Installation issue DSpace 7.2 while moving to production environment


Thomas Kilindris

Sep 5, 2022, 3:27:47 PM
to DSpace Technical Support

Hi all,

I'd like to report an issue when moving from a testing environment to production.

 I've successfully installed DSpace 7.2 on Ubuntu 20.04.4 LTS in a local testing environment according to the instructions available at the LYRASIS wiki back in April. Recently I decided to switch to a production environment following the instructions at the LYRASIS wiki.

Package Versions:

Tomcat 9.0.31(Ubuntu)

Jdk java-11-openjdk-amd64

Apache2.4.41 (Ubuntu)

Node.js v16.14.2

I’ve set up two SSL enabled virtual hosts on apache2 to redirect requests to the localhost’s ports as suggested. Both virtual hosts (frontend, backend servers) have the same IP address listening on port 443 on a common IP and a common SSL certificate (see conf file below):

<VirtualHost _default_:443>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/mycert.pem
    SSLCertificateKeyFile /etc/ssl/private/mycert.key

    ProxyPass /server  ajp://localhost:8009/server/
    ProxyPassReverse /server  ajp://localhost:8009/server/

    ProxyPass / http://localhost:4000/
    ProxyPassReverse / http://localhost:4000/

</VirtualHost>

The Tomcat AJP Connector wouldn’t work unless I set the secretRequired to “false”

05-Sep-2022 17:03:48.851 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]] at org.apache.catalina.LifecycleException: Protocol handler start failed

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

 

Setting the secretRequired to false, the AJP Connector works, but the HAL Browser does not display as expected (see link https://photos.app.goo.gl/2YZkZHiqPLnhVPvy8).

Although while accessing localhost:8080/server the HAL browser displays as it should.

Showing only properties section (server name changed for security reasons)

{
  "dspaceUI": "https://myserver.eu",
  "dspaceName": "DSpace at myserver",
  "dspaceServer": "https://myserver.eu/server",
  "dspaceVersion": "DSpace 7.2",
  "type": "root"
}

As a consequence, the frontend responds with Service Unavailable (500) https://photos.app.goo.gl/9hBe4YYbwCSkh9Jw9 and, looking at the browser’s log, there are errors reporting no links available:

hal-endpoint.service.ts:  No _links section found at https://www.myserver.eu/server/api

Error in dspace.log

2022-09-05 18:11:53,345 ERROR unknown unknown org.springframework.boot.web.servlet.support.ErrorPageFilter @ Forwarding to error page from request [/api] due to exception [The request was rejected because the URL contained a potentially malicious String "//"]

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "//"

        at  org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:369) ~[spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]

Did someone else face the same situation? Any solution?

Thank you in advance!

Best regards

Thomas

 

Tim Donohue

Sep 7, 2022, 11:53:25 AM
to Thomas Kilindris, DSpace Technical Support
Hi Thomas,

That "No _links section found" error is almost always the result of a minor misconfiguration.  It essentially means that either the UI cannot "see" your REST API, or your REST API is misconfigured and telling the UI to use a different REST URL.


Based on what you've shared, it's hard to tell where the misconfiguration is.  However, I did notice that you said your REST API is reporting this property...

"dspaceServer": "https://myserver.eu/server",

But, the "No _links section found" error you shared has a slightly different URL of https://www.myserver.eu/server/...

The main difference in those URLs is the "www.".  You need to make sure that the "rest" setting URL in your UI's config.prod.yml matches/corresponds EXACTLY to the "dspace.server.url" in your backend's local.cfg.  Even very small differences like http vs https, or "www." vs no prefix, or even an extra trailing slash (/) can result in miscommunications between the UI and REST API.  

(Essentially the REST API is very strict on which clients it will "trust" for security reasons. This however can mean the configs have to match more strictly)

Hopefully, that gives you some hints to go on.  It does seem like a configuration issue to me, at a glance. But, if you find more information you can share, let us know on this list and we'll see what other advice we can provide.

Tim


Thomas Kilindris

Sep 8, 2022, 5:33:43 PM
to DSpace Technical Support
Hi Tim, 
Thank you for your prompt reply. I am sorry, but my message was a little bit misleading because I manually edited the URL names to generic ones for security reasons, so the URLs are the correct ones. I finally found the problem: it was the / at the end of the URL in the Apache proxy configuration files. Please allow me to repeat the problematic section:

    ProxyPass /server  ajp://localhost:8009/server/
    ProxyPassReverse /server  ajp://localhost:8009/server/

should be:

    ProxyPass /server  ajp://localhost:8009/server
    ProxyPassReverse /server  ajp://localhost:8009/server

Had to read the Apache documentation about the syntax of proxies, although it's correctly shown in the LYRASIS installation instructions! REST API works now and so does the frontend.
Thank you!
Thomas Kilindris
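
Added example, not part of the original thread: a small Python check for the trailing-slash mismatch found above, showing how it yields the "//" that the backend's StrictHttpFirewall rejected. The function names are hypothetical, the prefix substitution is a simplified model of how ProxyPass maps a request path, and the sample config is constructed from the lines quoted in the first post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two /server mappings from the first post (trailing
# slash only on the target) plus the frontend mappings.
SAMPLE_CONF = """\
ProxyPass /server  ajp://localhost:8009/server/
ProxyPassReverse /server  ajp://localhost:8009/server/
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/
"""

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)

def parse_mappings(conf_text):
    """Return (directive, path, target) for each proxy mapping line."""
    matches = (DIRECTIVE.match(line) for line in conf_text.splitlines())
    return [m.groups() for m in matches if m]

def slash_mismatches(conf_text):
    """Mappings to a URL where only one of path/target ends with '/'."""
    return [(d, p, t) for d, p, t in parse_mappings(conf_text)
            if "://" in t and p.endswith("/") != t.endswith("/")]

def backend_url(request_path, conf_text):
    """Simplified model (assumption): the first ProxyPass whose path is a
    prefix of the request, in file order, has that prefix replaced by the target."""
    for d, p, t in parse_mappings(conf_text):
        if d.lower() == "proxypass" and request_path.startswith(p):
            return t + request_path[len(p):]
    return None

def has_double_slash(url):
    """True if the URL path contains '//', the string named in dspace.log."""
    return "//" in urlsplit(url).path

if __name__ == "__main__":
    for d, p, t in slash_mismatches(SAMPLE_CONF):
        print(f"trailing-slash mismatch: {d} {p} {t}")
    url = backend_url("/server/api", SAMPLE_CONF)
    print(url, "-> contains '//':", has_double_slash(url))
```

Running the same check against the corrected lines (no trailing slash on either side) reports no mismatches and maps /server/api to a single-slash backend path.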