Deploying aggregate server behind reverse proxy

Hello,

We are deploying the aggregate server behind a reverse proxy. We'd like to do SSL termination at the proxy for a variety of reasons but have run into some problems. I searched the forum and do not see any mention of this configuration, so thought I would ask.

The fundamental problem we have encountered so far is in our inability to change passwords because we are now dealing with "Mixed Content" - the page is served as https by our proxy, but a hardcoded request to /ssl/user-manage-passwords is being called over http.

I imagine someone has addressed this, and I am hoping they can help us find a good solution. Some thoughts on our end include the following options, each of which has its challenges:

  1. In the installation, choose the SSL option, which should create the hard-coded configuration for calls to HTTPS, but don't actually have an SSL cert on the server - not sure how to do this.

  2. Edit some property file so this hard coding doesn't happen or the hard coding is to HTTPS - I imagine this would be the security.properties file, but not sure.

  3. Edit source code - we are Java developers, but I don't have anyone available to work on this for a few weeks...

Thanks in advance.

Cord

You might be able to get around this by having the connection between the
proxy and the ODK Aggregate server be https (SSL). You could use a
self-signed cert for that link.

You would then run the ODK Aggregate installer, select that you do have an
SSL cert, etc. The hostname and ports would be the hostname and ports of
your proxy.

The proxy would terminate the external SSL connection and open an SSL
connection to the ODK Aggregate server. It would need to pass through the
server cookies; some of the more sensitive communications (e.g., change
password) use access to the session cookie to prevent XSS.

This should allow you to change passwords.

Changing the configuration to use http is probably not possible, as the web
page needs to know the schema to use for the AJAX request to change
passwords. So if you got Aggregate to accept http, you would probably also
have inadvertently changed the webpage so that it sent an http request.

··· On Tue, Oct 20, 2015 at 2:39 PM, wrote:

Hello,

We are deploying the aggregate server behind a reverse proxy. We'd like
to do SSL termination at the proxy for a variety of reasons but have run
into some problems. I searched the forum and do not see any mention of
this configuration, so thought I would ask.

The fundamental problem we have encountered so far is in our inability to
change passwords because we are now dealing with "Mixed Content" - the page
is served as https by our proxy, but a hardcoded request to
/ssl/user-manage-passwords is being called over http.

I imagine someone has addressed this, and I am hoping they can help us find a
good solution. Some thoughts on our end include the following options,
each of which has its challenges:

  1. In the installation, choose the SSL option, which should create the
    hard-coded configuration for calls to HTTPS, but don't actually have an SSL
    cert on the server - not sure how to do this.

  2. Edit some property file so this hard coding doesn't happen or the hard
    coding is to HTTPS - I imagine this would be the security.properties file,
    but not sure.

  3. Edit source code - we are Java developers, but I don't have anyone
    available to work on this for a few weeks...

Thanks in advance.

Cord


--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
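An added example, not part of the thread and not ODK Aggregate's own code: a small Python audit to run over responses captured through the TLS-terminating proxy, flagging the mixed-content request described above plus two related proxy symptoms (redirects built with http and session cookies without the Secure attribute). The host `odk.example.org`, the cookie and the page body are constructed samples; only the path `/ssl/user-manage-passwords` comes from the thread.

```python
import re
from urllib.parse import urlsplit

# Absolute http:// URLs embedded in markup or script text.
HTTP_URL = re.compile(r"""http://[^\s"'<>)]+""", re.IGNORECASE)


def audit_response(page_url, headers, body):
    """Return (kind, detail) findings for one response fetched via the proxy.

    headers is a list of (name, value) pairs so repeated Set-Cookie survive.
    """
    page = urlsplit(page_url)
    if page.scheme != "https":
        return [("not-https", page_url)]
    findings = []

    # 1. Same-host http:// URLs inside an https page: script/XHR requests to
    #    them are blocked by browsers as active mixed content.
    for url in sorted(set(HTTP_URL.findall(body))):
        if urlsplit(url).hostname == page.hostname:
            findings.append(("mixed-content", url))

    for name, value in headers:
        lname = name.lower()
        # 2. Backend built a redirect from its own (http) view of the request.
        if lname == "location" and value.lower().startswith("http://"):
            findings.append(("redirect-downgrade", value))
        # 3. Session cookie passed through, but allowed over plain http.
        if lname == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(("cookie-not-secure", value.split("=", 1)[0]))
    return findings


# Constructed sample: page served as https, password URL hardcoded as http.
SAMPLE_URL = "https://odk.example.org/index.html"
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "JSESSIONID=constructed123; Path=/; HttpOnly")]
SAMPLE_BODY = """<html><script>
var changePw = "http://odk.example.org/ssl/user-manage-passwords";
var help = "http://docs.example.net/help";
</script></html>"""

if __name__ == "__main__":
    for kind, detail in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind}: {detail}")
```

An empty result for the password-management page after reconfiguring the proxy and backend indicates the hardcoded URL is now emitted as https.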


Thank you Mitch. We'll let you know where we go with this.

··· On Tuesday, October 20, 2015 at 2:56:44 PM UTC-7, Mitch Sundt wrote: > On Tue, Oct 20, 2015 at 2:39 PM, wrote: