dcm4chee-arc 5 behind reverse proxy logout question


leogrande

Apr 9, 2019, 12:38:20 PM
to dcm4che

dcm4chee-arc-5.16.0-psql-secure
Nginx 1.15.8


I have set up dcm4chee-arc-5 behind a reverse proxy (Nginx). Nginx port 443, proxy_pass 8443.
It works, but I have a question about how dcm4chee-arc logout works.

When an initial request is sent to https://<host name>/dcm4chee-arc/ui2/, the application sends an authentication request to the Keycloak server.
Nginx redirects /dcm4chee-arc/ui2 to the server's internal IP address, so it is not necessary to open port 8443 in the firewall (in my case, AWS security group).


Everything works fine until "logout" is selected. It throws the error message "502 Bad Gateway".

I have checked and compared headers for different setups (with and without proxy). They look similar; just the URIs are different, 443 and 8443.

redirect_uri: https://<host name>/dcm4chee-arc/ui2/


It looks like after logout the application needs access to port 8443 externally. Why? I do not know if it is in the cookies or some Keycloak requirement.

When I open port 8443 from anywhere it works.

And it works, too, when I add only the server's external IP for port 8443.

It can be resolved by adding <internal IP> <host name> to the "hosts" file, but I would prefer not to do that.

I am using DynDNS, and security groups do not accept an FQDN, only an IP address (Elastic IP is the last resort).

And of course, I do not want to open 8443 from anywhere.

It is obvious that login to the application and login after logout are different with all those set cookies like these:

set-cookie: KC_RESTART=; Version=1
set-cookie: KEYCLOAK_IDENTITY=eyJh
set-cookie: KEYCLOAK_SESSION=dcm4c
set-cookie: KEYCLOAK_REMEMBER_ME=;

I just can't figure out why it needs external access to port 8443.