Problems with HAProxy as a proxy of ERDDAP


Oscar Chic

Mar 21, 2024, 5:07:39 AM
to ERDDAP
Hello,
I know that in documentation there are examples of Apache and nginx as a proxy of ERDDAP. But in our institute, computer engineering people selected HAProxy and we have problems.

Our test server is:


and no problems with index.html (code 200, so OK) but problems with images, JavaScript and CSS.
Looking at Chrome's inspector, the problem is that index.html is proxied well, but not the images, CSS and JavaScript, which appear with the private IP, so http://10.100....

ERDDAP from the intranet with the private IP runs OK. The problem is with the internet IP.

HAProxy configuration is:

frontend http-proxy
        bind            *:80
        # you can include additional certs, separated by blank space
        bind            *:443 ssl crt /etc/haproxy/tls/dms-pro_icm_csic_es_cert.cer
        mode            http
        log             global
        option          httplog
        option          dontlognull
        maxconn         8000
        timeout client  30s 

        # dms-pro
        acl dms-pro hdr(host) -i dms-pro.icm.csic.es
        use_backend be_dms-pro if dms-pro

        default_backend default-back

backend be_dms-pro
        mode            http
        timeout connect 10s
        timeout server  10s
        retries         2
        server dms-pro 10.100.200.26:8080 maxconn 64

Any help will be welcomed.

Thanks,
Oscar

Roy Mendelssohn - NOAA Federal

Mar 21, 2024, 10:18:29 AM
to Oscar Chic, ERDDAP
Hi Oscar:

Thanks for your query. We have zero knowledge of HAProxy; hopefully someone on the list can help better. Having said that, I will make two wild stabs at things and one request.

1. In Apache at least it is not enough to just proxy port to port for everything to work, you have to proxy /erddap - I don't know the equivalent for HAProxy but don't see anything like it in the setup.

2. With Apache I have found proxying :8080 using http doesn't always work - we proxy to :8443 with a setup that says no cert.

3. What does your server.xml file look like (please sanitize before sending).

As I said these are wild guesses based on no knowledge of HAProxy.

-Roy
> --
> You received this message because you are subscribed to the Google Groups "ERDDAP" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to erddap+un...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/erddap/cffbd84c-537a-40b8-a3bd-f9a74e3d739bn%40googlegroups.com.

**********************
"The contents of this message do not reflect any position of the U.S. Government or NOAA."
**********************
Roy Mendelssohn
Supervisory Operations Research Analyst
NOAA/NMFS
Environmental Research Division
Southwest Fisheries Science Center
***Note new street address***
110 McAllister Way
Santa Cruz, CA 95060
Phone: (831)-420-3666
Fax: (831) 420-3980
e-mail: Roy.Men...@noaa.gov www: https://www.pfeg.noaa.gov/

"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected"
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.

Roy Mendelssohn - NOAA Federal

Mar 21, 2024, 10:26:34 AM
to Oscar Chic, ERDDAP
Hi Oscar:

A quick web search found:

https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration#frontend

There it says that for reverse proxy work the IPs to be proxied must be defined in the frontend block. Maybe it doesn't matter but it is at least a possibility.

-Roy

Alex Kerney

Mar 21, 2024, 10:31:19 AM
to ERDDAP, Oscar Chic
Hi Oscar,

ERDDAP encodes the `baseUrl` or `baseHttpsUrl` into most of the URLs it generates. Currently it looks like you have the base URL set to the internal IP, which is why all the resources cannot be found externally.

Can you try updating server.xml to have your external domain in the baseUrl settings?

There also may be ways to rewrite responses with HAProxy to substitute the internal IP for your domain.

-Alex Kerney
Web Application Developer
Gulf of Maine Research Institute
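
An added example (not part of the original thread and not ERDDAP or HAProxy code): a Python check that scans a page fetched through the proxy for absolute URLs pointing at localhost or at private, loopback or link-local addresses, which is the symptom described above when `baseUrl` holds the internal address. The sample HTML and its paths are constructed; the host name and backend address are the ones quoted in the thread.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (paths are made up): the HTML loads through the
# proxy, but some absolute URLs still carry the backend or localhost address.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://10.100.200.26:8080/erddap/images/style.css">
<script src="http://10.100.200.26:8080/erddap/images/app.js"></script>
<img src="https://dms-pro.icm.csic.es/erddap/images/logo.png">
<a href="/erddap/info/index.html">datasets</a>
<a href="https://localhost:8443/erddap/index.html">home</a>
"""

class UrlCollector(HTMLParser):
    """Collect every href/src/action attribute value in document order."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]

def is_internal_host(host):
    """True for localhost and for private, loopback or link-local IP literals."""
    if host is None:              # relative URL: resolved against the public origin
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:            # an ordinary DNS name, not an IP literal
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_leaked_urls(html):
    """Return the absolute URLs in html that point at an internal address."""
    collector = UrlCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        try:
            host = urlsplit(url).hostname
        except ValueError:        # malformed authority, e.g. a broken IPv6 literal
            continue
        if is_internal_host(host):
            leaks.append(url)
    return leaks

if __name__ == "__main__":
    for url in find_leaked_urls(SAMPLE_HTML):
        print("internal address exposed:", url)
```

Any URL it reports is both a broken link for outside users and a disclosure of internal addressing, so an empty result on the home page is a reasonable acceptance check after changing `baseUrl` and `baseHttpsUrl`.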

Rob Cermak

Mar 21, 2024, 10:43:10 AM
to Roy Mendelssohn - NOAA Federal, Oscar Chic, ERDDAP
I will echo what has already been said.

We had to do three things to essentially proxy the erddap container we have in our machine through to https over apache.

1. There is a forward proxy.
2. There is a reverse proxy.
3. The ERDDAP base url has to be the url endpoint to the outside.   Otherwise, things are referenced as if they were still on the inside.

This is what we have to specify for the erddap container running internally on port 8080.  This could be any internal address and port.   In our situation, ERDDAP is running on plain HTTP and proxied through Apache to provide HTTPS.

Apache:
ProxyPass /erddap http://localhost:8080/erddap
ProxyPassReverse /erddap http://localhost:8080/erddap

Excerpt bits from the startup script passing environment to the docker container.


ERDDAP_baseUrl="${BASE_URL}"
ERDDAP_baseHttpsUrl="${BASE_URL}"

The "baseURL" has to be the external url for things to work.

Rob


Roy Mendelssohn - NOAA Federal

Mar 22, 2024, 10:52:15 AM
to Oscar Chic, ERDDAP
Hi Oscar:

I forgot to ask that when you get this worked out can you post the final configuration in case this comes up again.

Thanks,

-Roy

Roy Mendelssohn - NOAA Federal

Mar 25, 2024, 6:08:03 PM
to Oscar Chic, ERDDAP
Hi Oscar:

Here is a first pass generated by ChatGPT4, minus some of the settings you had which you can add in, but you can see the difference in the front and back ends. I have no way of testing, but you do need to proxy more than the port, and to have reverse proxy it must be defined in the front end.

HTH,

-Roy

# Global settings
global
        log /dev/log local0
        log /dev/log local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon

# Default settings
defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

# Frontend configuration
frontend http-in
        bind *:80
        acl path_erddap path_beg /erddap
        use_backend erddap_backend if path_erddap

# Backend configuration
backend erddap_backend
        server erddap_server 10.100.200.26:8080 check


> On Mar 25, 2024, at 2:45 AM, Oscar Chic <och...@gmail.com> wrote:
>
> Hi,
>
> I would greatly appreciate your help.
> We go slowly because I manage ERDDAP but not the frontend with HAProxy, so the tests are very slow.
> We need to make changes related to proxying 8080 or 8443, include /erddap... and also in setup.xml in ERDDAP related to baseHttpsUrl, baseUrl...
>
> When we solve it I will tell you.
>
> Thanks a lot for your help.
> Òscar
>

Roy Mendelssohn - NOAA Federal

Mar 29, 2024, 10:03:56 AM
to Oscar Chic, ERDDAP
Hi Oscar:

I am glad things are progressing. Again I know little about HAProxy, but my guess is it is not sufficient to just proxy the port, you must forward and reverse proxy /erddap - that is true for the other proxy methods I am aware of. Please look at the example I sent generated by ChatGPT4 - you can see how /erddap is included in the proxy information. My guess (and only a guess) is that is where your problem lies.

HTH,

-Roy

> On Mar 26, 2024, at 10:37 AM, Oscar Chic <och...@gmail.com> wrote:
>
> Hi, all,
>
> Still not working perfectly but... more or less. Here you have significant configuration:
>
> setup.xml
> <baseUrl>http://dms-pro.icm.csic.es</baseUrl>
> <baseHttpsUrl>https://dms-pro.icm.csic.es</baseHttpsUrl>
>
> haproxy.cfg
> frontend
> ...
> # dms-pro
> acl dms-pro hdr(host) -i dms-pro.icm.csic.es
> use_backend be_dms-pro if dms-pro
>
> default_backend default-back
>
> backend be_dms-pro
> mode http
> timeout connect 10s
> timeout server 10s
> retries 2
> server dms-pro 10.100.201.26:8080 maxconn 64
>
> ...
>
> I also attached an image that shows the home.
> Inspecting the code with Chrome shows that 6 of the 9 elements of the page load well (code 200) and 3 have problems.
>
> It seems that HAProxy could be proxying /erddap, but there are still some problems.
> I'm not sure if the problems could be related to 8443 port (instead of 8080).
>
> Best,
> Òscar
>

Oscar Chic

Apr 2, 2024, 7:56:38 AM
to ERDDAP
Finally it works !! Thanks to everybody.

I use Docker ERDDAP (no Tomcat installation as I did before) with these configurations:

setup.xml
...
<baseUrl>https://dms-pro.icm.csic.es</baseUrl>
<baseHttpsUrl>https://dms-pro.icm.csic.es</baseHttpsUrl>
...

and

haproxy.cfg
...
frontend http-proxy
        bind            *:80
        # you can include additional certs, separated by blank space
        bind            *:443 ssl crt /etc/haproxy/tls/dms-pro_icm_csic_es_cert.cer
        mode            http
        log             global
        option          httplog
        option          dontlognull
        maxconn         8000
        timeout client  30s

        # dms-pro
        acl dms-pro hdr(host) -i dms-pro.icm.csic.es
        use_backend be_dms-pro if dms-pro

backend be_dms-pro
        mode            http
        timeout connect 10s
        timeout server  10s
        retries         2
        server dms-pro 10.100.201.26:8080 maxconn 64
...

It seems that it is not important to proxy "/erddap" in this installation. I don't know if this is related to the "magic" of dockers or the "magic" of HAProxy. 

Thanks a lot,

Best,
Òscar


Oscar Chic

Apr 3, 2024, 3:50:44 AM
to ERDDAP
Hi, Roy,

I use a Docker image from 21 months ago. Below you have more information.

It seems ERDDAP works, but not fully. 15 datasets failed to load, including one I test from a CSV.
Here you have the web:


I don't know if there is some config error.

Best,
Òscar

---

ERDDAP configured with:
ERDDAP_CONTENT_URL=https://github.com/BobSimons/erddap/releases/download/v2.18/erddapContent.zip
ERDDAP_VERSION=2.18
ERDDAP_WAR_URL=https://github.com/BobSimons/erddap/releases/download/v2.18/erddap.war
ERDDAP_adminAddress=123 Irrelevant St.
ERDDAP_adminCity=Nowhere
ERDDAP_adminCountry=USA
ERDDAP_adminEmail=nob...@example.com
ERDDAP_adminIndividualName=Axiom Docker Install
ERDDAP_adminInstitution=Axiom Docker Install
ERDDAP_adminInstitutionUrl=https://github.com/axiom-data-science/docker-erddap
ERDDAP_adminPhone=555-555-5555
ERDDAP_adminPosition=Software Engineer
ERDDAP_adminPostalCode=99504
ERDDAP_adminStateOrProvince=AK
ERDDAP_baseHttpsUrl=https://localhost:8443
ERDDAP_bigParentDirectory=/erddapData
ERDDAP_emailDailyReportsTo=nob...@example.com
ERDDAP_emailEverythingTo=nob...@example.com
ERDDAP_emailFromAddress=not...@example.com
ERDDAP_emailPassword=
ERDDAP_emailProperties=
ERDDAP_emailSmtpHost=
ERDDAP_emailSmtpPort=
ERDDAP_emailUserName=
ERDDAP Running with:  -server -d64 -Xms4G -Xmx4G -XX:+HeapDumpOnOutOfMemoryError -Djava.awt.headless=true -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -DerddapContentDirectory=/usr/local/tomcat/content/erddap/ -Djna.tmpdir=/tmp/ -Djava.security.egd=file:/dev/./urandom


Roy Mendelssohn - NOAA Federal

Apr 3, 2024, 10:16:22 AM
to Oscar Chic, ERDDAP
Hi Oscar:

You would have to look in the ERDDAP logs, or send the appropriate parts, for anyone to know. This often can be one of the downsides of using Docker, the setup is more complicated. Sometimes with Docker the problem is the local data files are not properly mapped into the container. But the error messages in the log are the place to start.

-Roy