Perspective login redirect loop

Ignition
1

This is with 8.0.16. I have a perspective UI behind a reverse proxy and I can access the gateway web page, log in, and interact with it but when I try to load a perspective session it gets through the login form then goes into a loop loading the different components and finally drops me back at the login page. The same credentials work with the same project when connecting directly to the gateway.

The gateway web server config is set up with the hostname and port that the external proxy are accessed with for the public address and port. The reverse proxy (nginx) config is as follows:

server {
listen 443 ssl;
server_name scada-hmi-external.domain.redacted;
set $backend β€œhttps://scada-hmi-internal.domain.redacted:8043”;
location / {
proxy_pass $backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host scada-hmi-external.domain.redacted;
client_max_body_size 10m;
proxy_read_timeout 900;
}
…
(ssl and other auth setup omitted)

Any ideas what might be wrong? I am stumped. Watching it try to load in the browser inspector seems to point to something wrong with the built in identity provider but I don’t see an obvious cause.

2

Are there any seemingly related errors in the gateway or browser logs? If not, try setting these gateway loggers to debug level and reproduce the issue again (and let me know if there are any new errors logged):

gateway.IdpAdapter
gateway.UserAttributeMapper
gateway.ExpressionSecurityLevelPolicy
gateway.WebAuthSessionImpl

Could you also tell me more about your setup:

  1. Is your reverse proxy performing TLS termination?
  2. Is your reverse proxy connecting to the backend gateway over TLS?
  3. What kind of IdP is involved? Internal Ignition IdP, OIDC, or SAML?
  4. Which web browser and version are you using? Which OS and version is your web browser running on?
3

@jspecht we found the problem: the reverse proxy was not upgrading the web socket connection to HTTP, we needed to add the following to our nginx config for it to work:

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
2 Likes