Ignition behind an apache reverse proxy, issue with perspective views

Hello,

I wanted to protect my Ignition (8.1.12) installation behind a reverse proxy, done with Apache.

I successfully configured Apache to listen on ports 80 and 443 (with SSL offloading); on port 80 it redirects to the HTTPS URL and on port 443 it proxies to the local 8043.
The web page functions correctly, I can see the status, make changes etc.

For the moment I have only one strange issue when I open the designer and create a view:

  1. If I create a view under the “View” container everything works as expected
  2. If I create a new folder and create a view under it, all I get is no-project in the designer

By looking at the apache logs I see for

  1. => “GET /data/perspective/hello/Datacenter1/View HTTP/2.0” 200
  2. => “GET /data/perspective/hello/Datacenter1/App%2FView HTTP/2.0” 404

As you can see, in the second URL the ‘/’ character has been URL-escaped, so it is not recognized.
Here are the views:

You can replicate this even with a clean 8.1.11 or 8.1.12 installation without any configuration apart from the Apache one.

My Apache configuration only has basic reverse proxy settings and a custom rewrite rule to handle upgrading a websocket connection:

    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule .* wss://MY-FQDN:8043%{REQUEST_URI} [P]


    SSLProxyEngine On
    SSLProxyVerify none
    ProxyPass / https://MY-FQDN:8043/
    ProxyPassReverse / https://MY-FQDN:8043/

Any ideas?
My system integrator said they contacted Inductive Automation but got no response a week after opening the ticket.

Thank you!

Best regards

It seems like you’ve isolated the problem pretty specifically. There’s probably some additional configuration to pass to apache.

From a quick google, perhaps the [NE] flag on your ProxyPassReverse? RewriteRule Flags - Apache HTTP Server Version 2.4

Hi,

thanks for the reply.

I tried it, but it does not change/resolve the issue.

From what I see, Apache currently has limited support for websocket reverse proxy.

I will try nginx next

Hi!

Did you solve your problem? I have a similar situation; I can view the home page and projects, but no project is ever launched… I think it is some configuration of my reverse proxy.

It gets stuck there:

This is my site config:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
            ServerName scada.yatia.net
            ServerAlias scada.yatia.net

            LogLevel error
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            SSLProxyEngine On
            SSLEngine On
            SSLProxyVerify None
            SSLProxyCheckPeerCN Off
            SSLProxyCheckPeerName Off
            SSLProxyCheckPeerExpire Off
            SSLCertificateFile /etc/letsencrypt/live/yatia.net-0001/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/yatia.net-0001/privkey.pem

            ProxyPass               /       https://10.8.0.5:8043/  retry=0
            ProxyPassReverse        /       https://10.8.0.5:8043/
            RewriteEngine On
            RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
            RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
            RewriteRule .* wss://10.8.0.5:8043%{REQUEST_URI} [P]

    </VirtualHost>
    </IfModule>

Update:

I just enabled the proxy_wstunnel module and it works!!!

In the end I used NGINX and it worked the first time.

Here for the community is my conf file; I hope this will be useful for others:

    upstream ignition_http {
        keepalive 20;
        server 127.0.0.1:8088;
    }
    server {
        listen 80;
        # $request_uri already carries the full path and query string
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 http2 ssl;
        listen [::]:443 http2 ssl;

        server_name YOUR_SERVER_FQDN;

        ssl_certificate PATH_TO_PUBLIC_CHAIN;
        ssl_certificate_key PATH_TO_PRIVATE_KEY;

        location / {

            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;

            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;

            proxy_pass http://ignition_http;

        }
    }

I've managed to use Traefik without even having to add the special headers.

In dynamic TOML file:

    [http]
    [http.routers]
    # ignition
    [http.routers.ignition-secure]
    rule = "Host(`ignition.example.com`)"
    entryPoints = ["websecure"]
    service = "ignition"
    middlewares = ["ignition-replacepath-main"]
    [http.routers.ignition-secure.tls]
    certResolver = "lets-encrypt"
    [http.routers.ignition]
    rule = "Host(`ignition.example.com`)"
    entryPoints = ["web"]
    service = "ignition"
    middlewares = ["https-redirectscheme"]

    [http.services]
    [http.services.ignition.loadbalancer]
    [[http.services.ignition.loadbalancer.servers]]
    url = "http://192.168.2.149:8088"

    [http.middlewares]
    # generic middlewares
    [http.middlewares.https-redirectscheme.redirectScheme]
    scheme = "https"
    permanent = true
    # ignition middlewares
    [http.middlewares.ignition-replacepath-main.replacePathRegex]
    regex = "^/main/StatusPing$$"
    replacement = "/StatusPing"

Hello,

I have a similar setup as Arturo_Garza in his above post. The reverse proxy is set up on Digital Ocean and it’s been working great with two Laravel web apps configured under their own subdomains. These Laravel apps also have websockets set up using socket.io on port 6001. No issues there.

I’m using Apache and OpenVPN docker containers. OpenVPN provides the routing to the apps behind the proxy. I have ports 80, 443, and 6001 exposed on the Apache container.

When I set up Ignition in a similar manner, I can access the dashboard, but Perspective projects get stuck on the loading screen. In the web console I get the following with an expand icon to the left:
GET wss://subdomain.FQDN.com/system/pws/samplequickstart/103fc65b?token=qEuXr2IuxxJxJJHiCYPVeNgIX4jRoVP0ukKrBjAE8Wo
When I expand the request I see that it’s returning an HTTP 405 (Method Not Allowed) response.

After that I get the following console error:
Firefox can’t establish a connection to the server at wss://subdomain.FQDN.com/system/pws/samplequickstart/103fc65b?token=DxqTL-0DoRP7l_um66ZpFj6LZJH6brxX97pqeSu2w9s.

Sometimes I also get the following console message:

store.Idle: Error sending client activity message: TypeError: this.webSocket is undefined

I’m running Ignition unsecured on port 80 and that is connected to the reverse proxy via an outbound OpenVPN connection. SSL is set up on the reverse proxy with Let’s Encrypt. This is the same way I have the two Laravel apps set up.

The Perspective projects work fine on the LAN. In the network tab I can see the websocket request that fails via reverse proxy with an HTTP status of 101 (Switching Protocols).

Apache config:

    <VirtualHost *:80>
        ServerName subdomain.FQDN.com
        ServerAlias www.subdomain.FQDN.com
        ServerAdmin me@domain.com

        RequestHeader set X-Forwarded-Proto "https"

        <Location />
            Redirect / https://subdomain.FQDN.com/
        </Location>
    </VirtualHost>

    <IfModule mod_ssl.c>
        <VirtualHost *:443 *:6001>
            ServerName subdomain.FQDN.com
            ServerAlias www.subdomain.FQDN.com
            ServerAdmin me@domain.com

            DocumentRoot /usr/local/apache2/domain

            # I've also tried removing this block.  No difference.
            <Directory "/usr/local/apache2/domain">
                Order allow,deny
                AllowOverride All
                Allow from all
                Require all granted
            </Directory>

            LogLevel error
            ErrorLog logs/FQDN-subdomain-error.log
            CustomLog logs/FQDN-subdomain-access.log combined

            ProxyPreserveHost On

            SSLProxyEngine On
            SSLEngine On
            SSLProxyVerify None
            SSLProxyCheckPeerCN Off
            SSLProxyCheckPeerName Off
            SSLProxyCheckPeerExpire Off
            SSLCertificateFile /usr/local/apache2/conf/cert.pem
            SSLCertificateChainFile /usr/local/apache2/conf/server.crt
            SSLCertificateKeyFile /usr/local/apache2/conf/server.key

            ProxyPass           /   http://10.253.0.11/ retry=0
            ProxyPassReverse    /   http://10.253.0.11/

            RewriteEngine On

            RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
            RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
            RewriteRule .* wss://10.253.0.11%{REQUEST_URI} [P]

        </VirtualHost>
    </IfModule>

proxy_wstunnel is enabled

Any help is greatly appreciated.

Update:
I figured it out. I needed to change the RewriteCond and RewriteRule to the following:

    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteRule .* ws://10.253.0.11%{REQUEST_URI} [P]

I’m guessing wss is for if you have SSL set up on the Ignition Gateway and ws is the unsecured protocol that goes over port 80. If it’s set to wss, it tries to do the protocol upgrade on port 443 on the Gateway, which isn’t set up and results in the http 403 response.
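
As an added example (not code from any poster or from Inductive Automation), this Python script lints an Apache vhost body for the two failure modes seen in this thread, a `wss://` rewrite target in front of an `http://` backend and the 404 on `%2F` paths, and for the disabled upstream certificate checks in the posted configs. The rule names and the sample config are constructed; the encoded-slash rule reflects Apache's documented `AllowEncodedSlashes` default of `Off`, not a fix confirmed in the thread.

```python
import re

# Constructed sample, modelled on the Apache vhosts posted in this thread.
SAMPLE_VHOST = """\
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerName Off
ProxyPass / http://10.253.0.11/ retry=0
ProxyPassReverse / http://10.253.0.11/
RewriteEngine On
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteRule .* wss://10.253.0.11%{REQUEST_URI} [P]
"""

WS_FOR = {"http": "ws", "https": "wss"}  # WebSocket scheme matching each backend scheme


def directives(conf):
    """Yield (lower-cased name, argument list), skipping comments and <Section> tags."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1:]


def lint_vhost(conf):
    """Return finding strings for one vhost body (rule names are hypothetical)."""
    backend = ws = None
    weak_tls, encoded_slashes = [], "off"  # AllowEncodedSlashes defaults to Off
    for name, args in directives(conf):
        first = args[0].lower() if args else ""
        if name == "proxypass" and len(args) >= 2:
            m = re.match(r"(https?)://", args[1], re.I)
            backend = m.group(1).lower() if m else backend
        elif name == "rewriterule" and len(args) >= 2:
            m = re.match(r"(wss?)://", args[1], re.I)
            ws = m.group(1).lower() if m else ws
        elif name == "allowencodedslashes":
            encoded_slashes = first
        elif (name == "sslproxyverify" and first == "none") or (
                name.startswith("sslproxycheckpeer") and first == "off"):
            weak_tls.append(name)
    findings = []
    if backend and ws and ws != WS_FOR[backend]:
        findings.append(f"ws-scheme-mismatch: {ws}:// rewrite target, {backend}:// ProxyPass backend")
    if backend == "https" or ws == "wss":  # TLS to the upstream is actually in use
        findings += [f"upstream-tls-unverified: {d}" for d in weak_tls]
    if encoded_slashes == "off":
        findings.append("encoded-slash-404: AllowEncodedSlashes is Off, %2F in a path is refused")
    return findings
```

Calling `lint_vhost(SAMPLE_VHOST)` returns the findings in the order scheme mismatch, TLS checks, encoded slash; the TLS findings are reported only when the proxy actually speaks TLS to the upstream.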