine to evaluate the sent //X-Forwarded// headers:
103
104	{{code language="none"}}
105	<Engine......
106	<Valve className="org.apache.catalina.valves.RemoteIpValve"
107	remoteIpHeader="x-forwarded-for"
108	protocolHeader="x-forwarded-proto"
109	protocolHeaderHttpsValue="https" />
110	</Engine>
111	{{/code}}

1

If the application server (e.g. Apache Tomcat) on which {{formcycle/}} is installed is running behind another server, e.g. a reverse proxy, a load balancer or similar, it should be checked that the information of a request is passed on to it unchanged. In concrete terms this means that both the //Host// header and the protocol used must be passed on unchanged by the intermediate servers. In most standard configurations, however, this is not the case because the requests are received by the intermediate server and sent to the application server as a new request.

2

3

4

Manipulation of the host and the protocol by a reverse proxy.

5

6

7

The problematic scenario (see figure) is the following:

8

9

1. The user calls the URL {{code language="none"}}https://www.example.com/formcycle{{/code}}.

10

1. The request is received and evaluated by the intermediate server.

11

1. The intermediate server makes a new request to the designated server. However, since an internal request is made here, the call URL is changed to {{code language="none"}}http://192.168.0.1/formcycle{{/code}}. This URL now arrives at the application server and no longer contains the required information about which URL was actually called by the user.

12

13

14

Since {{formcycle/}} interprets the original request URL of the user, especially when logging into a form, and this URL may not be determined correctly, it is necessary to configure intermediate servers accordingly. Make sure that both the HTTP header //Host// and the protocol used (//HTTP //or //HTTPS//) are forwarded unchanged. Also, the correct forwarding of WebSocket connections must be provided. Alternatively to the concret protocols, the intermediate server can also use //X-Forwarded// headers to indicate which protocol the request used originally.

15

16

17

== Example configuration Apache ==

18

19

For the correct configuration of an Apache server, which acts as a reverse proxy, three points are relevant and have to be stored e.g. in the configuration of the VirtualHosts:

20

21

1. The instruction {{code language="none"}}ProxyPreserveHost On{{/code}} to get the originally called //Host// header

22

1. The separation of the individual protocols and its usage when forwarding to the application server. This means that for //HTTP// and //HTTPS// a separate VirtualHost with appropriate configuration must be used.

23

1. Configuration of the conditional RewriteRule for the forwarding of WebSocket connections via WS and WSS. By default, FORMCYCLE uses the corresponding ports of the servlet container (WS port = HTTP port, WSS port = HTTPS port).

24

25

This configuration, as well as any settings that may be necessary when using self-generated certificates, is briefly illustrated here:

(((

...

# Enables retention of the originally called host up to the application server.

32

ProxyPreserveHost On

33

...

34

# Forwarding via HTTP

35

ProxyPass / http://192.168.0.1/

36

ProxyPassReverse / http://192.168.0.1/

37

...

38

# Forwarding of websocket-connections via WS

39

RewriteEngine on

40

RewriteCond %{HTTP:Upgrade} websocket [NC]

41

RewriteCond %{HTTP:Connection} upgrade [NC]

42

RewriteRule ^/?(.*) "ws://192.168.0.1:80/$1" [P,L]

</VirtualHost>

...

SSLEngine on

SSLProxyEngine On

...

# Enables retention of the originally called host up to the application server.

52

ProxyPreserveHost On

53

54

# Deactivates the certificate check of the application server if necessary.

55

# Necessary if the certificates are self-created.

56

SSLProxyVerify none

57

SSLProxyCheckPeerCN off

58

SSLProxyCheckPeerName off

59

SSLProxyCheckPeerExpire off

60

...

61

# Forwarding via HTTPS

62

ProxyPass / https://192.168.0.1/

63

ProxyPassReverse / https://192.168.0.1/

64

...

65

# Forwarding of websocket-connections via WSS

66

RewriteEngine on

67

RewriteCond %{HTTP:Upgrade} websocket [NC]

68

RewriteCond %{HTTP:Connection} upgrade [NC]

69

RewriteRule ^/?(.*) "wss://192.168.0.1:443/$1" [P,L]

</VirtualHost>

</IfModule>

)))

== Usage of //X-Forwarded// headers for unencrypted communication ==

76

77

If the intermediate server supports sending //X-Forwarded// headers and the servlet container which hosts {{formcycle/}} can evaluate these headers, the communication between the intermediate server and {{formcycle/}} can also be done via another protocol. Both the intermediate server and the servlet container must be configured to use these headers. For more information on configuration, refer to the documentation of the respective product.

78

79

=== Configuration examples ===

80

81

With //Apache//, for example, the following configuration inside the responsible //VirtualHost//s can be used to include the appropriate headers:

//HTTP

RequestHeader set X-Forwarded-Port "80"

86

RequestHeader set X-Forwarded-Proto "http"

87

88

//HTTPS

89

RequestHeader set X-Forwarded-Port "443"

90

RequestHeader set X-Forwarded-Proto "https"

91

92

93

With //nginx//, for example, the following configuration can be used to send the corresponding headers in the section responsible for the reverse proxy:

94

95

96

proxy_pass http://127.0.0.1:8080/formcycle/;

97

proxy_set_header Host $http_host;

98

proxy_set_header x-real-ip $remote_addr;

99

proxy_set_header x-forwarded-proto $scheme;

100

101

102

For //Apache Tomcat// servers, the following valve entry must be added to the {{code language="none"}}server.xml{{/code}} within the //catalina// engine to evaluate the sent //X-Forwarded// headers:

<Engine......

<Valve className="org.apache.catalina.valves.RemoteIpValve"

107

remoteIpHeader="x-forwarded-for"

108

protocolHeader="x-forwarded-proto"

109

protocolHeaderHttpsValue="https" />

110

</Engine>

111

Wiki source code of Betrieb hinter Proxy/Load-Balancer o.ä.

Navigation