Can someone describe in detail what the purpose of these two additional settings are at the bottom of the Web Server config page compared to the original top ones? Is this actually allowing 8088/8043 for Gateway access and 80/443 for Perspective (and possibly Vision) access?
For what it is worth, I disabled Auto Detect HTTP Address as I will be placing Gateway in publicly accessible address (www.exampleurl.com)
I went ahead and tried setting 80 and 443, but my Perspective site doesn’t come up on those ports.
The first two port settings are the ports that will actually be bound to on the server.
The last two port settings are for if you’re accessing Ignition by a different port than bound to, which is very common if Ignition is publicly accessible and sitting behind a reverse proxy or port forwarding is being used. A common setup is to have Ignition bound to 8088 and 8443 but reachable at standard 80 and 443. Even more common on Linux, where root privileges are required to bind to ports under 1024.
Ok great. I do plan on having a reverse proxy in front of the gateway on port 80/443, perform url rewrites to condense the long /data/perspective/client/project path for the user, and to prevent external access to gateway pages by blocking /web/config paths, and also have that reverse proxy perform SSL offloading. I wonder if I need to still have the SSL certificate on the gateway as well for that.
So, what is Ignition doing with those last two port settings? Because the reverse proxy will be translating the requests…what does the gateway care?
There are a number of places where the gateway needs to be able to build the right URL to itself and needs to know what ports it will be accessed on.
I do not quite understand the the docs too.
When I set:
HTTP port = 80
HTTPS port = 443
Auto Detect HTTP Address = enabled
I can access both gateway page and perspective projects through:
[mydomain].com/web/home
[mydomain].com/data/perspective/client/[myproject]
When I set:
HTTP port = 8088
HTTPS port = 8043
Auto Detect HTTP Address = disabled
Public Address = [mydomain].com
Public HTTP port = 80
Public HTTPS port = 443
I cannot access both gateway page and perspective projects through:
[mydomain].com:8088/web/home
[mydomain].com/data/perspective/client/[myproject]
Am I missing anything here? Could anyone guide me on the config? Thanks.
Setting different public ports is for when you have a reverse proxy or some other port forwarding mechanism in place. Otherwise you still need to access Ignition via the actual HTTP/S ports it is bound to.
Hi Kevin,
I take your point on setting those ports when behind a reverse proxy. However, I’ve been able to use a reverse proxy without actually entering values there. I haven’t run into issues (yet).
I was particularly interested in the public HTTP address. I’m trying to host the gateway behind a reverse proxy like this: http://mydomain.com/ignition but cannot get this to work, even when i put ‘mydomain.com/ignition’ in the public http address - I would have thought that to be the purpose of this setting.
Could you elaborate where the public http address is actually used?
Regards
Hi Drojas,
I saw you’ve been playing around with Caddy - I suppose you’ve seen this tutorial: Using a Reverse Proxy with Ignition 8 on Windows – Industry Thing ?
Were you ever able to condense the perspective paths like you say above? I’m keen to do this too but no success so far. Simply rewriting paths doesn’t seem to work.
I’m using Traefik as reverse proxy.
Koen
Koen,
Yes, of course…the tutorial was written by a good friend @accyroy. I ended up not modifying the project path as there were other things behind the scenes that needs a portion of the path…things like report PDF files and other resources.
Here is an example section of the caddyfile
mydomain.com {
tls ./.certs/mydomaincert.crt ./.certs/mydomaincert.key
route { #use route to perform redirect before reverse_proxy
redir / /data/perspective/client/myPerspectiveProject/ permanent #redirect anyone landing on the root directory
#rewrite no longer works..causes error on Ignition
#rewrite / /data/perspective/client/myPerspectiveProject/
reverse_proxy https://192.168.0.1:8043 { #use your IP address of Ignition Gateway
import theheaders
transport http {
tls
tls_insecure_skip_verify #if you are using a self-signed cert on the gateway
}
@error status 403 404
handle_response @error {
respond /* 404 #returns basic 404 error page
}
}
}
log {
output file c:/Caddy/mylogfile.log #update to wherever you want the log file
}
import webconf
}
Thank you Drojas.
After a bit of trial and error with Regular Expressions, I was able to create a redirect in Traefik as well. I go from http://xxxx.mydomain/ignition/otherstuff to http://ignition.mydomain/otherstuff by using a redirect rule like this in the TOML file:
[http.middlewares.ignition-redirect.redirectRegex]
regex ="^https://xxx.mydomain/ignition(.*)"
replacement = "https://ignition.mydomain${1}"
it only works if you make sure you finish your url with a slash for some reason (eg. http://xxx.mydomain/ignition/ which takes me to the gateway home page on http://ignition.mydomain/web/home
So yeah - a redirect works, but my question was more about the idea of shortening paths, which is not what the redirect does. For that I was hoping someone would have experience with a path replacement statement. I tried a few things but it doesn't seem to really work - in line with your suggestion that 'rewrite' doesn't work. 