[Geoserver-devel] Welcome page workspace/layer selection not working?

Hi,
the welcome page landed today and was readily picked up by GeoSolutions
main branch test server:

https://gs-main.geosolutionsgroup.com/geoserver/web

Unfortunately the workspace/layer selectors are not working, see attached video…
At the same time, I’ve checked things out locally, and they do appear to work… so maybe it’s due to the server being proxied?

Looking at requests in the developer tools, acting on a dropdown just redirects back to web/:

image.png

However the ajax behavior seems to have sent back the right information, I selected the “topp” workspace and there it is in the POST request:

image.png

Cheers
Andrea


GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance concerning this email (its content, any attachments, etc.) is information reserved solely for the recipient(s) indicated by the sender. If you have received this message in error, you are required to delete it; any other operation is unlawful. I would nonetheless be grateful if you would let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail

Andrea,

I tried to reproduce this and found some more issues;

a) I couldn’t “cd web/app; mvn jetty:run”

  • I get a nullpointerexception - likely because there’s no settings in global.xml
  • I used data/release and it worked fine

b) When I proxied geoserver, I couldn’t save most configuration options (i.e. change the logging profile)

  • it would give me a “Origin does not correspond to request” error
  • others recommended setting “-DGEOSERVER_CSRF_DISABLED=true”
  • this worked, but now if I change the logging profile it will log me out (but my changes were saved).

Looking with jody…

Dave


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Something is odd, when trying it out it navigated to a page with two “//” characters - https://gs-main.geosolutionsgroup.com//geoserver/web/;jsessionid=90732ABF11409AA223F989BD85E30423?0

I wonder if the proxy is stripping out, or otherwise not set-up to handle, the page parameters? It should work with things like http://localhost:8080/geoserver/web/?1&workspace=ne&layer=countries

Hand editing the URL works:

But navigation on these pages is broken …


Jody Garnett


Andrea,

I tried to reproduce this and found some more issues;

a) I couldn’t “cd web/app; mvn jetty:run”

  • I get a nullpointerexception - likely because there’s no settings in global.xml
  • I used data/release and it worked fine

Uh yeah, this is bad… GeoServer should be able to start off a completely empty data directory (eventually
with some warning). I thought we had a test to that effect, but I cannot find it…

b) When I proxied geoserver, I couldn’t save most configuration options (i.e. change the logging profile)

  • it would give me a “Origin does not correspond to request” error
  • others recommended setting “-DGEOSERVER_CSRF_DISABLED=true”
  • this worked, but now if I change the logging profile it will log me out (but my changes were saved).

Hum… not sure, I’ll inquire with Alessandro on how the proxying is set up.

Cheers
Andrea


Hi David, Andrea

b) When I proxied geoserver, I couldn’t save most configuration options (i.e. change the logging profile)

  • it would give me a “Origin does not correspond to request” error
  • others recommended setting “-DGEOSERVER_CSRF_DISABLED=true”
  • this worked, but now if I change the logging profile it will log me out (but my changes were saved).

Hum… not sure, I’ll inquire with Alessandro on how the proxying is set up.

I understand this is an unrelated problem with your local environment David. I suggest you check your PROXY_BASE_URL settings.

In terms of proxy config there is nothing special honestly… we’re using Nginx with an explicitly set PROXY_BASE_URL:

image.png

And we are passing the X-Forwarded-** headers from Nginx to GeoServer. That info should be used by GeoServer to understand
what protocols and host are used by the user to connect to it.

We can have a closer look but before we do that are you sure you cannot reproduce it locally on an HTTPS setup?

Thank you,
Alessandro

Regards,
Alessandro Parma

==

GeoServer Professional Services from the experts!

Visit http://goo.gl/it488V for more information.

==

Alessandro Parma
DevOps Engineer

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 340 4752467
fax: +39 0584 1660272

https://www.geosolutionsgroup.com
https://twitter.com/geosolutions_it

With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance concerning this email (its content, any attachments, etc.) is information reserved solely for the recipient(s) indicated by the sender. If you have received this message in error, you are required to delete it; any other operation is unlawful. I would nonetheless be grateful if you would let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.

Apparently I was always testing with -Prelease :)

empty
Starting up from an empty data directory is okay as new objects are made so everything is okay.

  1. some warnings reported here (https://osgeo-org.atlassian.net/browse/GEOS-10685)
  2. starts up okay some odd or missing defaults (https://osgeo-org.atlassian.net/browse/GEOS-10686)
  • starts up okay, only WMTS has “default” title / abstract so it was a good test of ServiceDescriptionProvider
  • not sure about ${organization} ← ha ha

image.png

minimal

it appears that it is using an “old data directory” structure and ends up restored from xstream with a null settings.xml.

David reported the error here https://osgeo-org.atlassian.net/jira/software/c/projects/GEOS/issues/GEOS-10678

I do not see anything serious enough to delay 2.22-RC?


Jody Garnett

Alessandro:

David was testing with the Proxy Base URL setting correctly.

I am also trying to set up a test environment with apache with mod_proxy as per random blog post instructions (https://www.middlewareinventory.com/blog/docker-reverse-proxy-example/). But I don’t really know what I am doing so it is unlikely to match your setup.

Not sure where to configure the X-Forwarded-** headers.

Did you need to configure https://docs.geoserver.org/stable/en/user/security/webadmin/csrf.html with GEOSERVER_CSRF_WHITELIST or GEOSERVER_CSRF_DISABLED?


Jody Garnett

Hi,

I set up apache (localhost:8111) with this;

ProxyPass "/dave/" "http://localhost:8080/geoserver/"
ProxyPassReverse "/dave/" "http://localhost:8080/geoserver/"

This means that “localhost:8111/dave/web” takes me to the geoserver homepage (running on localhost:8080).

Inside geoserver, I set the proxy base url to “http://localhost:8111/dave”.

That’s all the configuration I did - I’m not setting any “X-Forwarded-** headers” (unless apache does that automatically).

I found - https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html

I guess I have to set these somehow…

Dave


Hi Dave, Jody,

I set -DGEOSERVER_CSRF_WHITELIST=gs-main.geosolutionsgroup.com

Not sure where to configure the X-Forwarded-** headers.

I am not as familiar with Apache HTTP but there’s a chance the headers are already there. Yes, you can enable headers logging directly in geoserver
https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#enable-request-logging

image.png

image.png

Alessandro


Hi,

I used
-DGEOSERVER_CSRF_WHITELIST=localhost

(NOTE: no port #. If you put a port# in - localhost:8111 - it will give you errors)

This puts me in the same situation as before (i.e. when you save a configuration change it does save but then logs you out).

Looking at the headers…

REQUEST: http://localhost:8111/dave/web/;jsessionid=node01dcqivgqtv42m1wx5opwiziqxr11.node0?0

Headers;
X-Forwarded-Host: localhost:8111
X-Forwarded-For: ::1
X-Forwarded-Server: localhost
Host: localhost:8080

The only thing that looks a bit dodgy is the X-Forwarded-For: header…

Looking into it…

Dave


Ok, in order to get apache to properly forward the session cookies to geoserver I needed to:

ProxyPass "/dave/" "http://localhost:8080/geoserver/"
ProxyPassReverse "/dave/" "http://localhost:8080/geoserver/"
ProxyPassReverseCookiePath /geoserver /

i.e. a cookie is sent from geoserver (with path=/geoserver). Apache proxy will re-create this as a “/” cookie. If it didn’t do this the cookie would never be attached to the requests (since the actual browser URL is http://localhost:8111/dave/web/ and doesn’t have a /geoserver).

I think it would be better to be “ProxyPassReverseCookiePath /geoserver /dave”, but the above works.

End result - now you can make config changes in GS and you’re not logged out.

Will look at the welcome page issue - thanks for the help!

Dave
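
Added example, not part of the original e-mail or of GeoServer/Apache code: a small Python model of browser cookie path-matching (RFC 6265, section 5.1.4) applied to the session cookie discussed above, comparing no rewrite, `ProxyPassReverseCookiePath /geoserver /` and `/geoserver /dave`. The prefix-replacement model of the directive, the cookie value and the `/other-app/login` path are assumptions made for illustration.

```python
# Added example: how a browser decides whether to send the session cookie,
# before and after the proxy rewrites the cookie's Path attribute.

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def rewrite_cookie_path(set_cookie, internal, public):
    """Assumed, simplified model of ProxyPassReverseCookiePath: replace a
    leading `internal` prefix of the Path attribute with `public`."""
    out = []
    for attr in (a.strip() for a in set_cookie.split(";")):
        name, _, value = attr.partition("=")
        if name.lower() == "path" and value.startswith(internal):
            attr = "Path=" + public + value[len(internal):]
        out.append(attr)
    return "; ".join(out)

def cookie_path(set_cookie):
    """Return the Path attribute of a Set-Cookie header value."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path":
            return value
    return "/"  # simplification: the real default is derived from the request URI

# Constructed samples: cookie as set by the backend, paths as seen by the browser.
BACKEND_SET_COOKIE = "JSESSIONID=node0example; Path=/geoserver; HttpOnly"
BROWSER_PATHS = ["/dave/web/", "/dave/web/wicket/page", "/other-app/login"]

def sent_to(set_cookie):
    """Browser-side request paths that would carry this cookie."""
    cp = cookie_path(set_cookie)
    return [p for p in BROWSER_PATHS if path_match(p, cp)]

def scenarios():
    return {
        "no rewrite": sent_to(BACKEND_SET_COOKIE),
        "/geoserver -> /": sent_to(rewrite_cookie_path(BACKEND_SET_COOKIE, "/geoserver", "/")),
        "/geoserver -> /dave": sent_to(rewrite_cookie_path(BACKEND_SET_COOKIE, "/geoserver", "/dave")),
    }

if __name__ == "__main__":
    for name, paths in scenarios().items():
        print(f"{name:22} cookie sent to: {paths}")
```

With the `/` mapping the session cookie is also attached to unrelated paths on the same host; the `/dave` mapping keeps it scoped to the proxied application.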

On Mon, Oct 3, 2022 at 9:22 AM David Blasby <david.blasby@anonymised.com> wrote:

Hi,

I used
-DGEOSERVER_CSRF_WHITELIST=localhost

(NOTE: no port #. If you put a port# in - localhost:8111 - it will give you errors)

This puts me in the same situation as before (i.e. when you save a configuration change it does save but then logs you out).

Looking at the headers…

REQUEST: http://localhost:8111/dave/web/;jsessionid=node01dcqivgqtv42m1wx5opwiziqxr11.node0?0

Headers:
X-Forwarded-Host: localhost:8111
X-Forwarded-For: ::1
X-Forwarded-Server: localhost
Host: localhost:8080

The only thing that looks a bit dodgy is the X-Forwarded-For: header…

Looking into it…

Dave

On Fri, Sep 30, 2022 at 12:55 AM Alessandro Parma <alessandro.parma@anonymised.com…> wrote:

Hi Dave, Jody,

I set -DGEOSERVER_CSRF_WHITELIST=gs-main.geosolutionsgroup.com

Not sure where to configure the X-Forwarded-** headers.

I am not as familiar with Apache HTTP but there’s a chance the headers are already there. Yes, you can enable headers logging directly in geoserver
https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#enable-request-logging

Alessandro

On Fri, Sep 30, 2022 at 4:29 AM David Blasby <david.blasby@anonymised.com> wrote:

Hi,

I set up apache (localhost:8111) with this:

ProxyPass "/dave/" "http://localhost:8080/geoserver/"
ProxyPassReverse "/dave/" "http://localhost:8080/geoserver/"

This means that “localhost:8111/dave/web” takes me to the geoserver homepage (running on localhost:8080).

Inside geoserver, I set the proxy base url to “http://localhost:8111/dave”.

That’s all the configuration I did - I’m not setting any “X-Forwarded-** headers” (unless apache does that automatically).

I found - https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html

I guess I have to set these somehow…

Dave

On Thu, Sep 29, 2022 at 11:41 AM Jody Garnett <jody.garnett@anonymised.com> wrote:

Alessandro:

David was testing with the Proxy Base URL setting correctly.

I am also trying to set up a test environment with apache with mod_proxy as per random blog post instructions (https://www.middlewareinventory.com/blog/docker-reverse-proxy-example/). But I don’t really know what I am doing so it is unlikely to match your setup.

Not sure where to configure the X-Forwarded-** headers.

Did you need to configure https://docs.geoserver.org/stable/en/user/security/webadmin/csrf.html with GEOSERVER_CSRF_WHITELIST or GEOSERVER_CSRF_DISABLED?


Jody Garnett

On Thu, 29 Sept 2022 at 07:01, Alessandro Parma <alessandro.parma@anonymised.com> wrote:

Hi David, Andrea

b) When I proxied geoserver, I couldn’t save most configuration options (i.e. change the logging profile)

  • it would give me a “Origin does not correspond to request” error
  • others recommended setting “-DGEOSERVER_CSRF_DISABLED=true”
  • this worked, but now if I change the logging profile it will log me out (but my changes were saved).
    Hum… not sure, I’ll inquire with Alessandro on how the proxying is set up.

I understand this is an unrelated problem with your local environment David. I suggest you check your PROXY_BASE_URL settings.

In terms of proxy config there is nothing special honestly… we’re using Nginx with an explicitly set PROXY_BASE_URL:

image.png

And we are passing the X-Forwarded-** headers from Nginx to GeoServer. That info should be used by GeoServer to understand
what protocols and host are used by the user to connect to it.

We can have a closer look but before we do that are you sure you cannot reproduce it locally on an HTTPS setup?

Thank you,
Alessandro

On Thu, Sep 29, 2022 at 9:46 AM Andrea Aime <andrea.aime@…6887…> wrote:

On Thu, Sep 29, 2022 at 1:05 AM David Blasby <david.blasby@anonymised.com> wrote:

Andrea,

I tried to reproduce this and found some more issues;

a) I couldn’t “cd web/app; mvn jetty:run”

  • I get a NullPointerException - likely because there are no settings in global.xml
  • I used data/release and it worked fine

Uh yeah, this is bad… GeoServer should be able to start off a completely empty data directory (eventually
with some warning). I thought we had a test to that effect, but I cannot find it…

b) When I proxied geoserver, I couldn’t save most configuration options (i.e. change the logging profile)

  • it would give me a “Origin does not correspond to request” error
  • others recommended setting “-DGEOSERVER_CSRF_DISABLED=true”
  • this worked, but now if I change the logging profile it will log me out (but my changes were saved).

Hum… not sure, I’ll inquire with Alessandro on how the proxying is set up.

Cheers
Andrea


