-
-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UI not working behind reverse proxy #656
Comments
Sorry for the late reply – we are going to look into the issue and will fix it with the next release. Minor question: Doesn’t the reverse proxy rewrite the Location header in a 3xx response? |
A typical Apachew config snippet will look like this:
In this case, yes, the Apache server will rewrite any Location response header field. But only if its value starts with Otherwise, the value stays unmodified. |
Ah! So adding a config parameter for the authority portion of the URI would be a solution here? |
It not only the Location header. Resource references within HTML pages also start with a leading "/ui" . So if a config parameter would fix both cases then yes, that might be a solution. |
Finally picking this up again – sorry again for the delays. Using relative references in the UI app turns out tricky. But, an alternative option would be to deploy the UI separately. It can build with a changed base path and Routinator API path. Would that be an option for you? |
Hm. At least ti might be a workaround. With an origin server behind a reverse proxy, you will sometimes want to be able to use both access paths in parallel. Directly to the origin server an via reverse proxy. So in both scenarios the UI should be working. Deploying the UI with modifying the base path and Routinator API path might allow that. Only if you want to adjust the visible path on the reverse proxy (an infrequent operation), you have to remember to adjust the paths on the origin server accordingly. However, an important aspect would be that the references in the UI do not contain the origin part of the access URI (https://<host>:<port>), since this would prevent parallel access. |
My first impulse was to provide a pull request. But I did not find an easy obvious place where a quick moderate change would be enough. 😉 |
Could a similar approach that Graylog uses work here also? If the software is hosted behind a reverse proxy, the proxy can insert a header which is the root URL of the application behind the proxy server. Then the actual application server uses that URL to generate all links and URLS for that connection. Each reverse proxy can have their own configs and the server respects the provided information. So the user would just need to set the correct header and allow these in the application (by default these are not trusted). Example for Graylog: Another way would be to configure a directory prefix for routinator eg. /routinator/. Then the reverse proxy would work just fine. |
We were planning on coming back to this as part of the next release since we rebuilt the entire UI. The idea would be that if you need a special location for the UI, you can build it directly for your needs from the repository. That will end up as a bunch of assets that you can then just serve as files and only need a reverse proxy to provide access the the /api endpoint. When building the UI, you can specify where that lives as well, so it can also be anywhere. Would that be an option? For reference, the UI is here: https://github.com/NLnetLabs/routinator-ui/ – there’s some instruction in the README, but we’d provide detailed building instructions as part of the Routinator manual. PS: The new UI will work with older versions of Routinator as well, in case you want to give it a try. |
Would this work for the binary package as well? If so, then this would work totally fine but one annoyance comes to mind - if the web-part of the application gets updated, the administrator would need to manually build the UI part. But even so, the build command could be setup to run for example as a systemd preexec line so that will always be run when the software starts. |
Version: Routinator 0.10.1
Platform: Ubuntu 20.04 Docker image on Debian host
Context:
We are running Routinator as a docker container internally for a leading german Telecom provider.
In our scenario the Routinator instance is only accessible via a reverse proxy. The proxy also adjusts the exposed URIs:
https://[rev-proxy.company.de]/rpki/routinator/[forwarded-path]
Problem:
This common reverse proxy scenario is currently not supported by the UI.
/
triggers a 301 redirect response with Location header field/ui/
, which will usually not be rewritten by the reverse proxy, since it's not an absolute URI.<link href="/ui/css/app.css" rel="stylesheet">
. The user agents will resolve these references according to RFC 7231 ashttps://[rev-proxy.company.de]/ui/[asset-path]
.In both cases the resulting URI will be denied by the reverse proxy.
Expected:
ui/
,../ui/
orhttp://<origin.server.name>/ui/
.<link href="ui/css/app.css" rel="stylesheet">
, or<link href="../ui/css/app.css" rel="stylesheet">
The text was updated successfully, but these errors were encountered: