Nginx and jetty

We use nginx as reverse proxy in front of our Ignition gateway. This has two reasons:

  • We want to use port 80 respectively 443 to access Ignition.
  • We want to run the Ignition gateway not as root user but instead with a normal user (better security) on our linux host. This is not possible with port 80 or 443.

Our current nginx configuration (for port 80) looks like the following:

upstream ignition_http {
        keepalive 20;
        server 127.0.0.1:8088;
}

server {
        listen 80;
        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {

                proxy_http_version 1.1;
                proxy_cache_bypass $http_upgrade;

                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Port $server_port;

                proxy_pass http://ignition_http;

        }
}

The configuration works fine and if I start a vision client or a designer it communicates without any errors with the Ignition server.

The problem is, that requests from remote clients are shown on the gateway as local requests.

As you can see on the image above, the jetty webserver of Ignition interprets the request as coming from localhost. This is because of the nginx reverse proxy configuration. Unfortunately jetty does not make use of the X-Forwarded http headers of nginx (see jetty configuration above).

Ignition security settings like Security Zones based on ip addresses will not work!

According to the following resources an option has to be set in the jetty server:

The option useForwardedForHeader has to be set to true.

How can I adjust the internal jetty configuration of Ignition?
I guess that the file /usr/local/bin/ignition/webserver/webdefault.xml is not the right config file, since this is only used to configure settings for jetty web applications but not the server itself.

Any help would be greatly appreciated.

We're going to be adding explicit support for this soon. I'm not sure there's anything you can do in Jetty config to make it work the way you want until then because even when the forwarded headers are in place Ignition won't be looking at them.

2 Likes

That sounds good. Looking forward seeing this implemented.

The latest 8.1.9 early access build includes a new feature to opt-into making Ignition reverse-proxy-aware. The user manual still need to catch up, but for now, you can refer to Jetty’s ForwardedRequestCustomizer’s javadoc page for which headers Ignition respects. For additional detail, see: Nightly 8.1 Changelogs - 2021 - #128 by sreis

1 Like

I can confirm that the new feature works as expected. The gateway shows now all vision clients with their real ip address and not anymore with 127.0.0.1 Thank you very much for fixing this issue so quickly.

2 Likes