XNAT behind a VIP


Gary Bennett

Nov 14, 2022, 10:33:26 AM
to xnat_discussion
I would like to configure my XNAT to terminate SSL on a load-balancer VIP.  However, when the VIP passes 8080 traffic to the internal host, subsequent URLs use the internal host name and not the VIP FQDN.  What can I change so that all connections go through the VIP?

TIA for any assistance or suggestions.


gary

Rick Herrick

Nov 14, 2022, 12:43:21 PM
to xnat_di...@googlegroups.com
That really depends on what you're using for the load balancer. It should be translating URLs back and forth, usually based on header values. For example, with nginx you can do something like this:

proxy_pass                          http://localhost:8080;
proxy_redirect                      http://localhost:8080 $scheme://localhost;
proxy_set_header Host               $host;
proxy_set_header X-Real-IP          $remote_addr;
proxy_set_header X-Forwarded-Host   $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;

This sends requests on to localhost port 8080, which is where Tomcat is running relative to the nginx instance. The other headers help keep track of the IP address where the request originally came from (since it'll look to Tomcat like it came from localhost), the original host name (i.e. the address for the VIP), etc.

When XNAT itself cooks up URLs it should always be using the site URL, so you should make sure that's set to the VIP address.


Gary Bennett

Nov 15, 2022, 9:41:44 AM
to xnat_di...@googlegroups.com
Thanks, Rick. I'm not using an intermediate Apache or nginx proxy. Have a Netscaler VIP that redirects to port 8080 on the internal FQDN:

Internal host:   res-xnat.ahc.ufl.edu

- Requests to https://resxnat.ufhealth.org/xnat (VIP) are redirected to res-xnat.ahc.ufl.edu:8080 (internal host)
- The URL becomes https://resxnat.ufhealth.org/xnat/app/template/Login.vm#!.   (shows the VIP, not the internal host)
- If the acct already exists and login successful, goes to https://resxnat.ufhealth.org/xnat/app/template/Index.vm?login=true  (shows the VIP, not the internal host)  This is all good and all traffic still going through VIP.

However, if the acct doesn't exist, the login attempt goes to http://res-xnat.ahc.ufl.edu:8080/xnat/app/template/RegisterExternalLogin.vm#! (reflects the internal host and isn't using the VIP ssl port).  If I substitute the part in bold above w/the VIP resxnat.ufhealth.org, works as expected.

It only fails in the case that the acct hasn't been approved yet. Is there any config change I can make? 

Thanks, again, for your assistance.


gary
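
The redirect behaviour described in this thread can be checked mechanically. The following is an added example, not part of the original posts and not XNAT code: it classifies Location headers observed by a client and flags any that expose the internal host or drop from HTTPS to plain HTTP. The host names come from the thread; the function names and the sample redirect list are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Values taken from the thread: the public VIP origin, and backend names
# that should never appear in a client-visible URL.
PUBLIC_ORIGIN = "https://resxnat.ufhealth.org"
INTERNAL_HOSTS = {"res-xnat.ahc.ufl.edu", "localhost"}
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or _DEFAULT_PORTS.get(scheme)


def check_redirect(request_url, location):
    """Return findings for one Location header; an empty list means it stays on the VIP."""
    # A relative Location resolves against the request URL, so it stays on the VIP.
    target = urljoin(request_url, location)
    scheme, host, port = _origin(target)
    findings = []
    if host in INTERNAL_HOSTS:
        findings.append("internal-host-exposed")
    if scheme != "https":
        findings.append("tls-downgrade")
    if not findings and (scheme, host, port) != _origin(PUBLIC_ORIGIN):
        findings.append("off-origin")
    return findings


def audit(pairs):
    """Map each Location that leaves the VIP to its list of findings."""
    return {loc: f for req, loc in pairs if (f := check_redirect(req, loc))}


# Constructed sample modelled on the three redirects described in the thread.
LOGIN = "https://resxnat.ufhealth.org/xnat/app/template/Login.vm"
SAMPLE = [
    ("https://resxnat.ufhealth.org/xnat", LOGIN),
    (LOGIN, "/xnat/app/template/Index.vm?login=true"),
    (LOGIN, "http://res-xnat.ahc.ufl.edu:8080/xnat/app/template/RegisterExternalLogin.vm"),
]

if __name__ == "__main__":
    for loc, findings in audit(SAMPLE).items():
        print(loc, findings)
```
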

