1162293 – Unable to reverse proxy traffic to JON UI

Bug 1162293 - Unable to reverse proxy traffic to JON UI

Summary: Unable to reverse proxy traffic to JON UI

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Operations Network
Classification:	JBoss
Component:	UI
Sub Component:
Version:	JON 3.3.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	ER01
Target Release:	JON 3.3.1
Assignee:	Libor Zoubek
QA Contact:	Viet Nguyen
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-11-10 18:57 UTC by Viet Nguyen
Modified:	2015-11-02 00:44 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-02-27 19:58:18 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
nginx access.log (68.86 KB, text/plain) 2015-01-27 20:59 UTC, Viet Nguyen	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1215648	0	unspecified	CLOSED	Reverse proxy in front of JBoss ON does not render the login page but shows the html source of the page	2021-02-22 00:41:40 UTC

Internal Links: 1215648

Description Viet Nguyen 2014-11-10 18:57:47 UTC

Use case: 

Set up a nginx reverse proxy to pass traffic to JON UI for load balancing/overcoming network restrictions.

Internet -> public_ip -> nginx -> http://localhost:7080 (or private internal ip)


Version-Release number of selected component (if applicable):
JON3.3

How reproducible:
100%

Steps to Reproduce:
0. install JON
1. install nginx 
2. create the following config file in 

# cat /etc/nginx/conf.d/jon.conf

server {
   listen 80;

   location / {
      proxy_pass http://localhost:7080/;
   }
}

# reload config
# nginx -s reload

3. Verify JON is up @ http://<host>:7080

4. Turn on Firebugs and access JON via the proxy @ http://<host>:80
You'll get the usual error message for bad login credential. For correct credential JON seems to try to load the next page then show the login page.

Firebugs log: "SEVERE: RHQ server was probably restarted. Showing the login page."

Comment 2 Libor Zoubek 2014-11-12 09:01:33 UTC

This issue happens because JON GWT client sends "RHQ_Session" http header to server to authorize itself (once it recieves value during login process). By default headers containing underscore are ignored by nginx and not bypassed to backend server. Viet, you can enable it this way:

server {
   listen 80;
   underscores_in_headers on;
   location / {
      proxy_pass http://localhost:7080/;
   }
}

then you should be able to log in.

Fix for this BZ is to rename RHQ_Session header to RHQ-Session, then it will work behind nginx without underscores_in_headers.

Comment 3 Viet Nguyen 2014-11-12 14:30:09 UTC

Thanks. That works!  Keeping the BZ open as this tweak is worth a KB entry.

Comment 4 Libor Zoubek 2014-11-13 09:35:29 UTC

branch:  master
link:    https://github.com/rhq-project/rhq/commit/d497b14b8
time:    2014-11-13 10:33:00 +0100
commit:  d497b14b896fb2c25253f0d32a5598b5c8685046
author:  Libor Zoubek - lzoubek
message: Bug 1162293 - Unable to reverse proxy traffic to JON UI

         Got rid of _ in RHQ specific HTTP header names, so when running
         behind nginx, directive underscores_in_headers on; is on longer
         required

Comment 6 Michael Burman 2015-01-14 07:04:51 UTC

Cherry-picked to release/jon3.3.x:

commit 48d455eb4bece45e031ff741b2484329d537679d
Author: Libor Zoubek <lzoubek>
Date:   Thu Nov 13 10:33:00 2014 +0100

    Bug 1162293 - Unable to reverse proxy traffic to JON UI
    
    Got rid of _ in RHQ specific HTTP header names, so when running behind
    nginx, directive underscores_in_headers on; is on longer required
    
    (cherry picked from commit d497b14b896fb2c25253f0d32a5598b5c8685046)

Comment 7 Simeon Pinder 2015-01-26 08:15:04 UTC

Moving to ON_QA as available for test with the latest 3.3.1.ER01 bits from here:
http://download.devel.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/12/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip

Comment 8 Viet Nguyen 2015-01-27 20:58:08 UTC

I can now log in JON via reserve proxy URL

Comment 9 Viet Nguyen 2015-01-27 20:59:18 UTC

Created attachment 984872 [details]
nginx access.log

Note You need to log in before you can comment on or make changes to this bug.