Websocket configuration on apache reverse proxy.

Fernando Carpani

May 29, 2024, 3:44:32 PM
to inception-users
Hello.
Finally I have the installation of 32.3 working behind one reverse proxy.

But, the websocket configuration is tricky :-).

I'm using Apache 2.4.37 on CentOS 8. This version doesn't support (apparently) the upgrade to websocket in proxy_http.

I can access Inception with two addresses: http://localhost:20580/inception or http://localhost:20580/<some path>/inception .... and both are working.

So, I've used the "old" configuration using mod_rewrite, but in my client (Brave - Chrome), I still have:

WebSocket connection to 'ws://localhost/inception/ws' failed: ...

Some questions about this address:

  • This address must not be changed by something like ws://localhost:20580/inception/ws ?
  • Is there some configuration to control how this address is generated by Inception?
Thanks.
FDO.
I could see that the ws

Richard Eckart de Castilho

May 30, 2024, 2:46:36 AM
to incepti...@googlegroups.com
Hi,

> On 29. May 2024, at 21:44, Fernando Carpani <fernando...@gmail.com> wrote:
>
> • This address, must not be changed by something like ws://localhost:20580/inception/ws ?

If your Apache HTTPD reverse proxy is running on a non-standard port (e.g. 20580 instead of 80 or 443),
then yes.

> • There is some configuration to control how this address is generated by Inception?

Normally, INCEpTION gets the address from the reverse proxy.

Could you please access the Administration page within INCEpTION. There should be a list
of flags by which INCEpTION tries to self-check a correct reverse proxy configuration and give hints
(note this is still under development and may not be perfect).

In particular, there should be a "Client URL" and "Server URL" line which tell us if the URL
you enter in the browser is matching the one seen by INCEpTION.

-- Richard

Fernando Carpani

May 30, 2024, 8:40:04 AM
to incepti...@googlegroups.com
Hello again and thanks for the answer.

The 20580 is not the proxy port. It's a ssh tunnel port to reach the proxy on 80. In the future, we need to pass through another proxy but we don't have administrator rights on that proxy. 

The addresses from the view of Inception are, initially, correct:
image.png
We have some options:
  • If the server URL is taken from some header, we can try to edit (or create) the header in the proxy, but which header? The Forwarded for or by or X-Forwarded?
  • In the browser, we can see the following: image.png
  • So if we can use mod_substitute or mod_sed, in theory, we can edit this content.
Are we right with these options? Are there some other options which we don't see?

Thanks.
FDO.

Richard Eckart de Castilho

May 30, 2024, 8:58:35 AM
to incepti...@googlegroups.com
Hi,

> The addresses from the view of Inception are, initially, correct:

If the server URL does not start with the client URL, then it is not correctly set up.

Client URL: http://localhost:20580/mh/dev/inception/manage/overview.html
Server URL: http://localhost/inception

> The 20580 is not the proxy port. It's a ssh tunnel port to reach the proxy on 80. In the future, we need to pass through another proxy but we don't have administrator rights on that proxy.

If you want to test your setup using an ssh tunnel, you would need to do this:

- create an alias for your public INCEpTION host name using the address 127.0.0.1 in your /etc/hosts file
- set up the ssh tunnel to forward local port 80 (or 443) to port 80 (or 443) on your reverse proxy host
(see https://unix.stackexchange.com/questions/554141/ssh-remoteportforw-binding-privileged-port)

When you now tell your browser to connect to your public INCEpTION host, the request should instead go through the ssh tunnel to the reverse proxy and from there to INCEpTION.

Do not forget to remove the entry in /etc/hosts again when you close the ssh tunnel.

Now you should be able to see if INCEpTION gets the correct headers from your reverse proxy. If it does, then the client URL listed on the administration page should start with the server URL.

Your proxy should provide these headers:

- x-forwarded-for - IP of the browser initiating the request
- x-forwarded-host - host requested by the browser
- x-forwarded-port - port requested by the browser
- x-forwarded-proto - protocol requested by the browser

The WS connection URL will be constructed using proto + host + port as well as the server.servlet.context-path from your `settings.properties`.

<proto>://<host>(:<port>)/<server.servlet.context-path>

So what you want to see on the administration page is probably this:

Client URL: http://<my.public.host>/mh/dev/inception/manage/overview.html
Server URL: http://<my.public.host>/mh/dev/inception

Cheers,

-- Richard
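
The URL rule and the Client URL / Server URL comparison described in the reply above, as an added sketch that is not part of the thread and not INCEpTION's own code. Omitting the default port, mapping http to ws (https to wss), and the helper names are assumptions; the `/ws` suffix is taken from the error message in the first post.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def server_url(headers, context_path):
    """Build <proto>://<host>(:<port>)/<context-path> from the forwarded headers."""
    h = {k.lower(): v.split(",")[0].strip() for k, v in headers.items()}
    proto = h.get("x-forwarded-proto", "http").lower()
    fwd_host = urlsplit("//" + h["x-forwarded-host"])
    port = int(h.get("x-forwarded-port") or fwd_host.port or DEFAULT_PORTS[proto])
    netloc = fwd_host.hostname
    if port != DEFAULT_PORTS[proto]:  # assumption: default port is left out
        netloc += f":{port}"
    return f"{proto}://{netloc}/{context_path.strip('/')}"


def websocket_url(headers, context_path):
    """Assumption: http maps to ws, https to wss; '/ws' is taken from the error."""
    return "ws" + server_url(headers, context_path)[len("http"):] + "/ws"


def check(client_url, headers, context_path):
    """List the parts of the browser URL that disagree with the server URL."""
    srv = urlsplit(server_url(headers, context_path))
    cli = urlsplit(client_url)
    problems = []
    if srv.scheme != cli.scheme:
        problems.append(f"proto: server={srv.scheme} client={cli.scheme}")
    if srv.hostname != cli.hostname:
        problems.append(f"host: server={srv.hostname} client={cli.hostname}")
    srv_port = srv.port or DEFAULT_PORTS[srv.scheme]
    cli_port = cli.port or DEFAULT_PORTS.get(cli.scheme)
    if srv_port != cli_port:
        problems.append(f"port: server={srv_port} client={cli_port}")
    if not cli.path.startswith(srv.path.rstrip("/") + "/"):
        problems.append(f"path: client path is not under {srv.path}")
    return problems


# Constructed headers matching the "Server URL: http://localhost/inception" case.
TUNNEL = {"X-Forwarded-Proto": "http", "X-Forwarded-Host": "localhost",
          "X-Forwarded-Port": "80"}
CLIENT = "http://localhost:20580/mh/dev/inception/manage/overview.html"

if __name__ == "__main__":
    print(websocket_url(TUNNEL, "/inception"))
    for line in check(CLIENT, TUNNEL, "/inception"):
        print(line)
```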

Richard Eckart de Castilho

May 30, 2024, 9:02:24 AM
to incepti...@googlegroups.com

> On 30. May 2024, at 14:39, Fernando Carpani <fernando...@gmail.com> wrote:
>
> In the future, we need to pass through another proxy but we don't have administrator rights on that proxy.

Mind that you do not have to set up your own reverse proxy if there is already one running at your institution.

You can have your institution's reverse proxy connect directly to your INCEpTION instance - just provide the proxy admins with the setup instructions from the INCEpTION Admin Guide so they know how they need to set up the connection.

Having only one reverse proxy instead of a chain of proxies can make things significantly easier.

Cheers,

-- Richard

Fernando Carpani

May 30, 2024, 9:17:02 AM
to incepti...@googlegroups.com
Thanks! I'll try that!
FDO.

Fernando Carpani

May 30, 2024, 9:36:51 AM
to incepti...@googlegroups.com
Most institutions don't need to set up a second reverse proxy, but we think that we need to:
  • We make prototypes that have security restrictions because we are working on (and testing Inception with) some sensible information. These restrictions are enforced by the second proxy.
  • The institutional system administration is responsible for the systems of 11 institutes and some administrative service. Any detailed configuration is delayed until our time and we need to test changes before that time. If we send some kind of solution, then they can be put in production faster.
We'll try your suggestions!
Thanks
FDO
