Load Balancer SSL issues

Our customer has set up a load balancer between a Perspective gateway in an IDMZ and their corporate network. The LB receives traffic on 443 and forwards to the gateway at port 8088.

Projects that do not have security enabled work just fine. However, if I want to access the web server to manage the gateway, or the project has permissions set up, I get an "Unable to connect" error in the browser. It appears I am being forwarded to a new page by the gateway with a protocol of http:// instead of keeping it https://. If I edit the protocol in the URL to https:// it works.

For example, if I enter https://ig.acme.com I get forwarded to https://ig.acme.com/web/home?0 and I see the Get Started page. If I click Status I am forwarded to http://ig.acme.com/web/status/?1 and I get the error. Editing the URL and changing the protocol to https:// displays the status page.

The reason I think I am being forwarded is that hovering over a link does not display the ?1. It appears that, since I do not have SSL enabled for the gateway, it is assuming http:// and creating the entire URL.

Thanks and I hope you get the Acme reference, your one source for all road running capturing devices.

The Gateway might not be aware that it is sitting behind a load balancer which is offloading TLS for you. If that's the case, the Gateway sees the Load Balancer as the HTTP client on the other end and considers the connection to be "insecure" (cleartext http over port 8088). Therefore, any redirect URLs created by the Gateway will be generated using the http:// prefix.

Take a look at the Use Proxy Forwarded Headers setting introduced in 8.1.10 (see Web Server Settings in the Ignition User Manual 8.1).

Assuming your Load Balancer applies standard Forwarded or X-Forwarded-* headers to all requests forwarded to the Gateway, enabling this setting will make the Gateway "aware" that it is sitting behind a load balancer and will create redirect URLs appropriately in this context.


That was it. Thanks. Adding X-Forwarded-For helped as well for tracking down who is using what.
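
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Ignition's code: a model of how a backend behind a TLS-offloading load balancer chooses the scheme for redirect URLs, honoring forwarded headers only when the connection comes from the load balancer itself. The trusted-proxy range, function names, and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed value (assumption): the range the load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/28")]

def _from_trusted_proxy(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def _parse_forwarded(value):
    """Parse the last element of an RFC 7239 Forwarded header.
    The last element is the one appended by the nearest proxy."""
    pairs = {}
    for part in value.split(",")[-1].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip().lower()] = val.strip().strip('"')
    return pairs

def effective_request(peer_ip, local_scheme, headers, use_forwarded):
    """Return (scheme, host, client_ip) as the backend should treat them."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, client = local_scheme, h.get("host", ""), peer_ip
    # Forwarded headers from anyone other than the proxy are client-controlled
    # input, so they are ignored unless the TCP peer is the load balancer.
    if not (use_forwarded and _from_trusted_proxy(peer_ip)):
        return scheme, host, client
    fwd = _parse_forwarded(h["forwarded"]) if "forwarded" in h else {}
    proto = (fwd.get("proto") or h.get("x-forwarded-proto", "")).lower()
    if proto in ("http", "https"):
        scheme = proto
    host = fwd.get("host") or h.get("x-forwarded-host") or host
    # Rightmost X-Forwarded-For entry is the address the proxy itself observed.
    xff = h.get("x-forwarded-for", "")
    client = fwd.get("for") or (xff.split(",")[-1].strip() if xff else client)
    return scheme, host, client

def redirect_url(peer_ip, local_scheme, headers, path, use_forwarded):
    scheme, host, _ = effective_request(peer_ip, local_scheme, headers, use_forwarded)
    return f"{scheme}://{host}{path}"

if __name__ == "__main__":
    # Constructed request: the LB (10.20.0.5) forwards cleartext to port 8088.
    sample = {"Host": "ig.acme.com", "X-Forwarded-Proto": "https",
              "X-Forwarded-For": "192.0.2.44"}
    for enabled in (False, True):
        print(enabled, redirect_url("10.20.0.5", "http", sample, "/web/status/?1", enabled))
```

With forwarded headers ignored, the model reproduces the http:// redirect from the original question; with them honored for the load balancer's address, the redirect keeps https:// and the original client address becomes available for logging.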