Error with 1.8.1 webclient on login click - "There is a problem contacting the server!"

[Will Ford [Wake Forest]]

When I look at the logs in apache, I see the following errors- the first is always a 553 and then the rest of the attempts have the other number:

192.168.49.2 - - [09/Jul/2024:12:21:30 +0000] "POST /proxy.php HTTP/1.1" 200 553 "https://wazn-i2b2a-lx-1.medctr.ad.wfubmc.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"

192.168.49.2 - - [09/Jul/2024:12:23:14 +0000] "POST /proxy.php HTTP/1.1" 200 489 "https://wazn-i2b2a-lx-1.medctr.ad.wfubmc.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"

wazn-i2b2a-lx-1.medctr.ad.wfubmc.edu/i2b2/services/PMService?wsdl Looks good when I navigate to it

wazn-i2b2a-lx-1.medctr.ad.wfubmc.edu/i2b2_config_domains.json is configured with the following:

{
    "urlProxy": "/proxy.php",
    "urlFramework": "js-i2b2/",
    "lstDomains": [
        {
            "domain": "i2b2demo",
            "name": "staging",
            "urlCellPM": "https://WAZN-I2B2A-LX-1.medctr.ad.wfubmc.edu/i2b2/services/PMService/",
            "allowAnalysis": true,
            "debug": false
        }
    ]
}

changing debug to true hasn't provided me with additional information.

When I bring up the site, I do see a warning:

communicatorFactory: 'PM' does not have a cellURL specified - i2b2_cell_communicator.js:15

Then:

EVENT FIRED i2b2.events.afterCellInit[PM] - hive_globals.js:157

But when that alert modal comes up with the "There is a problem contacting the server!", nothing is written to the console to chase down. I did find the message in js-i2b2/hive/i2b2_cell_communicator.js:225

                      /* success handler code */
                      if (typeof o !== "object") {
                          alert("There is a problem contacting the server!");
                          return false;
                      }

But I'm not sure how to run this down.  Any help would be appreciated.

Thanks!

Will

[Wattanasin, Nich]

Hi Will,

I'm not sure if this will fix the problem, but try this inside i2b2_config_domains.json:

"urlProxy": "proxy.php",      (without the slash)

Thanks,

Nich

---

From: i2b2-ins...@googlegroups.com <i2b2-ins...@googlegroups.com> on behalf of Will Ford [Wake Forest] <wfor...@gmail.com>
Sent: Tuesday, July 9, 2024 8:44 AM
To: i2b2 Install Help <i2b2-ins...@googlegroups.com>
Subject: Error with 1.8.1 webclient on login click - "There is a problem contacting the server!"

 

        External Email - Use Caution        

--
You received this message because you are subscribed to the Google Groups "i2b2 Install Help" group.
To unsubscribe from this group and stop receiving emails from it, send an email to i2b2-install-h...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/fbcea34a-97fe-4646-bc00-4438caf95758n%40googlegroups.com.

The information in this e-mail is intended only for the person to whom it is addressed.  If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Mass General Brigham Compliance HelpLine at https://www.massgeneralbrigham.org/complianceline .

Please note that this e-mail is not secure (encrypted).  If you do not wish to continue communication over unencrypted e-mail, please notify the sender of this message immediately.  Continuing to send or respond to e-mail after receiving this message means you understand and accept this risk and wish to continue to communicate over unencrypted e-mail. 

[Will Ford [Wake Forest]]

updated  wazn-i2b2a-lx-1.medctr.ad.wfubmc.edu/i2b2_config_domains.json and no change in outcome

{
    "urlProxy": "proxy.php",

    "urlFramework": "js-i2b2/",
    "lstDomains": [
        {
            "domain": "i2b2demo",
            "name": "staging",
            "urlCellPM": "https://WAZN-I2B2A-LX-1.medctr.ad.wfubmc.edu/i2b2/services/PMService/",
            "allowAnalysis": true,
            "debug": false
        }
    ]
}

[Wattanasin, Nich]

Thanks for the confirmation.

For the logs, do you see anything in your Apache error logs (might be in error.log or ssl_error log)?

Just to mention, the log entries that you pasted look fine (those look like from the Apache access log). The numbers '553' and '489' are not HTTP error codes, but the context length of the payload. The HTTP code that's actually being received is 200 which is good:

192.168.49.2 - - [09/Jul/2024:12:21:30 +0000] "POST /proxy.php HTTP/1.1" 200 553 "https://wazn-i2b2a-lx-1.medctr.ad.wfubmc.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"

Thanks,

Nich

---

From: i2b2-ins...@googlegroups.com <i2b2-ins...@googlegroups.com> on behalf of Will Ford [Wake Forest] <wfor...@gmail.com>

Sent: Tuesday, July 9, 2024 10:16 AM

To: i2b2 Install Help <i2b2-ins...@googlegroups.com>

Subject: Re: Error with 1.8.1 webclient on login click - "There is a problem contacting the server!"

 

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/aab0104c-59e1-4bfa-9400-4f8fbfdb78bdn%40googlegroups.com.

[Will Ford [Wake Forest]]

This is within a Docker container.  I confirmed that the access.log and other_vhosts_access.log are symlinked to stout and  error.log to stderr, so these would show in docker logs but there's nothing additional coming through.

I can provide more details about what I've setup if that helps.

Thanks!

Will

[Vaibhav Talap]

Hi Will,

can you please provide more information about the setup you have using for i2b2.
Also let us know which docker image used for Webclient.



Thanks,

Persistent Systems Support Team

[Will Ford [Wake Forest]]

Sure!

I'm using php:8.2.20-apache-bullseye. Below is my Dockerfile.  I'm using a multistage build to reduce the layers in the final image.

```Dockerfile

FROM debian:stable as base

RUN apt-get update && \
    apt-get -y install \
    ca-certificates wget unzip

COPY certificates/* /usr/local/share/ca-certificates

RUN update-ca-certificates

RUN wget "https://github.com/i2b2/i2b2-webclient/archive/refs/tags/v1.8.1.0001.zip" -O /tmp/webclient.zip && \
    unzip /tmp/webclient.zip i2b2-webclient-*/* -d /tmp/ && \
    mv /tmp/i2b2-webclient-* /tmp/i2b2-webclient

FROM php:8.2.20-apache-bullseye

COPY --from=base /tmp/i2b2-webclient .

COPY --chmod=755 ./i2b2/webclient/etc/entrypoint.sh .

ENTRYPOINT ["./entrypoint.sh"]
```

The entrypoint script just dynamically generates the i2b2_config_domains.json and runs the apache2-foregound process.

```shell

#!/bin/sh
set -e

cat > "i2b2_config_domains.json" <<EOF

{
        "urlProxy": "proxy.php",
        "urlFramework": "js-i2b2/",
        "lstDomains": [

                {   "domain": "${I2B2_DOMAIN}",
                        "name": "${I2B2_DOMAIN_HUMAN}",
                        "urlCellPM": "${I2B2_PM_URL}",
                        "allowAnalysis": true,
                        "debug": false
                }
        ]
}
EOF

exec apache2-foreground

```

Thanks!

Will

[Vaibhav Talap]

Hello Will,

 

We have successfully created a Webclient docker image from your docker file and have been able to recreate the issue you reported.
Our team is currently investigating the root cause of the problem and will provide you with an update as soon as possible.

Thanks,

Persistent Systems Support Team

[Will Ford [Wake Forest]]

Thank you looking into this for us. Can you provide any status or expectations I can share with my management?

Thanks!

Will

[Vaibhav Palat]

Hello Will,

Apologies for the delayed response. We have built the web client image using our Dockerfile, but we are still facing the same issues.
Initially, we suspect the issue may be in the Proxy.php file. We are currently debugging it and will provide you with further updates soon.

Thanks,
Persistent Systems Support Team

[Vaibhav Talap]

Hello Will,

Apologies for the delayed response. We have built the webclient image using our Dockerfile, but we are still facing the same issues.
Initially, we suspect the issue may be in the Proxy.php file. We are currently debugging it and will provide you with further updates soon.

Thanks,
Persistent Systems Support Team

[Diane Keogh]

Hello Vaibhav,

Any updates on this? 

On Jul 23, 2024, at 6:19 AM, Vaibhav Palat <palatv...@gmail.com> wrote:



To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/849e62f9-1164-42c8-9294-715398168894n%40googlegroups.com.

[Kevin Bui]

Hello,

From my experience, the problem has to do with the proxy.php file.  This is not an issue when using PHP 7.  If you're using PHP 8, use the proxy.php file from the webclient version 1.8.0.

Best,

Kevin

[Vaibhav Talap]

Hello Will,

Apologies for the delay in the response. We were able to reproduce the issue in our localhost using i2b2 dockerized version as mentioned in this thread.

We performed the following steps and resolved the issue in our localhost.

1.  Used the i2b2/i2b2c-web:release-1.3.1 as the base image (available on docker hub https://hub.docker.com/r/i2b2/i2b2c-web/tags).
2.  Clone the latest webclient code.
3.  Updated the proxy.php and i2b2_config_domains.json files.
4.  Copied the updated webclient code into docker container. ( docker cp i2b2-webclient  <webclient_container_id>:var/www/html/.
5.  Login to the webclient on localhost:i2b2-webclient.

code changes in proxy.php 

• update $pmURL = "http://i2b2-wildfly:8080/i2b2/rest/PMService/getServices";
• update whitelist array (i2b2-wildfly is a docker container name)

$WHITELIST = array(    "http" . (($_SERVER['SERVER_PORT'] == '443') ? 's' : '' ) . "://" . $_SERVER['HTTP_HOST'],

   "http://i2b2-wildfly",

    "http://127.0.0.1:9090",

    "http://127.0.0.1:8080",

    "http://127.0.0.1",

    "http://localhost:8080",

    "http://localhost:9090",

    "http://localhost"

);

code changes in i2b2_config_domains.json

"urlCellPM": "http://localhost/i2b2/services/PMService/"

Please let us know if you are able to resolve this issue.

Thanks,
Persistent Systems Support Team

[Vaibhav Talap]

Hello Will,

Apologies for the delay in the response. We were able to reproduce the issue in our localhost using i2b2 dockerized version as mentioned in this thread.

We performed the following steps and resolved the issue in our localhost.

1. Used the i2b2/i2b2c-web:release-1.3.1 as the base image (available on docker hub https://hub.docker.com/r/i2b2/i2b2c-web/tags).

2. Clone the latest webclient code.

3. Updated the proxy.php and i2b2_config_domains.json files.
4. Copied the updated webclient code into docker container. ( docker cp i2b2-webclient  <webclient_container_id>:var/www/html/.
5. Login to the webclient on localhost:i2b2-webclient.

code changes in proxy.php 

• update $pmURL = "http://i2b2-wildfly:8080/i2b2/rest/PMService/getServices";
• update whitelist array (i2b2-wildfly is a docker container name)

$WHITELIST = array(    "http" . (($_SERVER['SERVER_PORT'] == '443') ? 's' : '' ) . "://" . $_SERVER['HTTP_HOST'],

   "http://i2b2-wildfly",

    "http://127.0.0.1:9090",

    "http://127.0.0.1:8080",

    "http://127.0.0.1",

    "http://localhost:8080",

    "http://localhost:9090",

    "http://localhost"

);

code changes in i2b2_config_domains.json

"urlCellPM": "http://localhost/i2b2/services/PMService/"

Please let us know if you are able to resolve this issue.

Thanks,
Persistent Systems Support Team

[Aditya Vidap]

Hello Will,

Apologies for the delayed response,

we were able to reproduce the issue in our local dockerized environment as mentioned in this thread earlier and we resolved the issue by performing the following steps.

1.  We used the i2b2/i2b2c-web:release-1.3.1  as base docker image for webclient

available at dockerhub (https://hub.docker.com/r/i2b2/i2b2c-web/tags)

2. Cloned the latest webclient repository from GitHub, updated the proxy.php and i2b2_config_domains.json file.
3. Copied the webclient repository into webclient running container using command (docker cp i2b2-webclient/  <webclient_container_name>:var/www/html/ )
4. The weblient is now accessible at localhost:i2b2-webclient/ and we were able to login and run the query.

 

Snippet of proxy.php file: 

Updated the $pmURL and changed the $WHITELIST variable.

$pmURL = "http://i2b2-wildfly:8080/i2b2/rest/PMService/getServices";

$WHITELIST = array(

    "http" . (($_SERVER['SERVER_PORT'] == '443') ? 's' : '' ) . "://" . $_SERVER['HTTP_HOST'],

    "http://i2b2-wildfly",

    "http://127.0.0.1:9090",

    "http://127.0.0.1:8080",

    "http://127.0.0.1",

    "http://localhost:8080",

    "http://localhost:9090",

    "http://localhost"

);

 

Snippet for i2b2_config_domains.json file:

{

    "urlProxy": "proxy.php",

    "urlFramework": "js-i2b2/",

    "lstDomains": [

      { "domain": "i2b2demo",

        "name": "i2b2.org Demo",

        "urlCellPM": "http://localhost/i2b2/services/PMService/",

        "allowAnalysis": true,

        "debug": false  

      }

 

 

Please let us know if you need further assistance.

Thanks,
Persistent Systems Support team.

[Silvio, Domenick]

With the upgrade from 1.7.13 to 1.8.1, I was also seeing the “there is a problem contacting the server” error message on a server with:

 

Red Hat Enterprise Linux 8.10

Apache 2.4.57

Wildfly 17.0.1

PHP 7.2.24, upgraded this week to 8.2.11

 

None of the suggested changes to i2b2_config_domains.json or proxy.php made the slightest difference in resolving the error or with what I saw in the logs. When I replaced proxy.php with the i2b2 1.8.0 version (no changes, just overwrote the 1.8.1 version), the “problem contacting the server” error disappeared and logins to i2b2 v1.8.1 proceeded correctly. Thank you Kevin.

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/169012f9-8586-4183-ab3b-74128decaf63n%40googlegroups.com.

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues

[Will Ford [Wake Forest]]

I'll check the 1.8.0 version out!

I've been trying different modifications to the proxy.php and the most promising change was when I whitelisted the server's dns entry (fqdn since this is a dev machine). With that change it seems to be trying to connect, but eventually times out with pretty much the same error.  I went back and checked my 1.7.x instances and I didn't have to update the whitelist in index.php.

I'm happy to look at the Docker image you all are suggesting, but I need some specifics - a GitHub repo or something so I can understand the source image, the scripts that are added, etc.  In looking at the docker hub page, it has the commands that were run with each layer, but nothing more, and at quick glance looking in the i2b2 org in GitHub, I don't see what looks to be the source repo.

As an aside, I'm not sure how the GitHub releases are being handled in the i2b2-webclient and i2b2-core-server repos, but I don't fully understand why the 1.8.0 release was removed when the 1.8.1 was posted.

-Will

[Silvio, Domenick]

You can find the 1.8.0 release files here: https://www.i2b2.org/software/archive.html

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/03c0b641-452f-479a-a037-25626b2fcdd4n%40googlegroups.com.

[Mendis, Michael E.]

Glad that you where able to login in.   When you get a chance can you diff the two proxy.php file (1.8.0 and 1.8.1) to see what difference is?

 

When I looked at the github they both appeared the same to me.

 

Thanks

mike

 

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/FD533E27-868E-45B0-8F7E-060E79D69D1A%40med.umich.edu.

[Silvio, Domenick]

See attached. These were taken from the .zip files downloaded from i2b2.org.

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/BL0PR04MB49941A91E95CA8085F45F4CFB3B32%40BL0PR04MB4994.namprd04.prod.outlook.com.

[Mendis, Michael E.]

Great thanks.   I take that back about the repos, my mistake.  

 

I see what you mean by the difference, I tested with php 7 and php 8.0 and i2b2 1.8.1 worked,  let me test with php 8.2 and see if it fails.

 

Thanks

mike

 

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/C949FEAF-3EA6-4144-A20A-347482F31DE7%40med.umich.edu.

[Will Ford [Wake Forest]]

Hey Michael,

Have you made any progress on this?  I appreciate your efforts on this.  Our IT group has been pretty adamant on using current versions, specifically we had to push REDCap to php 8.2 to satisfy their requirements.

-Will

[Mendis, Michael E.]

I just installed php 8.2 on the i2b2 1.8.1 vm and was able to login.   Is there any errors in the httpd log or the wildfly server.log?   Another thing is using the debugger on the browser what is the response from the proxy.php?

 

-mike

 

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/43757d8a-f87d-427e-9649-401216299b3fn%40googlegroups.com.

[Silvio, Domenick]

Will: our Apache configuration has DocumentRoot set to i2b2’s “webclient” directory and i2b2_config_domains.json calls proxy.php with this:

 

"urlProxy": "/proxy.php",

 

Our base server build uses the Red Hat package repositories, which only provides the older PHP 7. I installed PHP 8 in a non-standard directory and call it in httpd.conf with this:

 

PHPIniDir "/app/utilities/php8211"

To view this discussion on the web visit https://groups.google.com/d/msgid/i2b2-install-help/BL0PR04MB4994EB8D97EB73A95DFEC2FCB3872%40BL0PR04MB4994.namprd04.prod.outlook.com.

[Will Ford [Wake Forest]]

I'm not seeing anything in the server.log- last line being:

2024-08-16 08:23:13,675 INFO  [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0013: Redeployed "i2b2.war"

Nothing is being written to console in the browser when I input my username/password and click Login.  Just the modal with the error message happens.

I have the error that I mentioned in my first post, but they are when I first navigate to the site (w/n my first post if you needed).

Should I be changing to a new proxy.php?  I haven't changed anything nor can I download anything from google groups - locked out at work.

Thanks!

Will

[Will Ford [Wake Forest]]

I just wanted to circle back on this issue.  I'm am still having the issue and I'm not sure how to troubleshoot or resolve the issue I'm having.  I don't have the ability to download from this site due to IT Policy.  Should I try to get my hands on a different proxy.php or is there another modification I should try?

Thanks,

Will

[Will Ford [Wake Forest]]

Since I haven't heard anything I've been digging a bit more to solve my issue.  I'm not great with JS, but I can muddle my way through.  I've tracked back to the js-i2b2/cells/PM/PM_ctrlr.js file and noticed they are very different between the legacy client and the new one:

https://github.com/i2b2/i2b2-webclient/blob/main/js-i2b2/cells/PM/PM_ctrlr.js

https://github.com/i2b2/i2b2-webclient-classic/blob/master/js-i2b2/cells/PM/PM_ctrlr.js

I'm not entirely sure what the issue is, but digging around I noticed some things.  When I console.log the i2b2['PM'] object I see the following

- In .model.Domains, I see an array with item 0 that matches my i2b2_config_domains.json.  

- .cfg.cellURL is undefined

I checked the documentation, and per https://community.i2b2.org/wiki/display/getstarted/6.7+Authentication+in+i2b2 I don't need to make any configuration settings for Standard Auth.

Thanks,

Will

[Will Ford [Wake Forest]]

I was continuing to look through the code I have handy and noticed a few things:

the js-i2b2/cells/PM/i2b2_msgs.js file is different between my production copy and this 1.8.1 version even though the header content of the file lists it as unchanged (1.3 last updated 9-15-08).  

In the getUserAuth/message_header/security sectionit used to list domain/username/password, now has domain/username/ and something called sec_pass_node.  It looks like other calls in the past used this sec_pass_node, such as setProjectRequest, but not here (line 44).

[Will Ford [Wake Forest]]

I'm still looking at this and noticed something interesting.  I'm not sure if this is significant, but looking at the network calls I saw this error message:

Warning: session_start(): Session cannot be started after headers have already been sent in /var/www/html/proxy.php on line 58

Also, I was looking at the response and noticed the index.html on the new webclient has the old 1.7.09 block and vars - not sure if there are other differences.

Thanks,

Will

[Will Ford [Wake Forest]]

I went into the proxy.php file and added a phpinfo after the Blacklist and then commented everything below.  Then Navigated to proxy.php in my browser and generally everything looks as expected.

I remember reading something about using NodeJS rather than Apache - would I have a better experience going that route?  I need to get this upgrade underway because we need to move from basic auth to support our users in different domains.

Thanks,

Will

[Will Ford [Wake Forest]]

I've been looking through this and the problem I seem to be having is something around a "security fix" that was introduced in this proxy.php file. https://github.com/i2b2/i2b2-webclient/blob/main/proxy.php#L94C1-L94C94

That same fix wasn't present in the index.php file from the earlier version.  https://github.com/i2b2/i2b2-webclient-classic/blob/master/index.php

When I look at the response on the proxy.php file, I'm getting the following:

Warning: Undefined array key "port" in /var/www/html/proxy.php on line 109
Warning: Undefined array key "query" in /var/www/html/proxy.php on line 115
The proxy has refused to relay your request.

those lines are calling a sec_fix variable that is using the parse_url function from php https://www.php.net/manual/en/function.parse-url.php

In the latest changes to php, it looks like there's been some activity in the changelog around parse_url.

Can you describe what this security fix was trying to accomplish?  The note says: "SECURITY FIX: Prevent processing of any prepended user/pass when extracting the proxy URL," but I don't understand the context.

[Will Ford [Wake Forest]]

Can someone assist with this?  For I don't understand what "<redirect_url>" is supposed to be within the proxy.php file.  I don't think there's anything in place to replace this placeholder, and don't understand what the security fix note is trying to tell me about.

Thanks,

Will

[Vaibhav Talap]

Hello Will,

1. The Security Fix

The fix aims to mitigate potential vulnerabilities in the way proxy URLs are processed, specifically around user credentials being included in URLs. For example, URLs like:

http://username:password@host/path

could lead to unintended exposure of sensitive information (username and password). This behavior is controlled by the parse_url() function, which can extract components of a URL (scheme, host, port, path, etc.).

What the Fix Does

1. It ensures that any user (PHP_URL_USER) or password (PHP_URL_PASS) embedded in the proxyURL is ignored.
2. It reconstructs the URL after validating its components (scheme, host, port, path, etc.).
3. If the URL is malformed (e.g., missing a host or having an invalid scheme), the script exits immediately to avoid processing unsafe requests.

This prevents:
• Accidental inclusion of user credentials in logs or responses.
• Redirection to malformed or malicious URLs.


2. Purpose of <redirect_url>

<redirect_url> is a placeholder tag in the POST request body. The script extracts the content between <redirect_url> and </redirect_url> to get the URL the client is trying to access via the proxy.

Example:
If the POST body contains:

<proxy>
<redirect_url>http://example.com/resource</redirect_url>
</proxy>

The script extracts http://example.com/resource as the target URL for the proxy to relay the request.

Thanks,

Persistent Systems Support Team