When using a reverse proxy for SSL termination, gold generates wrong resource URLs #41
Comments
Thanks for raising this issue. I'll look into it. |
After looking into it, I can say that everything works as expected, since "insecure" means running the server only over http. |
Yeah, it makes sense. Does it mean that I shouldn't ever use reverse proxies with gold and other similar implementations, if I want full functionality available to me? |
What does reverse proxying through nginx give you that gold doesn't already? :) |
We want to package an LDP server with freedombox (http://freedomboxfoundation.org/ ). With freedombox, LDP server would be one of several HTTP servers running, so in order to share the SSL port, we have to use a reverse proxy. Otherwise, we have to put gold on a different port. Also, we'd have to copy the SSL cert in 2 places. Finally, see this thread read-write-web/rww-play#153 (comment) . Basically, it's not a MUST that gold works with a reverse proxy setup but it causes some inconvenience :) |
I see. So the only inconvenience at this point is WebID-TLS. Maybe WebID-RSA can help here, as it is already implemented in gold. |
Nice! I'll try it this week |
@reederz your nginx.conf is missing config that folks normally use to instruct nginx upstreams about the termination scheme:
gold already uses this header to calculate base URIs. Try http://wiki.nginx.org/SSL-Offloader or https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-load-balancing-with-ssl-termination for other common nginx SSL termination configurations. |
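To illustrate the forwarded-scheme mechanism this comment relies on, here is an added Go example (not gold's own code). It assumes the proxy sets `X-Forwarded-Proto` (the conventional header; the page does not name which one gold reads) and that the proxy's address is known. The security point it adds is that the header must only be honoured when the request actually comes from the trusted proxy, otherwise any client could spoof the scheme the server embeds in generated URIs.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies lists the peers whose forwarded headers are honoured.
// Constructed example values: in a real deployment this is the reverse proxy's address.
var trustedProxies = map[string]bool{
	"127.0.0.1": true,
	"::1":       true,
}

// fromTrustedProxy reports whether the TCP peer of the request is a known proxy.
func fromTrustedProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port component
	}
	return trustedProxies[host]
}

// requestScheme returns "https" or "http" as the original client saw the request.
// X-Forwarded-Proto (assumed header name) is trusted only when the request
// arrives from a trusted proxy; a value set by an arbitrary client is ignored.
func requestScheme(r *http.Request) string {
	if fromTrustedProxy(r) {
		proto := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
		proto, _, _ = strings.Cut(proto, ",") // chained proxies append values; first is the edge
		proto = strings.TrimSpace(proto)
		if proto == "https" || proto == "http" {
			return proto
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// baseURI builds the absolute base (scheme://host) used to mint resource URLs.
// Host comes from the Host header, which nginx forwards with `proxy_set_header Host $host;`.
func baseURI(r *http.Request) string {
	return fmt.Sprintf("%s://%s", requestScheme(r), r.Host)
}

func main() {
	// Minimal handler that echoes the computed absolute URI of the requested resource
	// as a Turtle triple, mirroring the kind of URL an LDP server emits.
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<%s%s> a <http://www.w3.org/ns/ldp#Resource> .\n", baseURI(r), r.URL.Path)
	})
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

With nginx in front on the same host, a request arriving from 127.0.0.1 carrying `X-Forwarded-Proto: https` yields `https://example.org` as the base; the same header on a direct connection from an untrusted address is ignored and the base stays `http://...`, which is the behaviour that prevents URL-scheme spoofing.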
@presbrey thanks for this- the fix worked. |
Re "What does reverse proxying through nginx gives you that gold doesn't already? :)" I know it had a smiley, but I would add a philosophical requirement on anything like gold or ldnode: it must be able to operate as a subset of a smaller system. In node, you tend to get this with running express and invoking different packages on the same server, but with Apache and others you have to let people run their server of choice as the front end. So providing separate config parameters for its external URI space and internal ones is important. |
@reederz When you say "the fix worked", does that include WebID-TLS client-certs as well? |
I've been looking at HAProxy as a passthrough from port 443 to 8443 https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html#ssl-tls-passthrough My early testing indicates that ldnode will request a client certificate in pass through mode |
FYI: this is the config I used:
|
@sandhawke no, the fix only takes care of correct absolute URL generation and it was enough in our case (though eventually, we ended up using pagekite to route traffic). I haven't tried configuring NGINX to terminate WebID-TLS connections at gold level (which is what I think is needed to make it work). |
Thanks @reederz . (Pagekite looks cool) |
I was able to WebID-TLS auth into gold running behind nginx proxy with stream ssl preread configuration. See this ServerFault answer |
Thanks @tomasklapka for pointing to the header-based solution. I will try to implement this in the Node.js server (nodeSolidServer/node-solid-server#519). |
Instead of exposing gold directly to the internet, I want to use NGINX to terminate my SSL connections. The problem is that when I proxy requests to gold, it thinks that I requested a resource through HTTP and generates wrong resource URLs.
Command to start go server:
Nginx host:
Querying a resource (notice http instead of https in subjects):