dspace7 installation on remote server with apache

[Paul Warner]

Hi,

My team wants very much to test dspace 7, and I have an installation on a remote server that uses apache as the frontend proxy.  I did this so I can offer the site to my team with ssl/tls.  They cannot get to the command line on the server, and a command line browser (w3m) does not work with angular anyway.  So they need a url that is external.

I have set the rest.cors settings in local.cfg:

rest.cors.allowed-origins = ${dspace.ui.url}

and have set the dspace.ui.url to the url to apache.  I am still getting cors errors in the browser (Firefox).  There are no errors anywhere else in the logs.

Is there a better way to set up dspace 7 so it is visible from a domain externally?

Best regards,

Paul

[Tim Donohue]

Hi Paul,

Could you provide more info on the CORS errors? 

The reason I ask, is that I wonder what URL the backend thinks you are sending requests from.  CORS errors should only occur if the URL sending requests (to the REST API) is *not* listed in the "rest.cors.allowed-origins" setting.  So, that makes me suspect that the UI is sending requests under a URL that is *not* identical to what you set for "dspace.ui.url" in the backend.

Generally speaking, the frontend configuration and backend configuration need to be identical, or you will hit problems.

So, this means, in the Angular UI, the "ui" environment settings:
https://github.com/DSpace/dspace-angular/blob/main/src/environments/environment.common.ts#L10-L16
need to *match* what you configure as "dspace.ui.url" on the backend.

Similar, in the Angular UI, the "rest" environment settings:
https://github.com/DSpace/dspace-angular/blob/main/src/environments/environment.common.ts#L20-L26

need to *match* what you configure as "dspace.server.url" on the backend.

If the "ui" settings don't match, you are likely to end up with CORS errors, as the UI will be sending requests from a slightly different URL and the REST API will block those requests.  This is my _best guess_ at what you might be seeing.

Tim

---

From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of Paul Warner <paulw...@gmail.com>
Sent: Tuesday, August 4, 2020 12:32 AM
To: DSpace Technical Support <dspac...@googlegroups.com>
Subject: [dspace-tech] dspace7 installation on remote server with apache

 

--
All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/ee9bb9f8-117d-4113-a0d3-548861121d45o%40googlegroups.com.

[Paul Warner]

Hi Tim,

The error is:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:8355/server/api/authn/status

So it is the case that tomcat is refusing the connection.

I have tomcat listening only on 127.0.0.1:8355.  And Angular is listening at localhost:4000.

The problem is, I am using apache as a proxy, so I have 3 addresses, these two, plus our domain name.  Apache passes the requests to localhost:4000.  

I have tried plugging the domain name in for the dspace.ui.url.  I get the same CORS error.

How else can I present the app to the outside world?  I do not think pointing the Angular server directly out on our domain name is a good idea, and I do not know how to set up ssh/tls for this server, anyway.  How is one supposed to run this arrangement when one goes live?  I just need to make this instance available for my team to test it.

Best regards, and thanks for the help!

Paul

To unsubscribe from this group and stop receiving emails from it, send an email to dspac...@googlegroups.com.

[Tim Donohue]

Hi Paul,

You may want to leave your "dspace.ui.url" as it is, and directly override "rest.cors.allow-origins" in your local.cfg

By default, "rest.cors.allow-origins" is ONLY the "dspace.ui.url" as noted here:https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/rest.cfg#L10

However, you can provide it a *list* of URLs that you want the REST API to respond to.  So, you could modify it to be something like:

rest.cors.allowed-origins = ${dspace.ui.url}, http://127.0.0.1:8355, http://another.url, https://yetanother.url

The list can include as many URLs as you want.  The key is that it *MUST* include "dspace.ui.url" as one of those URLs.  The other URLs can be whatever you want.

Keep in mind that, as we are still in active development, not all of this is written down. But the expectation is that while *many sites* can leave the "rest.cors.allow-origins" at it's default setting...some sites (especially those using proxies or just wanting several URL to access their REST API for other needs) may need to modify it.

Tim

---

From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of Paul Warner <paulw...@gmail.com>

Sent: Thursday, August 6, 2020 11:27 PM

To: DSpace Technical Support <dspac...@googlegroups.com>

Subject: Re: [dspace-tech] dspace7 installation on remote server with apache

 

To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/806ba430-b794-4490-9e5b-6371e7654819o%40googlegroups.com.

[Paul Warner]

Hi Tim,

Thanks for the info.  I tried using the list for my rest.cors.allow-origins, but I am still getting the cors errors.

rest.cors.allowed-origins = ${dspace.ui.url}, https://repo7-test.amad.org

Is there anything else I can try?  Where can I look to see where things are going wrong? 

Thanks again,

Paul

To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/806ba430-b794-4490-9e5b-6371e7654819o%40googlegroups.com.

[Paul Warner]

Hi Tim,

I got this error message in catalina.out:

java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens

I found this information on stackoverflow:

https://stackoverflow.com/questions/42218237/java-lang-illegalargumentexception-invalid-character-found-in-method-name-http

It indicates that the incoming information, which is encoded for tls/ssl, is not being read correctly by the java.  Does that ring a bell for someone?

Thanks!

Paul

[paulw...@gmail.com]

Hi,

I have removed the ssl from my apache config temporarily, in order to test if there was some problem with the encrypted data coming through to the unencrypted angular and tomcat server instances.  The browser still reports CORS errors as before, and with numerous error messages saying the JSESSIONID is treated as a cross site cookie.  This is with the suggestion from Tim of setting a list of 2 urls in the local.cfg under rest.cors.allow-origins.

rest.cors.allowed-origins = ${dspace.ui.url}, http://repo7-test.amad.org

Note the http in the url, not https, since I removed the ssl

Thanks and best regards,

Paul

[Tim Donohue]

Hi Paul,

Sorry for the delayed response. I'm just getting back from holiday.

I think we'd need to see the *exact* CORS error message you are seeing and whether it has changed.

You also might need to debug the exact requests that are being sent from your Browser to the REST API.  This can be done using your web browser's "Developer Tools" (in Chrome or Firefox type "Ctrl + Shift + I").  In Developer Tools you should be able to watch each request be sent from the Angular UI to the backend REST API...and see what response is returned.

Likely one of the following is happening:
1) The request to the REST API is using an unexpected URL which is NOT listed in "rest.cors.allowed-origins" (in which case, adding it should fix the problem)

2) Or, maybe your Proxy is somehow modifying the request and either removing or changing the "Access-Control-Allow-Origin" header which is set automatically by the REST API.  If that's the case, you'd need to fix your Proxy settings (and I don't have any good advice on how to do that, but I'd be interested to learn what works...in case others find this same issue).

I wish I had better suggestions here. Quite honestly, you are working in a new territory here. We have not tested installing DSpace 7 across two different origins with a proxy.  So, we do not yet have formal installation guide here or formal advice. But, perhaps you can help us improve docs here if you can figure out the issue at hand.

Tim

---

From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of paulw...@gmail.com <paulw...@gmail.com>
Sent: Wednesday, August 19, 2020 11:27 AM

To: DSpace Technical Support <dspac...@googlegroups.com>

To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/5fb220e2-e80d-4741-9bd4-2afc38df704en%40googlegroups.com.

[paulw...@gmail.com]

Hi Tim,

Thanks again for the help!

Here are the error messages when I go to the home page:

Environment: Production app.component.ts:102:12

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/statistics?endpointMap. (Reason: CORS request did not succeed).

2

Error:

Object { headers: {…}, status: 0, statusText: "Unknown Error", url: "http://localhost:8355/server/api/statistics?endpointMap", ok: false, name: "HttpErrorResponse", message: "Http failure response for http://localhost:8355/server/api/statistics?endpointMap: 0 Unknown Error", error: error }

dspace-rest-v2.service.ts:115:16

Object { statusCode: 0, statusText: "Unknown Error", message: "Http failure response for http://localhost:8355/server/api/statistics?endpointMap: 0 Unknown Error" }

response.models.ts:142:12

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/statistics/viewevents. (Reason: CORS request did not succeed).

2

Error:

Object { headers: {…}, status: 0, statusText: "Unknown Error", url: "http://localhost:8355/server/api/statistics/viewevents", ok: false, name: "HttpErrorResponse", message: "Http failure response for http://localhost:8355/server/api/statistics/viewevents: 0 Unknown Error", error: error }

dspace-rest-v2.service.ts:115:16

Object { statusCode: 0, statusText: "Unknown Error", message: "Http failure response for http://localhost:8355/server/api/statistics/viewevents: 0 Unknown Error" }

response.models.ts:142:12

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/authn/status. (Reason: CORS request did not succeed).

This is the error when I try to log in:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/authn/login. (Reason: CORS request did not succeed). 

Here are the errors when I go to community-list:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/core/communities/search/top?page=0&size=50&sort=dc.title,ASC. (Reason: CORS request did not succeed).

2

Error:

Object { headers: {…}, status: 0, statusText: "Unknown Error", url: "http://localhost:8355/server/api/core/communities/search/top?page=0&size=50&sort=dc.title,ASC", ok: false, name: "HttpErrorResponse", message: "Http failure response for http://localhost:8355/server/api/core/communities/search/top?page=0&size=50&sort=dc.title,ASC: 0 Unknown Error", error: error }

dspace-rest-v2.service.ts:115:16

Object { statusCode: 0, statusText: "Unknown Error", message: "Http failure response for http://localhost:8355/server/api/core/communities/search/top?page=0&size=50&sort=dc.title,ASC: 0 Unknown Error" }  

 

These errors are with the https settings in Apache and in local.cfg.

Hope this helps!  Let me know what other leads I can follow...

Thanks,

Paul

[paulw...@gmail.com]

Hi Tim and all,

I have made sure that apache mod_headers is turned on, and have added this line to my virtual host:

Header add "Access-Control-Header-Origin" "*"

I get the same CORS error messages, unfortunately.

I already tried 

Header set "Access-Control-Header-Origin" "*"  

and got the same error messages.

I tried adding a filter to my tomcat web.xml:

 <filter>
       <filter-name>CorsFilter</filter-name>
       <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    </filter>
     <filter-mapping>
       <filter-name>CorsFilter</filter-name>
       <url-pattern>/*</url-pattern>
     </filter-mapping> 

 I am including in the file below the errors listed in Opera's console, which are quite detailed.

Here is Firefox's page explaining the CORS errors:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed?utm_source=devtools&utm_medium=firefox-cors-errors&utm_campaign=default

"What went wrong?

The HTTP request which makes use of CORS failed because the HTTP connection failed at either the network or protocol level. The error is not directly related to CORS, but is a fundamental network error of some kind.

In many cases, it is caused by a browser plugin (e.g. an ad blocker or privacy protector) blocking the request.

Other possible causes include:

• Trying to access an https resource that has an invalid certificate will cause this error.
• Trying to access an http resource from a page with an https origin will also cause this error.
• As of Firefox 68, https pages are not permitted to access http://localhost, although this may be changed by Bug 1488740.
• The server did not respond to the actual request (even if it responded to the Preflight request). One scenario might be an HTTP service being developed that panicked without returning any data."

So I turned off TRACKING in Firefox for my site.  Here are the Firefox errors (the same as before) for the /home page:

GET https://repo7-test.amad.org/assets/images/favicon.ico[HTTP/1.1 502 Proxy Error 0ms]

Environment: Production app.component.ts:102:12

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/authn/status. (Reason: CORS request did not succeed).

2

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/statistics?endpointMap. (Reason: CORS request did not succeed).

2

Error:

Object { headers: {…}, status: 0, statusText: "Unknown Error", url: "http://localhost:8355/server/api/statistics?endpointMap", ok: false, name: "HttpErrorResponse", message: "Http failure response for http://localhost:8355/server/api/statistics?endpointMap: 0 Unknown Error", error: error }

dspace-rest-v2.service.ts:115:16

Object { statusCode: 0, statusText: "Unknown Error", message: "Http failure response for http://localhost:8355/server/api/statistics?endpointMap: 0 Unknown Error" }

response.models.ts:142:12

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8355/server/api/statistics/viewevents. (Reason: CORS request did not succeed).

2

Error:

Object { headers: {…}, status: 0, statusText: "Unknown Error", url: "http://localhost:8355/server/api/statistics/viewevents", ok: false, name: "HttpErrorResponse", message: "Http failure response for http://localhost:8355/server/api/statistics/viewevents: 0 Unknown Error", error: error }

dspace-rest-v2.service.ts:115:16

Object { statusCode: 0, statusText: "Unknown Error", message: "Http failure response for http://localhost:8355/server/api/statistics/viewevents: 0 Unknown Error" }  

It appears from their message above that Firefox does not allow my https site to contact http://localhost.  I do not know how to turn this off.  Maybe I can do that in Chrome.  I will check.

Thanks for help, and best regards,

Paul

[paulw...@gmail.com]

I have a correction to my last email:

The Header command in my apache2 config reads:

Header add "Access-Control-Allow-Origin" "*"

NOT:

Header add "Access-Control-Header-Origin" "*"

as I wrote above...

Sorry for the typo.

Best regards,
Paul  

[paulw...@gmail.com]

Hi again,

I have my tomcat and angular servers listening only on localhost.  But just now, temporarily, I set tomcat to listen on the server ip as well, and I logged in to the HAL Browser.  My login was successful, and I could make various queries to the REST Server successfully, all returning normal, correct results.  I just thought it was worth checking again, since some of the errors (in Opera and Chrome, for instance) came through as "Connection refused".

Best regards,

Paul

[paulw...@gmail.com]

Hi all,

I decided to set up my REST server with its own hostname and https, with a proxy frontend with Apache, just like my angular instance.  I did this because Firefox says that other things can cause CORS errors, including trying to access http:://localhost.  I was doing this from the frontend, as it accessed the REST server.  

Now there are two proxies.  But while the CORS errors are gone, the instances are broken in new ways.  I have played around with the configuration, trying different combinations, but nothing seems to help. The angular frontend displays the top of the page, but cannot bring up anything in the body of the first page, for instance, my two communities.  I cannot log in.  When I go to the REST server, which now has its own domain name, it displays the HAL browser, but will not let me login.  I have left my tomcat setting temporarily in place, in which I can access the REST server in the browser with the machine's ip address and port.  There I can log in.

Ah, I really thought I had something this time...

Best regards,

Paul

[paulw...@gmail.com]

Hello everyone,

Can I just do this like Atmire?  How do they make this work, with what sort of configuration?  

Best regards,

Paul