[Geoserver-devel] Layer Preview - OpenLayers does not work with a SSL Reverse Proxy

Hello!

I am currently using GeoServer 2.15.0 through a Tomcat running on port 8080.
To control which webapps are available on my various domains, I run a reverse proxy with Apache in front on port 80, using a normal ProxyPass & ProxyPassReverse.

I also have SSL set up, so in short, my setup is like this:

https://example.com/geoserver → http://example.com:8080/geoserver (I have substituted my real domain with an example)

I want to test my newest layer, so I go into Layer Preview → OpenLayers and it opens a URL like this:
https://example.com/geoserver/dof/wms?service=WMS&version=1.1.0&request=GetMap&layers=dof%3AREGIONER&bbox=441548.9689738757%2C6049494.406376901%2C893480.0854518213%2C6402159.588024116&width=768&height=599&srs=EPSG%3A23032&format=application/openlayers

However, this returns a white map!

In the console, I see the following (I’ve translated it but hopefully it still makes sense):
Blocked mixed content “http://example.com/geoserver/openlayers3/ol.css”

Blocked mixed content “http://example.com/geoserver/openlayers3/ol.js”

Blocked mixed content “http://example.com/geoserver/openlayers3/ol.css”

Blocked mixed content “http://example.com/geoserver/openlayers3/ol.js”

Loading failed for

From what I can find in the code, org/geoserver/wms/map/AbstractOpenLayersMapOutputFormat.java:134 uses this as the baseUrl for the template:
String baseUrl =
    ResponseUtils.buildURL(request.getBaseUrl(), "/", null, URLType.RESOURCE);

The code is a bit too complex for me to create a fix, since I am not sure what ramifications my changes might have, but my guess would be that for the AbstractOpenLayersMapOutputFormat, either the base proxy url from the GeoServer settings or all X-Forwarded type of headers should be considered.

Med venlig hilsen / With regards

ANDERS OLSEN
Software Developer
BirdLife Denmark

Hi Anders,

Maybe you can do a simple fix by defining “Proxy based URL”. Go to Settings → Global and set “Proxy based URL” to your domain, with or without the port. Test it.

Regards,

Jorge Gustavo

Jorge Gustavo Rocha
CTO


Hi Jorge,

I am so sorry, I forgot to include that I have already defined the Proxy URL as https://example.com (No port number, and with HTTPS)

I have noticed that the Demo Requests work with the proxy url, and have dug a bit into the code:

https://github.com/geoserver/geoserver/blob/883865f96d60ad7023e42364966714cfcd720ef1/src/web/demo/src/main/java/org/geoserver/web/demo/DemoRequestsPage.java#L157-L175

In this snippet, I can see that the code tests if the proxyBaseUrl is set either in GeoServerExtensions or in the settings, and only uses the request’s baseURL if no proxy URL is set.

In the OpenLayers Preview, it jumps directly to using the request’s baseURL and does not consider if the proxy base URL is set.

My first intuition is that the code from the DemoRequestsPage.java can be reused in the AbstractOpenLayersMapOutputFormat.java without side-effects, but I am not sure.



ANDERS OLSEN
Software Developer
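
The precedence described in the message above (a configured proxy base URL first, the request's base URL only as a fallback), extended with the X-Forwarded header option raised earlier in the thread, as an added Java example. It is not GeoServer code and not written by any poster; `PublicBaseUrl`, `resolve`, `trustForwarded` and the sample values are assumptions, and the proxy base URL is assumed to include the context path.

```java
import java.net.URI;
import java.util.Map;

// Added illustration, not GeoServer code: every class and method name here is hypothetical.
public class PublicBaseUrl {

    // Precedence: configured proxy base URL, then X-Forwarded-* headers, then the URL the
    // container saw. Forwarded headers are client-supplied unless the proxy overwrites them.
    static URI resolve(String proxyBaseUrl, boolean trustForwarded,
                       Map<String, String> headers, URI requestBase) {
        if (proxyBaseUrl != null && !proxyBaseUrl.isBlank()) {
            return URI.create(withSlash(proxyBaseUrl));
        }
        String proto = headers.get("x-forwarded-proto");
        String host = headers.get("x-forwarded-host");
        if (trustForwarded && proto != null && host != null
                && (proto.equals("http") || proto.equals("https"))) {
            return URI.create(proto + "://" + host + withSlash(requestBase.getPath()));
        }
        return URI.create(withSlash(requestBase.toString()));
    }

    static String withSlash(String s) {
        return s.endsWith("/") ? s : s + "/";
    }

    // Browsers block scripts and stylesheets fetched over http from a page served over https.
    static boolean isMixedContent(URI page, URI resource) {
        return "https".equals(page.getScheme()) && "http".equals(resource.getScheme());
    }

    public static void main(String[] args) {
        // Constructed sample values modelled on the thread's example.com setup.
        URI page = URI.create("https://example.com/geoserver/dof/wms");
        URI seenByTomcat = URI.create("http://example.com:8080/geoserver");
        Map<String, String> fwd =
                Map.of("x-forwarded-proto", "https", "x-forwarded-host", "example.com");
        URI[] bases = {
            resolve(null, false, fwd, seenByTomcat),  // request URL only
            resolve(null, true, fwd, seenByTomcat),   // forwarded headers honoured
            resolve("https://example.com/geoserver", false, Map.of(), seenByTomcat)
        };
        for (URI base : bases) {
            URI css = base.resolve("openlayers3/ol.css");
            System.out.println(css + " mixed=" + isMixedContent(page, css));
        }
    }
}
```
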


If you debug inside this method call, you should see the method calling the URLManglers, and in particular the ProxifyingURLMangler,
which is tasked with replacing the base URL… with step by step debugging you should see if it’s called, and if so, why it’s not working.
Let us know what you find out.

Cheers
Andrea

Ing. Andrea Aime
Technical Lead, GeoSolutions S.A.S.