exist-development

[Exist-development] Problem with XQuery URL Rewrite behind reverse proxy

[Adam R. <ad...@ex...>]

I am attempting to use XQueryURLRewrite behind a reverse proxy, and
would ideally like to use configuration in controller-config.xml
similar to the following -

<root server-name="www.adamretter.org.uk" pattern="/*"
path="xmldb:exist:///db/adamretter.org.uk/"/>
<root server-name="www.expath.org" pattern="/*"
path="xmldb:exist:///db/expath.org/"/>
<root server-name="www.xquery.org.uk" pattern="/*"
path="xmldb:exist:///db/xquery.org.uk/"/>

However the server-name is evaluated against the request server name
(see lines 121 and 152 of org/exist/http/urlrewrite/RewriteConfig and
line 423 of org/exist/http/urlrewrite/XQueryURLRewrite).

If you are behind a reverse proxy then the server name will always be
localhost, I think we should make a configurable change here so that
the server name can either be taken from
HttpServletRequestWrapper.getServerName() or a http header set by the
reverse proxy - e.g.
HttpServletRequestWrapper.getHeader("X-Forwarded-For").

I would propose that this configurable option needs to go in the
filter config, e.g. -


<filter enabled="yes" path="/*"
class="org.exist.http.urlrewrite.XQueryURLRewrite">
        <param name="config" value="xmldb:exist:///db/controller-config.xml"/>

        <!-- override the server name src -->
        <param name="server-name-header">X-Forwarded-For</param>
</filter>


All seem okay with everyone?

There may be other aspects of the URL that we may want to make
configurable if you are running behind a reverse proxy?

Cheers Adam.


-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] Problem with XQuery URL Rewrite behind reverse proxy

[Dannes W. <da...@ex...>]

Hi,

On Tue, Jun 15, 2010 at 12:14 AM, Adam Retter <ad...@ex...> wrote:

> There may be other aspects of the URL that we may want to make
> configurable if you are running behind a reverse proxy?

This has been on my list quite some time... good to see that others
have the same issue as well. I guess the issue is much broader, in the
'request' function-namespace there are a few functions affected by the
same subject... and the webstart functionality as well.

Probably it should be an database wide configuration item.

Please read the 'specs' carefully... there are a few implementations
that do approximately the same. E.g.
http://en.wikipedia.org/wiki/X-Forwarded-For

You cannot use the header right away, it must be parsed first (take
first item of list? or last?)

read more on http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
(revere proxy headers), there are a few more headers you could
check...... be aware of that!

cheers

Dannes



-- 
eXist-db Native XML Database - http://exist-db.org
Join us on linked-in: http://www.linkedin.com/groups?gid=35624

Re: [Exist-development] Problem with XQuery URL Rewrite behind reverse proxy

[José M. F. G. <jm...@us...>]

Hi Adam,
	I think HTTP header X-Forwarded-For is not the one you need. It is attached and updated by proxies (it can contain more than one address), and it contains the host names or IP addresses from the sender or senders of the request (the original machine plus the previous crossed proxies in the query journey). <offtopic>But, if the proxy attaches the IP address instead of the DNS name, and multiple DNS names resolve to the same IP address, you are busted.</offtopic>

	As Dannes has written, you should read more on http://httpd.apache.org/docs/2.2/mod/mod_proxy.html . There you can find the header you probably need, which is X-Forwarded-Host . But as I don't know its behavior, I cannot give you more details.

	Good luck!
		José María

On 06/15/10 08:13, Dannes Wessels wrote:
> Hi,
>
> On Tue, Jun 15, 2010 at 12:14 AM, Adam Retter<ad...@ex...>  wrote:
>
>> There may be other aspects of the URL that we may want to make
>> configurable if you are running behind a reverse proxy?
>
> This has been on my list quite some time... good to see that others
> have the same issue as well. I guess the issue is much broader, in the
> 'request' function-namespace there are a few functions affected by the
> same subject... and the webstart functionality as well.
>
> Probably it should be an database wide configuration item.
>
> Please read the 'specs' carefully... there are a few implementations
> that do approximately the same. E.g.
> http://en.wikipedia.org/wiki/X-Forwarded-For
>
> You cannot use the header right away, it must be parsed first (take
> first item of list? or last?)
>
> read more on http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
> (revere proxy headers), there are a few more headers you could
> check...... be aware of that!
>
> cheers
>
> Dannes
>
>
>

-- 
"La violencia es el último recurso del incompetente"
	- Salvor Hardin en "La Fundación" de Isaac Asimov
"Premature optimization is the root of all evil." - Donald Knuth

José María Fernández González
e-mail: jos...@gm...

Re: [Exist-development] Problem with XQuery URL Rewrite behind reverse proxy

[Adam R. <ad...@ex...>]

Okay I have managed to get around to finally fixing the issues I was
experiencing. The problem was not with the server name itself. I use
nginx as my reverse proxy and I can configure nginx to correctly pass
the server name directly to eXist in the proxied request by setting -

proxy_set_header        Host                    $host;

There was then an issue with the server-name checks you can setup in
controller-config.xml when searching for controller.xql files. I have
now fixed these as revision 12650.

Cheers Adam.


-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb



2010/6/15 José María Fernández González <jm...@us...>:
> Hi Adam,
>        I think HTTP header X-Forwarded-For is not the one you need. It is
> attached and updated by proxies (it can contain more than one address), and
> it contains the host names or IP addresses from the sender or senders of the
> request (the original machine plus the previous crossed proxies in the query
> journey). <offtopic>But, if the proxy attaches the IP address instead of the
> DNS name, and multiple DNS names resolve to the same IP address, you are
> busted.</offtopic>
>
>        As Dannes has written, you should read more on
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html . There you can find the
> header you probably need, which is X-Forwarded-Host . But as I don't know
> its behavior, I cannot give you more details.
>
>        Good luck!
>                José María
>
> On 06/15/10 08:13, Dannes Wessels wrote:
>>
>> Hi,
>>
>> On Tue, Jun 15, 2010 at 12:14 AM, Adam Retter<ad...@ex...>  wrote:
>>
>>> There may be other aspects of the URL that we may want to make
>>> configurable if you are running behind a reverse proxy?
>>
>> This has been on my list quite some time... good to see that others
>> have the same issue as well. I guess the issue is much broader, in the
>> 'request' function-namespace there are a few functions affected by the
>> same subject... and the webstart functionality as well.
>>
>> Probably it should be an database wide configuration item.
>>
>> Please read the 'specs' carefully... there are a few implementations
>> that do approximately the same. E.g.
>> http://en.wikipedia.org/wiki/X-Forwarded-For
>>
>> You cannot use the header right away, it must be parsed first (take
>> first item of list? or last?)
>>
>> read more on http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
>> (revere proxy headers), there are a few more headers you could
>> check...... be aware of that!
>>
>> cheers
>>
>> Dannes
>>
>>
>>
>
> --
> "La violencia es el último recurso del incompetente"
>        - Salvor Hardin en "La Fundación" de Isaac Asimov
> "Premature optimization is the root of all evil." - Donald Knuth
>
> José María Fernández González
> e-mail: jos...@gm...
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb