Bug 1162293

Summary: Unable to reverse proxy traffic to JON UI
Product: [JBoss] JBoss Operations Network Reporter: Viet Nguyen <vnguyen>
Component: UIAssignee: Libor Zoubek <lzoubek>
Status: CLOSED CURRENTRELEASE QA Contact: Viet Nguyen <vnguyen>
Severity: medium Docs Contact:
Priority: unspecified    
Version: JON 3.3.0CC: loleary, miburman, theute
Target Milestone: ER01   
Target Release: JON 3.3.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-27 19:58:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
nginx access.log none

Description Viet Nguyen 2014-11-10 18:57:47 UTC 
Use case: 

Set up a nginx reverse proxy to pass traffic to JON UI for load balancing/overcoming network restrictions.

Internet -> public_ip -> nginx -> http://localhost:7080 (or private internal ip)


Version-Release number of selected component (if applicable):
JON3.3

How reproducible:
100%

Steps to Reproduce:
0. install JON
1. install nginx 
2. create the following config file in 

# cat /etc/nginx/conf.d/jon.conf

server {
   listen 80;

   location / {
      proxy_pass http://localhost:7080/;
   }
}

# reload config
# nginx -s reload

3. Verify JON is up @ http://<host>:7080

4. Turn on Firebugs and access JON via the proxy @ http://<host>:80
You'll get the usual error message for bad login credential. For correct credential JON seems to try to load the next page then show the login page.

Firebugs log: "SEVERE: RHQ server was probably restarted. Showing the login page."
Comment 2 Libor Zoubek 2014-11-12 09:01:33 UTC 
This issue happens because JON GWT client sends "RHQ_Session" http header to server to authorize itself (once it recieves value during login process). By default headers containing underscore are ignored by nginx and not bypassed to backend server. Viet, you can enable it this way:

server {
   listen 80;
   underscores_in_headers on;
   location / {
      proxy_pass http://localhost:7080/;
   }
}

then you should be able to log in.

Fix for this BZ is to rename RHQ_Session header to RHQ-Session, then it will work behind nginx without underscores_in_headers.
Comment 3 Viet Nguyen 2014-11-12 14:30:09 UTC 
Thanks. That works!  Keeping the BZ open as this tweak is worth a KB entry.
Comment 4 Libor Zoubek 2014-11-13 09:35:29 UTC 
branch:  master
link:    https://github.com/rhq-project/rhq/commit/d497b14b8
time:    2014-11-13 10:33:00 +0100
commit:  d497b14b896fb2c25253f0d32a5598b5c8685046
author:  Libor Zoubek - lzoubek
message: Bug 1162293 - Unable to reverse proxy traffic to JON UI

         Got rid of _ in RHQ specific HTTP header names, so when running
         behind nginx, directive underscores_in_headers on; is on longer
         required
Comment 6 Michael Burman 2015-01-14 07:04:51 UTC 
Cherry-picked to release/jon3.3.x:

commit 48d455eb4bece45e031ff741b2484329d537679d
Author: Libor Zoubek <lzoubek>
Date:   Thu Nov 13 10:33:00 2014 +0100

    Bug 1162293 - Unable to reverse proxy traffic to JON UI
    
    Got rid of _ in RHQ specific HTTP header names, so when running behind
    nginx, directive underscores_in_headers on; is on longer required
    
    (cherry picked from commit d497b14b896fb2c25253f0d32a5598b5c8685046)
Comment 7 Simeon Pinder 2015-01-26 08:15:04 UTC 
Moving to ON_QA as available for test with the latest 3.3.1.ER01 bits from here:
http://download.devel.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/12/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip
Comment 8 Viet Nguyen 2015-01-27 20:58:08 UTC 
I can now log in JON via reserve proxy URL
Comment 9 Viet Nguyen 2015-01-27 20:59:18 UTC 
Created attachment 984872 [details]
nginx access.log