Installing ODK Aggregate behind an SSL load balancer - issues

What is the problem? Please be detailed.

I have installed ODK Aggregate on an EC2 instance behind an application load balancer on AWS. I have overcome a number of issues so far with the installation and succeeded in getting the web UI working and logging in. However, changing the password of a user is not working: it tries to use HTTP rather than HTTPS in one configuration, or, if it tries HTTPS, it gets into an infinite redirect loop.

What ODK tool and version are you using? And on what device and operating system version?

ODK v1.4.12 on Amazon Linux

What steps can we take to reproduce the problem?

Set up an application load balancer with an SSL certificate. Set up ODK Aggregate on the server running on port 8080, then Apache on port 80, which redirects to port 8080. The load balancer listens on port 443 (HTTPS) and forwards the request on port 80 to the EC2 instance.

What have you tried to fix the problem?

In the security.properties file I have tried:

security.server.secureChannelType=ANY_CHANNEL
security.server.channelType=ANY_CHANNEL
security.server.port=80
security.server.securePort=443

which allows the load balancer to redirect to the server and a user can log in.

However, the password change directs to the link using HTTP rather than HTTPS. If I change security.server.secureChannelType to REQUIRES_SECURE_CHANNEL then it links to HTTPS, but then there are infinite redirects.

I think it is because Aggregate gets the incoming request over HTTP from the load balancer and therefore thinks it is not secure and redirects to HTTPS. How can I tell it not to care what it gets?

I think this is similar to ODK Redirection Issue - Way to Edit Redirection Path Manually? and the OP never responded, but I looked around a bit and I don't think running behind an SSL load balancer is currently possible.

Mitch noted last year at Aggregate Redirect Loop that

You must choose a specific hostname and port for ODK Aggregate, and you must specify that hostname and port when you run the installer. We require this because (1) exports to CSV and KML files include embedded links back to the server, (2) publishers transmit embedded links in the rows sent to external servers, (3) SSL certificates are bound to specific hostnames, (4) if using a proxy or load balancer, the load balancer's public name will be different than the local hostname. For all of these reasons, and to minimize support and configuration problems, we require and enforce all links and pages to be under a specific user-specified hostname and port.

@ggalmazor How is your load balance fu?

That makes sense: Aggregate's hostname should be set to the balancer's DNS name for all those reasons Mitch gives.

However, I can see the problem @markb describes happening when it's the balancer that is adding the SSL layer.

I haven't studied that part of Aggregate yet, but it seems like what we would need is something like the ANY_CHANNEL config in the security section that also generates links with the HTTPS scheme. I don't know if such a configuration is currently possible.

Hi all,

I'm the previous OP from the load balancer issue mentioned before.

The last thing we tried was to bridge the SSL between the load balancer and the domain name for the VM, but it didn't work either. Happy to help with testing on any of these issues as well, but I can imagine this configuration might not be possible.

Thanks,
Kyle


@Kyle and @markb, @ggalmazor just filed an issue at https://github.com/opendatakit/aggregate/issues/253 so we can fix this in Aggregate. Once we have a potential fix, would either of you be able to try it?

I would be happy to try it. I'll monitor the issue, but just let me know when you have a fix.

Thanks to everyone for all the work on this!
Kyle

Hi, @kyle!

We have worked out a fix for the same setup you're trying to make work (PR #254).

It'd be great to get your feedback if you're willing to try it in your environment. You can get a WAR file with the fix here. You will have to manually configure Aggregate for your database and networking specifics, and I'll be glad to help you with anything.

The key networking conf params to make it work behind the load balancer are these:

security.server.secureChannelType=REQUIRES_INSECURE_CHANNEL
security.server.channelType=REQUIRES_INSECURE_CHANNEL
security.server.forceHttpsLinks=true
security.server.hostname=odk.ggalmazor.com
security.server.port=80
security.server.securePort=443

* Replace odk.ggalmazor.com with your load balancer's public IP address or its domain name

Please let me know if you need anything else. We can chat on ODK's Slack #aggregate-code channel too.
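As an added illustration that is not Aggregate's own code, here is a small Python model of what the security.server.* parameters above control: whether the app redirects a request it sees arriving on the wrong scheme, and which scheme and hostname go into the links it generates. The decision rules, the function names and the hostname lb.example.org are assumptions; the model reproduces the redirect loop of the REQUIRES_SECURE_CHANNEL setting behind a TLS-terminating balancer, the HTTP links of the ANY_CHANNEL setting, and the REQUIRES_INSECURE_CHANNEL + forceHttpsLinks combination above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerConfig:
    """Mirrors the security.server.* parameters quoted in this thread."""
    secure_channel_type: str  # REQUIRES_SECURE_CHANNEL | REQUIRES_INSECURE_CHANNEL | ANY_CHANNEL
    force_https_links: bool   # security.server.forceHttpsLinks
    hostname: str             # security.server.hostname (the balancer's public name)
    port: int = 80            # security.server.port
    secure_port: int = 443    # security.server.securePort


def redirect_for(cfg: ServerConfig, scheme_seen_by_app: str):
    """Scheme the app redirects to, or None if it serves the request.
    Assumed rule: a REQUIRES_* channel type bounces any request that does
    not arrive on the required scheme; ANY_CHANNEL never redirects."""
    if cfg.secure_channel_type == "REQUIRES_SECURE_CHANNEL" and scheme_seen_by_app != "https":
        return "https"
    if cfg.secure_channel_type == "REQUIRES_INSECURE_CHANNEL" and scheme_seen_by_app != "http":
        return "http"
    return None


def absolute_link(cfg: ServerConfig, scheme_seen_by_app: str, path: str) -> str:
    """Absolute link the app embeds in pages and exports, built from the configured
    hostname (never the local one); forceHttpsLinks overrides the observed scheme."""
    scheme = "https" if cfg.force_https_links else scheme_seen_by_app
    port = cfg.secure_port if scheme == "https" else cfg.port
    default = 443 if scheme == "https" else 80
    host = cfg.hostname if port == default else f"{cfg.hostname}:{port}"
    return f"{scheme}://{host}{path}"


def simulate(cfg: ServerConfig, client_scheme: str, balancer_terminates_tls: bool, max_hops: int = 5) -> dict:
    """Follow one client request through the balancer and the app.
    With a TLS-terminating balancer the app always sees plain HTTP on port 80,
    whatever the client used. Returns the schemes the client was sent to; running
    out of hops without being served is the redirect loop described in the thread."""
    path = [client_scheme]
    for _ in range(max_hops):
        seen = "http" if balancer_terminates_tls else path[-1]
        target = redirect_for(cfg, seen)
        if target is None:
            return {"served": True, "path": path, "link": absolute_link(cfg, seen, "/aggregate/")}
        path.append(target)
    return {"served": False, "path": path, "link": None}


if __name__ == "__main__":  # the thread's three configurations, constructed hostname
    for kind, force in [("ANY_CHANNEL", False), ("REQUIRES_SECURE_CHANNEL", False), ("REQUIRES_INSECURE_CHANNEL", True)]:
        print(kind, force, simulate(ServerConfig(kind, force, "lb.example.org"), "https", True))
```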


Hi, @kyle!

Just wanted to ping you about this issue. We're holding a new release of Aggregate for some days, just in case we can get your feedback on this new conf param. Have you had a chance to try it?