DSpace 7 SSL - ui and backend on one domain name


Karol Sokalski

Jun 21, 2022, 9:43:40 AM
to DSpace Technical Support
I am in the process of installing DSpace 7 as a production. (Debian 11, apache2, tomcat9)
I have a problem with SSL (I have a trusted SSL certificate). Unfortunately I cannot run the backend and frontend on the same domain name.

Everything works when I create 2 vhosts with two different domain names: frontend.test.pl and backend.test.pl in apache and certificates for them. But when I try to do everything in one vhost and one domain name, e.g. dspace.test.pl, it won't work for me, because in apache vhost you can add only one proxy-pass, e.g.

ServerName dspace.test.pl

        ProxyRequests On
        # DSpace backend
        ProxyPass /server http://localhost:8080/server
        ProxyPassReverse /server http://localhost:8080/server
        RequestHeader set X-Forwarded-Proto https

        # DSpace FRONTEND
        ProxyPass / http://localhost:4000/
        ProxyPassReverse / http://localhost:4000/


What is the best practice, should the frontend and backend be on one domain name or on two different ones, and what am I doing wrong that it doesn't work on one domain name?

I would prefer it to work on a single domain name, since DSpace 6 worked that way.
Thanks,

Karol

Michael Plate

Jun 21, 2022, 10:01:36 AM
to dspac...@googlegroups.com
Hi Karol,

On 21.06.22 at 15:43, Karol Sokalski wrote:
> I am in the process of installing DSpace 7 as a production. (Debian 11,
> apache2, tomcat9)

same in dev environment here (real hosts, IPs, certs)

> I have a problem with SSL (I have a trusted SSL certificate).
> Unfortunately I cannot run the backend and frontend on the same domain
> name.
>
> Everything works when I create 2 vhosts with two different domain names:
> frontend.test.pl and backend.test.pl in apache and certificates for
> them. But when I try to do everything in one vhost and one domain name
> e.g. dspace.test.pl, it won't work for me, because in apache vhost you
> can add only one proxy-pass, e.g.
>
> ServerName dspace.test.pl
>
>         ProxyRequests On
>         # DSpace backend
>         ProxyPass /server http://localhost:8080/server
>         ProxyPassReverse /server http://localhost:8080/server
>         RequestHeader set X-Forwarded-Proto https
>
>         # DSpace FRONTEND
>         ProxyPass / http://localhost:4000/
>         ProxyPassReverse / http://localhost:4000/
>
that is exactly what I have, too, despite 127.0.0.1 instead of
"localhost".

What is your exact problem?
Do you have the _real_ servername in local.cfg of the backend
(https://dspace.test.pl)?


Michael

Mark H. Wood

Jun 21, 2022, 10:47:32 AM
to dspac...@googlegroups.com
On Tue, Jun 21, 2022 at 06:43:40AM -0700, Karol Sokalski wrote:
> I am in the process of installing DSpace 7 as a production. (Debian 11,
> apache2, tomcat9)
> I have a problem with SSL (I have a trusted SSL certificate).
> Unfortunately I cannot run the backend and frontend on the same domain
> name.
>
> Everything works when I create 2 vhosts with two different domain names:
> frontend.test.pl and backend.test.pl in apache and certificates for them.
> But when I try to do everything in one vhost and one domain name e.g.
> dspace.test.pl, it won't work for me, because in apache vhost you can add
> only one proxy-pass, e.g.

That's incorrect. You can have any number of reverse proxies.

> ServerName dspace.test.pl
>
> ProxyRequests On
> # DSpace backend
> ProxyPass /server http://localhost:8080/server
> ProxyPassReverse /server http://localhost:8080/server
> RequestHeader set X-Forwarded-Proto https
>
> # DSpace FRONTEND
> ProxyPass / http://localhost:4000/
> ProxyPassReverse / http://localhost:4000/

That should work, BUT "ProxyRequests On" is for a forward proxy and
very likely should be "Off".

Here's our local demo. We're using AJP rather than HTTP to proxy the
back-end, but in essence it's a lot like yours:

# DSpace v7 demo back-end
<Location "/dspace-v7/">
ProxyPass ajp://[::1]:8509/dspace-v7/
</Location>

# DSpace v7 demo front-end
<Location "/">
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
</Location>
ProxyPass "/" "http://localhost:4000/" disablereuse=On max=1
ProxyPassReverse "/" "http://localhost:4000/"

How does your configuration "not work"? What errors do you see? What
behavior? Is there anything relevant in the backend log? the frontend
log? the browser console?

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Bill Tantzen

Jun 21, 2022, 12:48:20 PM
to DSpace Technical Support
Mark,
It looks as if your setup is similar to mine, but your apache directives are a bit different from the ones suggested in the installation docs (https://wiki.lyrasis.org/display/DSDOC7x/Installing+DSpace) for both the frontend and the backend -- can you comment on your tweaks?
~~Bill

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/YrHaAcBEoRyxsiu2%40IUPUI.Edu.


--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen    University of Minnesota Libraries
612-626-9949 (U of M)    612-325-1777 (cell)

Mark H. Wood

Jun 21, 2022, 1:23:26 PM
to dspac...@googlegroups.com
On Tue, Jun 21, 2022 at 11:48:02AM -0500, 'Bill Tantzen' via DSpace Technical Support wrote:
> It looks as if your setup is similar to mine, but your apache directives
> are a bit different from the ones suggested in the installation docs (
> https://wiki.lyrasis.org/display/DSDOC7x/Installing+DSpace) for both the
> frontend and the backend -- can you comment on your tweaks?

Let's see:

o <Location "/dspace-v7/"> because I have several distinct instances
of DSpace deployed on the box, and this one is named "dspace-v7".

o "ProxyPass ajp://[::1]:8509/dspace-v7" because I am running several
versions of Tomcat on the box, and that particular instance is
listening for AJP on 8509 rather than the normal 8009.

o The front-end stuff is all because I'm running the front-end raw
rather than in PM2. I needed to ensure that HTTPD doesn't try to
pool connections to it. I should review these settings to see if I
really need them all.

o I have separate ProxyPass and ProxyPassReverse, rather than tucking
it all into the second <Location/>, because the single-argument
form doesn't take options.

> On Tue, Jun 21, 2022 at 9:47 AM Mark H. Wood <mwood...@gmail.com> wrote:
> > # DSpace v7 demo back-end
> > <Location "/dspace-v7/">
> > ProxyPass ajp://[::1]:8509/dspace-v7/
> > </Location>
> >
> > # DSpace v7 demo front-end
> > <Location "/">
> > SetEnv proxy-nokeepalive 1
> > SetEnv proxy-initial-not-pooled 1
> > </Location>
> > ProxyPass "/" "http://localhost:4000/" disablereuse=On max=1
> > ProxyPassReverse "/" "http://localhost:4000/"


Karol Sokalski

Jun 22, 2022, 5:47:56 PM
to DSpace Technical Support
Hi,

this is my configuration:
local.cfg 

dspace.server.url = https://dspace.test.pl/server
dspace.ui.url = https://dspace.test.pl

config.prod.yml

ui:
  ssl: false
  host: dspace.test.pl
  port: 4000
  nameSpace: /
  
rest:
  ssl: true
  host: dspace.test.pl
  port: 443
  nameSpace: /server

and now vhost-ssl.conf in apache looks like:
                # thanks Mark
                ProxyRequests off

                ProxyPass /server http://localhost:8080/server
                ProxyPassReverse /server http://localhost:8080/server
                RequestHeader set X-Forwarded-Proto https

                #DSpace FRONTEND

                ProxyPass / http://localhost:4000/
                ProxyPassReverse / http://localhost:4000/

errors only appear in apache error.log (pm2, catalina, dspace.log are clear)
 
[Wed Jun 22 12:52:54.365946 2022] [proxy:error] [pid 47109:tid 140596472973056] (111)Connection refused: AH00957: http: attempt to connect to 127.0.0.1:4000 (localhost) failed
[Wed Jun 22 12:52:54.365985 2022] [proxy_http:error] [pid 47109:tid 140596472973056] [client :51090] AH01114: HTTP: failed to make connection to backend: localhost

And I checked: https://dspace.test.pl/server works fine - I see api and response 200 success.
Problem is with frontend https://dspace.test.pl/

Thanks,

Karol

Tim Donohue

Jun 22, 2022, 6:34:59 PM
to Karol Sokalski, DSpace Technical Support
Hi Karol,

For your frontend config (config.prod.yml), your "ui" settings should be using localhost. For example:

ui:
  ssl: false
  host: localhost
  port: 4000
  nameSpace: /


This is necessary because the "ui" section tells Node where to start the frontend. In your situation you want it running at http://localhost:4000/, as you have Apache set up to redirect to that location.

Keep in mind, in your backend configs (in local.cfg) you should still have the UI set as "dspace.ui.url = https://dspace.test.pl" because that's the public URL of your frontend.

So, it may seem a bit confusing that the "dspace.ui.url" doesn't match with the "ui" settings on the frontend...but that's often the case. In the "ui" settings you are defining the local URL where the UI runs...while in "dspace.ui.url" you must have the public URL of the UI. These are usually not the same.

Good luck.  I suspect this is the problem you are hitting, but if it doesn't fix things, let us know on this list!
Tim


Karol Sokalski

Jun 24, 2022, 3:54:36 AM
to DSpace Technical Support
Hi Tim,

Yes! That was exactly the problem, after your tips everything works - thank you. I wonder if the backend should also be entered in config.prod.yml as localhost? Is the public visibility of the backend API OK from a security point of view? Thank you,

Karol

Tim Donohue

Jun 24, 2022, 11:09:14 AM
to Karol Sokalski, DSpace Technical Support
Hi Karol,

No, in your config.prod.yml, the REST API needs to be the public URL. This is something that often confuses people. While the "ui" settings are usually set to localhost (as those are what Node uses to start the UI), the "rest" settings are ALWAYS the public URL (as those settings are used by the UI running in your browser to connect you to the backend).

To clarify, the DSpace UI is a JavaScript app...so it will run in your users' browsers...and since your users cannot connect to your REST API on "localhost", they need the publicly accessible URL.

I've tried to find a good way to explain this clearly in our documentation, but obviously we need to provide more examples :)  You are not alone though...this is an area that many get confused over in configuring the User Interface.

Tim
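
The three problems raised in this thread (ProxyRequests On, a "ui" host that differs from where Apache proxies, and "rest" settings that are not the public URL) can be checked mechanically before a restart. The Python below is an added example, not code from DSpace or from any poster; the function names and the sample input are constructed for illustration, and the ProxyPass ordering check goes beyond what the thread discusses.

```python
from urllib.parse import urlsplit
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_vhost(text):
    """Return (ProxyRequests value, [(path, target), ...]) from vhost text."""
    proxy_requests, passes = "off", []  # Apache's default is Off
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0].lower() == "proxyrequests" and len(tok) > 1:
            proxy_requests = tok[1].lower()
        elif tok[0].lower() == "proxypass" and len(tok) > 2:
            passes.append((tok[1], tok[2]))
    return proxy_requests, passes

def rest_url(rest):  # URL the browser derives from the "rest" section
    scheme, default = ("https", 443) if rest["ssl"] else ("http", 80)
    port = "" if rest["port"] == default else f":{rest['port']}"
    return f"{scheme}://{rest['host']}{port}{rest['nameSpace']}"

def lint(vhost, ui, rest, server_url):
    """ui/rest: sections of config.prod.yml; server_url: dspace.server.url."""
    findings = []
    proxy_requests, passes = parse_vhost(vhost)
    if proxy_requests == "on":
        findings.append("ProxyRequests On enables forward proxying; use Off")
    # Rules are tried in order, first match wins (plain prefix test, approximate).
    for i, (path, _) in enumerate(passes):
        if any(path.startswith(p) for p, _ in passes[:i]):
            findings.append(f"ProxyPass {path} is shadowed by an earlier rule")
    target = urlsplit(dict(passes).get("/", ""))
    same_host = ui["host"] == target.hostname or {ui["host"], target.hostname} <= LOOPBACK
    if target.hostname and not (same_host and ui["port"] == target.port):
        findings.append("ui host/port differs from the ProxyPass / target")
    if rest["host"] in LOOPBACK:
        findings.append("rest.host is loopback; browsers need the public host")
    if rest_url(rest) != server_url.rstrip("/"):
        findings.append("rest settings do not match dspace.server.url")
    return findings

# Constructed sample, modelled on the configuration posted in the thread.
VHOST = ("ProxyRequests On\nProxyPass /server http://localhost:8080/server\n"
         "ProxyPass / http://localhost:4000/\n")
UI = {"ssl": False, "host": "dspace.test.pl", "port": 4000, "nameSpace": "/"}
REST = {"ssl": True, "host": "dspace.test.pl", "port": 443, "nameSpace": "/server"}
SERVER_URL = "https://dspace.test.pl/server"
if __name__ == "__main__":
    print("\n".join(lint(VHOST, UI, REST, SERVER_URL)))
```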


Karol Sokalski

Jun 25, 2022, 9:21:26 AM
to DSpace Technical Support
Hi Tim,

Now, it's all clear. Thanks,

Karol

Bikramjit Singh

Dec 15, 2023, 3:58:36 PM
to DSpace Technical Support
Hi Mark,
I am also trying to install multiple DSpace instances on a single URL, but was not able to make it work perfectly. Is it working for you well? In my case my `self` URL in /server/api was not getting detected running on a path. Could you please help me? Thanks
