IdP redirect URI and reverse proxy with SSL offloading

When an Ignition gateway is behind a reverse proxy, usually (not all the time) the communication between the proxy server and the Ignition gateway is done over HTTP because the reverse proxy can perform SSL offloading. The problem is that when using an IdP such as AWS Cognito, the redirect URI should be https (as non SSL is not allowed). But, Ignition is issuing the redirect URI depending on how you arrived at the gateway. If you used port 8088, you’ll get an http URI. If you used port 8043, you’ll get the appropriate https URI.
I have tried multiple settings between Ignition Web Server settings and the reverse proxy (in my case I am using Caddy) and can’t get all 3 components to work nicely. If I try to Force Secure Redirect on Ignition, then Caddy gets an error 502 back and can’t load the page.
Can anyone shed some light on this? Or is there a way to force Ignition to always use HTTPS as the callback URI?

Anyone seen this before? How is everyone else setting up their gateways behind a reverse proxy? Are you changing the gateway ports to 80/443? Do you force SSL redirect? Did you install the certificate on both the gateway and on your reverse proxy? Is this working with your IdP?

Did you ever get your Caddy config working? I’m using Caddy for SSL offloading and accessing Ignition on 8088 however my redirects are also HTTP.

We’re going to be adding a feature to Ignition soon which will make it “proxy-aware”. This feature will allow Ignition to be able to understand headers such as “Forwarded” or “X-Forwarded-Proto” which your reverse proxy can set in order to tell Ignition that the protocol the client used to connect to the proxy is https and should be treated as a secure https connection.

In the meantime, you’ll likely need to enable SSL on both connections (client → proxy and proxy → ignition). Or you will have to do some kind of URL rewriting on your proxy any time it sees the redirect_uri param in the Location header’s URL on a redirect response pointing to your IdP.

Additionally, what versions are you attempting to use? The Designer Launcher in 8.1.7 now goes directly to /StatusPing for checking the connection where it previously hit /main/StatusPing and the redirect from the gateway tried to redirect to HTTP and was thusly rejected due to downgrade. See this thread for reference: Hard coded request for HTTP in Designer Launcher even if gateway set up for HTTPS - #11 by kcollins1

The feature @jspecht references will definitely help smooth the experience out and address some of the other issues (related to client IP reporting).

I put this is the Caddy file:
header_down Location http:// https://

Seemed to do the trick.

1 Like

I’ll try this out. I left SSL enabled on Ignition as I needed to get this “Live” quickly. So in essence, I am not doing any SSL offloading, just using the reverse proxy as a landing server for different subdomain names and point back to the appropriate project on Ignition.

The latest 8.1.9 early access build includes a new setting to opt-into making Ignition reverse-proxy-aware. The user manual still need to catch up, but for now, you can refer to Jetty’s ForwardedRequestCustomizer’s javadoc page for which headers Ignition respects. For additional detail, see: Nightly 8.1 Changelogs - 2021 - #128 by sreis