Bug 1162293 - Unable to reverse proxy traffic to JON UI
Summary: Unable to reverse proxy traffic to JON UI
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: UI
Version: JON 3.3.0
Hardware: x86_64
OS: Linux
Target Milestone: ER01
: JON 3.3.1
Assignee: Libor Zoubek
QA Contact: Viet Nguyen
Depends On:
TreeView+ depends on / blocked
Reported: 2014-11-10 18:57 UTC by Viet Nguyen
Modified: 2015-11-02 00:44 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2015-02-27 19:58:18 UTC

Attachments (Terms of Use)
nginx access.log (68.86 KB, text/plain)
2015-01-27 20:59 UTC, Viet Nguyen
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 1215648 None None None Never

Internal Trackers: 1215648

Description Viet Nguyen 2014-11-10 18:57:47 UTC
Use case: 

Set up a nginx reverse proxy to pass traffic to JON UI for load balancing/overcoming network restrictions.

Internet -> public_ip -> nginx -> http://localhost:7080 (or private internal ip)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. install JON
1. install nginx 
2. create the following config file in 

# cat /etc/nginx/conf.d/jon.conf

server {
   listen 80;

   location / {
      proxy_pass http://localhost:7080/;

# reload config
# nginx -s reload

3. Verify JON is up @ http://<host>:7080

4. Turn on Firebugs and access JON via the proxy @ http://<host>:80
You'll get the usual error message for bad login credential. For correct credential JON seems to try to load the next page then show the login page.

Firebugs log: "SEVERE: RHQ server was probably restarted. Showing the login page."

Comment 2 Libor Zoubek 2014-11-12 09:01:33 UTC
This issue happens because JON GWT client sends "RHQ_Session" http header to server to authorize itself (once it recieves value during login process). By default headers containing underscore are ignored by nginx and not bypassed to backend server. Viet, you can enable it this way:

server {
   listen 80;
   underscores_in_headers on;
   location / {
      proxy_pass http://localhost:7080/;

then you should be able to log in.

Fix for this BZ is to rename RHQ_Session header to RHQ-Session, then it will work behind nginx without underscores_in_headers.

Comment 3 Viet Nguyen 2014-11-12 14:30:09 UTC
Thanks. That works!  Keeping the BZ open as this tweak is worth a KB entry.

Comment 4 Libor Zoubek 2014-11-13 09:35:29 UTC
branch:  master
link:    https://github.com/rhq-project/rhq/commit/d497b14b8
time:    2014-11-13 10:33:00 +0100
commit:  d497b14b896fb2c25253f0d32a5598b5c8685046
author:  Libor Zoubek - lzoubek@redhat.com
message: Bug 1162293 - Unable to reverse proxy traffic to JON UI

         Got rid of _ in RHQ specific HTTP header names, so when running
         behind nginx, directive underscores_in_headers on; is on longer

Comment 6 Michael Burman 2015-01-14 07:04:51 UTC
Cherry-picked to release/jon3.3.x:

commit 48d455eb4bece45e031ff741b2484329d537679d
Author: Libor Zoubek <lzoubek@redhat.com>
Date:   Thu Nov 13 10:33:00 2014 +0100

    Bug 1162293 - Unable to reverse proxy traffic to JON UI
    Got rid of _ in RHQ specific HTTP header names, so when running behind
    nginx, directive underscores_in_headers on; is on longer required
    (cherry picked from commit d497b14b896fb2c25253f0d32a5598b5c8685046)

Comment 7 Simeon Pinder 2015-01-26 08:15:04 UTC
Moving to ON_QA as available for test with the latest 3.3.1.ER01 bits from here:

Comment 8 Viet Nguyen 2015-01-27 20:58:08 UTC
I can now log in JON via reserve proxy URL

Comment 9 Viet Nguyen 2015-01-27 20:59:18 UTC
Created attachment 984872 [details]
nginx access.log

Note You need to log in before you can comment on or make changes to this bug.