ODK Aggregate behind proxy not working correctly

Hello,

We are having trouble getting ODK to work nicely behind a nginx proxy. The problem we see is that the user can call the ODK instance via https, but when we try to change the password, the interaction fails since the JSON call is directed via http to port 8080 (screenshot https://www.dropbox.com/s/9pvugby2o89r27k/Screenshot%202015-08-25%2014.19.37.png?dl=0). Tomcat runs on 8080 but the port is closed via a firewall.

So here is what we would like to achieve:

  • nginx is the proxy and handles SSL encryption
  • Tomcat and ODK know that they are behind a proxy and play nice.

How can I achieve this? I have tried the installer with and without SSL, changing ports from 8080 to 80 (8443 to 443) but either I get too many redirect warnings in the browser or the page loads but password resets go to 8080 or 8443 and that doesn't work (ports blocked).

What is the correct answer in the installer to generate a war file that plays well behind a proxy?

How do I change server.xml of Tomcat to support this correctly?

Here is my server.xml connector:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="300000"
               URIEncoding="UTF-8"
               maxPostSize="16777216"
               redirectPort="8443"
               scheme="https"
               proxyPort="443"
         />

nginx setting:

    location / {
        proxy_set_header X_Forwarded_Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_pass http://127.0.0.1:8080/;
        proxy_read_timeout 60;
    }

Any thoughts on what I could try to further troubleshoot? Right now I am able to log in via an HTTPS connection but when I attempt to change a user password it fails since the request is an HTTP request on port 8080.

Armin

To follow up on this. We have made progress (I am working with Armin on this).

We have changed the settings in the ODKAggregate-settings.jar, setting
security.server.port=80
security.server.securePort=443

This change has allowed us to successfully change passwords, but only over http. That is, if logged in to Aggregate on https, changing a pw in the Admin tab will prompt an alert:
JSON change-password request to http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords failed.

Looking in the console, we can see:
Mixed Content: The page at 'https://epione.lmbutler.net/DisclosureR01/Aggregate.html' was loaded over HTTPS, but requested an insecure script 'http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords?user…=colinm&digestAuthHash=6505d484f7124e905fb8bf8128e3324e&callback=callback0'. This request has been blocked; the content must be served over HTTPS.

Running over http allows password changes just fine (which makes sense, given the above).

Any thoughts on how to get password changes over HTTPS, or other directions we might look?

Thanks


Did you use the ODK Aggregate installer to generate your WAR file?

It sounds like you did not select that you had an SSL certificate for your
server when you ran the installer, so the configuration is attempting to
use http: instead of SSL.

Re-run the installer specifying that you have an SSL cert, and that you
want to use port 80 and 443 and specify the hostname that users can use to
contact your server.

You should then be able to simply use that WAR file and not change anything
manually.

--

Post: opendatakit@googlegroups.com
Unsubscribe: opendatakit+unsubscribe@googlegroups.com
Options: http://groups.google.com/group/opendatakit?hl=en


You received this message because you are subscribed to the Google Groups
"ODK Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Hi Mitch,

Thanks for your answer. Yes we generated the war file with your installer and yes I answered no to the SSL certificate since I don't use the cert in Tomcat but in nginx.

We just did what you suggested and unfortunately it doesn't work. We get a warning:

"The webpage has a redirect loop"

Is there a comprehensive documentation of the options in the installer that I have missed? Would be really good to know what each answer means and how it will behave.

Our interest is in how to run ODK behind a reverse nginx proxy and therefore I wonder about the ports 80 and 443 since these are not the actual ports that Tomcat runs on. We run Tomcat on 8080 and proxy 80 and 443 to that port.

Do we need to activate another connector in Tomcat to get port 8443 working and proxy 443 traffic there?

Thanks for any suggestion to solve this problem.

Armin


In the installer, you should specify the hostname and ports that are used
publicly by your clients.

I.e., if you are behind a load balancer, you would specify the hostname or
IP address of the load balancer.

Perhaps you didn't specify the hostname that nginx is using?

Because the export to CSV and publishers generate fully-qualified links
(URLs) to binary content inside their generated documents, they need to be
able to reconstruct the full public URL to the server. On Tomcat, these
long-lived actions run in a background Executor that doesn't have access to
a ServletContext and therefore cannot determine the server URL without a
static configuration value. Similarly, when changing passwords, the
javascript constructs the full public URL to the change-password servlet
(this was to support a cross-site call when the main access was using
http:// and the secure access was using https:// -- the installer doesn't
provide this option, though via manual configuration you can configure
that).

The questions during the installer gather this information.

I suspect the IP address or hostname is messed up.


--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Hi Mitch,

I do specify the hostname in the installer. I ran the installer twice. One time I said no SSL with port 80 only. The second time I said SSL with port 80 and 443.

I deployed both war files; the instance with port 80 only runs, the one with port 443 has a redirect loop.

Any Tomcat or nginx settings that I should check or post here to look at?

Armin


I haven't played around with this deployment configuration, so I can't
really say.

Aggregate doesn't need intelligent re-write of the documents returned to
the client when it runs behind a proxy. The software and installer
configuration ensures that Aggregate will return page content that is
appropriate to appear as if it were served off the proxy (the hostname and
ports configured in the installer).

The nginx proxy needs to forward 80 and 443 traffic through to the
Aggregate server (on ports 8080 and 8443). If you want to proxy and modify
the traffic, the nginx server will need to preserve the use of https:
scheme traffic through to Aggregate -- i.e., you must install the SSL cert
on Tomcat as well.

That would allow external parties to contact nginx, have nginx do any
auth/firewall action it wants, then forward the request, preserving https
usage, on to Aggregate.

If you accept https: traffic on nginx then forward the traffic as http: to
Aggregate, that will not work.

··· On Wed, Aug 26, 2015 at 1:41 PM, wrote:

Hi Mitch,

I do specify the hostname in the installer. I ran the installer twice. One
time I said no SSL with port 80 only. The second time I said SSL with port
80 and 443.

I deployed both war files and the instance with port 80 only runs the one
with port 443 has a redirect loop.

Any Tomcat or nginx settings that I should check or post here to look at?

Armin

On Wednesday, August 26, 2015 at 4:24:46 PM UTC-4, Mitch Sundt wrote:

In the installer, you should specify the hostname and ports that are
used publicly by your clients.

I.e., if you are behind a load balancer, you would specify the hostname
or IP address of the load balancer.

Perhaps you didn't specify the hostname that nginx is using?

Because the export to CSV and publishers generate fully-qualified links
(URLs) to binary content inside their generated documents, they need to be
able to reconstruct the full public URL to the server. On Tomcat, these
long-lived actions run in a background Executor that doesn't have access to
a ServletContext and therefore cannot determine the server URL without a
static configuration value. Similarly, when changing passwords, the
javascript construct the full public URL to the change-password servlet
(this was to support a cross-site call when the main access was using
http:// and the secure access was using https:// -- the installer doesn't
provide this option, though via manual configuration you can configure
that).

The questions during the installer gather this information.

I suspect the IP address or hostname is messed up.

On Wed, Aug 26, 2015 at 12:46 PM, mack...@gmail.com wrote:
Hi Mitch,

Thanks for your answer. Yes we generated the war file with your
installer and yes I answered no to the SSL certificate since I don't use
the cert in Tomcat but in nginx.

We just did what you suggested and unfortunately it doesn't work. We get
a warning:

"The webpage has a redirect loop"

Is there a comprehensive documentation of the options in the installer
that I have missed? Would be really good to know what each answer means and
how it will behave.

Our interest is in how to run ODK behind a reverse nginx proxy and
therefore I wonder about the ports 80 and 443 since these are not the
actual ports that Tomcat runs on. We run Tomcat on 8080 and proxy 80 and
443 to that port.

Do we need to activate another connector in Tomcat to get port 8443
working and proxy 443 traffic there?

Thanks for any suggestion to solve this problem.

Armin

On Wednesday, August 26, 2015 at 2:03:22 PM UTC-4, Mitch Sundt wrote:

Did you use the ODK Aggregate installer to generate your WAR file?

It sounds like you did not select that you had an SSL certificate for
your server when you ran the installer, so the configuration is attempting
to use http: instead of SSL.

Re-run the installer specifying that you have an SSL cert, and that
you want to use port 80 and 443 and specify the hostname that users can use
to contact your server.

You should then be able to simply use that WAR file and not change
anything manually.

On Tue, Aug 25, 2015 at 12:38 PM, colind...@gmail.com wrote:

To follow up on this. We have made progress (I am working with Armin
on this).

We have changed the settings in the ODKAggregate-settings.jar, setting

security.server.port=80

security.server.securePort=443

This change has allowed us to successfully change passwords, but only
over http. That is, if logged in to Aggregate on https, changing a pw in
the Admin tab will prompt an alert:

JSON change-password request to
http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords failed.

Looking in the console, we can see:

Mixed Content: The page at 'https://epione.lmbutler.net/DisclosureR01/Aggregate.html' was loaded over HTTPS, but requested an insecure script 'http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords?user…=colinm&digestAuthHash=6505d484f7124e905fb8bf8128e3324e&callback=callback0'. This request has been blocked; the content must be served over HTTPS.

Running over http allows password changes just fine (which makes
sense, given the above).

Any thoughts on how to get password changes over HTTPS, or other
directions we might look?

Thanks

On Tuesday, August 25, 2015 at 2:26:21 PM UTC-4, mack...@gmail.com wrote:

Hello,

We are having trouble getting ODK to work nicely behind a nginx
proxy. The problem we see is that the user can call the ODK instance via
https, but when we try to change the password, the interaction fails since
the JSON call is directed via http to port 8080 (screenshot
https://www.dropbox.com/s/9pvugby2o89r27k/Screenshot%202015-08-25%2014.19.37.png?dl=0).
Tomcat runs on 8080 but the port is closed via a firewall.

So here is what we would like to achieve:

  • nginx is the proxy and handles SSL encryption
  • Tomcat and ODK know that they are behind a proxy and play nice.

How can I achieve this? I have tried the installer with and without
SSL, changing ports from 8080 to 80 (8443 to 443) but either I get too many
redirect warnings in the browser or the page loads but password resets go
to 8080 or 8443 and that doesn't work (ports blocked).

What is the correct answer in the installer to generate a war file
that plays well behind a proxy?

How do I change server.xml of Tomcat to support this correctly?

Here is my server.xml connector:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="300000"
           URIEncoding="UTF-8"
           maxPostSize="16777216"
           redirectPort="8443"
           scheme="https"
           proxyPort="443"
           />

nginx setting:

location / {
    proxy_set_header X_Forwarded_Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Url-Scheme $scheme;
    proxy_redirect off;
    proxy_max_temp_file_size 0;
    proxy_pass http://127.0.0.1:8080/;
    proxy_read_timeout 60;
}

Any thoughts on what I could try to further troubleshoot? Right now
I am able to log in via an HTTPS connection, but when I attempt to change a
user password it fails since the request is an HTTP request on port 8080.

Armin


--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Hi Armin,
Did you manage to solve the redirect loops with nginx/ODK using the https reverse proxy? I'm facing the same issue and I don't know how to fix it.
Many thanks in advance,
Luciano


Hi Luciano.

This is probably not the best solution, but I managed to get it working
using sub_filter (ngx_http_sub_module).
Here is my nginx config:

server {
    listen 80;
    listen 443 ssl;
    server_name mydomain.xyz;
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers On;
    ssl_certificate /etc/letsencrypt/live/mydomain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.xyz/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.xyz/chain.pem;
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
    ssl_stapling on;
    ssl_stapling_verify on;
    # Your favorite resolver may be used instead of the Google one below
    resolver 8.8.8.8;

    location / {
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        proxy_set_header X_Forwarded_Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header Accept-Encoding ""; # Disable gzip. Needed by sub_filter below
        proxy_pass http://127.0.0.1:8080;

        # Replace URLs for downloading exported files and resetting user password
        sub_filter "http://mydomain.xyz:8080" "https://mydomain.xyz";
        sub_filter_types *;
        sub_filter_once off;

        port_in_redirect off;
        proxy_connect_timeout 90;
        proxy_redirect http://127.0.0.1:8080/ /;
    }
}


For me it worked nicely (maybe the issue has been fixed in the ODK Aggregate v1.4.15 linux-x64-installer).

Here is my nginx.conf

server {
    listen 80;
    server_name www.example.tk;

    location / {
        proxy_pass  http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen       80;
    server_name  example.tk;
    return       301 http://www.example.tk$request_uri;
}

Another thing I did was change the following properties in ODKAggregate-settings.jar::security.properties:

security.server.hostname=
security.server.port=80

The hostname is blank, which makes the IP discoverable, and the port is 80, which is nginx's port (Tomcat's port is 8080).


I have now enabled SSL on nginx, and most of the functions are working correctly. However, /formList is returning http instead of https in the form paths.

Changing channelType to REQUIRES_SECURE_CHANNEL starts redirecting ODK to port 8443, where nobody is listening.

So as it stands, ODK Collect can download forms from Aggregate but can't submit them :frowning:
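A check for the symptom that runs through this thread (Aggregate emitting absolute http:// or :8080 links, both the blocked change-password script and the http downloadUrl in /formList above) and for what the sub_filter rewrite shown earlier does and does not catch. This is an added example, not ODK or nginx code; the hostname and context path are taken from the thread, and the two response bodies are constructed.

```python
"""Scan responses served by ODK Aggregate through a TLS-terminating reverse
proxy for absolute URLs the browser (mixed content) or ODK Collect cannot
use. Added example for this thread; the bodies below are constructed."""
import re
from urllib.parse import urlsplit

PUBLIC_HOST = "epione.lmbutler.net"   # public name used in the thread
PUBLIC_PORTS = {None, 80, 443}        # the only ports reachable via the proxy

# Constructed: an Aggregate.html served over https that embeds the
# change-password JSONP script over plain http, plus an export link that
# carries Tomcat's firewalled port (the two failures reported above).
SAMPLE_HTML = (
    '<script src="https://epione.lmbutler.net/DisclosureR01/aggregateui/aggregateui.nocache.js"></script>\n'
    '<script src="http://epione.lmbutler.net/DisclosureR01/ssl/user-manage-passwords'
    '?username=colinm&callback=callback0"></script>\n'
    '<a href="http://epione.lmbutler.net:8080/DisclosureR01/view/binaryData?blobKey=x">csv</a>\n'
    '<a href="/DisclosureR01/formList">forms</a>\n'
)

# Constructed: a /formList document of the shape ODK Collect fetches, with
# the http downloadUrl described in the last reply.
SAMPLE_FORMLIST = (
    '<xforms xmlns="http://openrosa.org/xforms/xformsList">\n'
    '  <xform><formID>survey</formID>\n'
    '    <downloadUrl>http://epione.lmbutler.net/DisclosureR01/formXml?formId=survey</downloadUrl>\n'
    '  </xform>\n</xforms>\n'
)

# Absolute URLs in HTML src/href attributes and in OpenRosa formList elements.
URL_RE = re.compile(
    r"(?:src|href)=[\"'](https?://[^\"']+)[\"']"
    r"|<(?:downloadUrl|manifestUrl)>(https?://[^<]+)<",
    re.IGNORECASE,
)


def find_bad_urls(body, public_host=PUBLIC_HOST, public_scheme="https"):
    """Return (url, reason) pairs for absolute URLs that point at this server
    but use the wrong scheme or a port the proxy does not expose."""
    findings = []
    for m in URL_RE.finditer(body):
        url = m.group(1) or m.group(2)
        parts = urlsplit(url)
        if parts.hostname != public_host:
            continue  # third-party links are out of scope for this check
        reasons = []
        if parts.scheme != public_scheme:
            reasons.append(f"scheme {parts.scheme} instead of {public_scheme}")
        if parts.port not in PUBLIC_PORTS:
            reasons.append(f"port {parts.port} is not reachable through the proxy")
        if reasons:
            findings.append((url, "; ".join(reasons)))
    return findings


def rewrite_like_sub_filter(body, rules):
    """Apply the plain textual replacement nginx's sub_filter performs
    (with sub_filter_once off: every occurrence of every rule)."""
    for old, new in rules:
        body = body.replace(old, new)
    return body


# The single rule from the thread only catches URLs that carry :8080 ...
THREAD_RULE = [("http://epione.lmbutler.net:8080", "https://epione.lmbutler.net")]
# ... so a second rule is needed for the port-less http URL of the JSONP call.
FULL_RULES = THREAD_RULE + [("http://epione.lmbutler.net/", "https://epione.lmbutler.net/")]

if __name__ == "__main__":
    for name, body in (("Aggregate.html", SAMPLE_HTML), ("formList", SAMPLE_FORMLIST)):
        for url, why in find_bad_urls(body):
            print(f"{name}: {url} -> {why}")
    left = find_bad_urls(rewrite_like_sub_filter(SAMPLE_HTML, THREAD_RULE))
    print("after the :8080 rule alone:", len(left), "URL(s) still broken")
    left = find_bad_urls(rewrite_like_sub_filter(SAMPLE_HTML, FULL_RULES))
    print("after both rules:", len(left), "URL(s) still broken")
```

Run it against the real `Aggregate.html` and `/formList` bodies fetched through the proxy to confirm the rewrite (or a corrected security.properties) leaves nothing behind.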