[Geoserver-users] problem with configuration

Hello,

I’m fairly new with geoserver so forgive me if this seems trivial to you.

We are in a situation where we need to serve geoserver behind a reverse proxy. Every time I try to access geoserver at the address

https://myserver/geoserver/

I get redirected to

http://myserver/geoserver/web

Moreover, if I access

https://myserver/geoserver/web/

I get the GUI, but once I try to enter username & password, the login action redirects again to http. It looks like the login has been performed, because if I add https in front of the page I am logged in.

It looks like somewhere the server is not reading the protocol correctly (or maybe it is, just not reading the request correctly)

We have an apache in front of GeoServer with mod_proxy and ajp enabled.

We can play with the Apache; unfortunately we cannot touch the reverse proxy (belongs to an entity that is not very collaborative) and it is only going to accept https connections, while we have (don’t ask why, I have no reasonable answer to give you) to talk via http to the proxy.

I have tried to set the following properties in web.xml :

PROXY_BASE_URL
Reverse Proxy Filter

together and one at a time without success. I have also tried the Proxy Base Url parameter in Settings->Global without success (I suppose it has the same effect as the property in web.xml).

This is the version (About GeoServer) of our server:
Version 2.1.4
Subversion Revision 17150
Build Date 01-Jun-2012 17:02
GeoTools Version 2.7.5 (rev 38793)

Any hint would really be appreciated

TIA


Marco Ferretti


Hi Marco,

my commiseration to you as I know from my own experience how it is to have
to deal with a 'not collaborative entity...'

However, if they have a reverse proxy, so can you.

I suppose there is no problem to get to the server where Apache sits from
the outside. Also that you can access the httpd.conf on this server. If
these preconditions aren't met the rest of what I am writing is meaningless.

Uncomment the relevant modules in the Apache httpd.conf.

LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ProxyRequests Off
ProxyPreserveHost On
ProxyVia On

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /geoserver_pWMS http://server_where_your_geoserver_is:8080/geoserver
ProxyPassReverse /geoserver_pWMS http://server_where_your_geoserver_is:8080/geoserver_pWMS
<Location /geoserver_pWMS>
    Order allow,deny
    Allow from all
</Location>

As you see, because the pass to where the request is proxied to is a URL
the geoserver does not even need to sit on the same machine as Apache. Any
machine on your internal network that is visible will do. If you have the
means you could run your own Google-sized infrastructure behind this proxy.

Works a treat, a geoserver behind two reverse proxies. See:

http://services.land.vic.gov.au/geoserver_pWMS

That doesn't make it faster but as in your situation that is what I have to
work with.

The geoserver install is then a simple standard install and has the added
advantage that you do not stuff up your layer preview, which you do when you
fill in the 'Proxy Base URL' in the 'Global' settings.

Cheers

Christian

-----
____________________________

Dr Christian Maul
Project Manager

Information Services Branch
Department Environment and Primary Industries
Level13, Marland House, 570 Bourke Street
Melbourne 3000

PO Box 500, East Melbourne Vic 3002

Telephone: +61-3-8636 2325
Telefax: +61-3-8636 2813
--
View this message in context: http://osgeo-org.1560.x6.nabble.com/problem-with-configuration-tp5106149p5106225.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Sorry the two locations where it points to have obviously to be the same

ProxyPass /geoserver_pWMS http://server_where_your_geoserver_is:8080/geoserver_pWMS
ProxyPassReverse /geoserver_pWMS http://server_where_your_geoserver_is:8080/geoserver_pWMS
<Location /geoserver_pWMS>
    Order allow,deny
    Allow from all
</Location>

... and if you have Apache on this server as well you might define it leave
out the 8080

-----
____________________________

Dr Christian Maul
--
View this message in context: http://osgeo-org.1560.x6.nabble.com/problem-with-configuration-tp5106149p5106261.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Hi Christian,

thanks for your reply.

We already have something similar in place: we use proxy_ajp instead of proxy_http; nonetheless I will give a shot to the configuration you suggested and let you know.

One thing I am not 100% sure got through my previous email is the following :

  1. with our current configuration ( ProxyPass / ajp://localhost:/geoserver) the server responds correctly to the applications (aka: serves maps when called with https)

  2. Had to modify index.html so that the call window.location.replace("web"); now is window.location.replace("web/"); in order to have the geoserver GUI respond (still https)

  3. Whenever I call https://myserver/web/ and perform a login (insert username, password & click “login” button) I get redirected to http://myserver/geoserver/ which is never going to reply (reverse proxy will not forward to https)

I have the feeling that I have to investigate on the form action “…/j_spring_security_check” … looks like somewhere it is losing the protocol

Will keep you posted

Marco Ferretti


Ciao Marco,
unrelated question, why GeoServer 2.1.4?


Regards,
Simone Giannecchini

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it



Ciao Simone,

Good question.

The only answer I can give you is that it was chosen at the time (I wasn’t working here) by a GIS SME for a project … and that’s what we’re working on at the moment.

Marco Ferretti


Ciao Marco,
if the project you are working on has some time in front of it I would consider upgrading to something newer, possibly 2.4.x.


Regards,
Simone Giannecchini

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Thu, Feb 27, 2014 at 10:11 AM, Marco Ferretti <marco.ferretti@anonymised.com> wrote:

Ciao Simone,

Good question.

The only answer I can give you is that it was chosen at the time (I wasn’t working here) by a GIS SME for a project … and that’s what we’re working on at the moment.

On Thu, Feb 27, 2014 at 9:51 AM, Simone Giannecchini <simone.giannecchini@anonymised.com> wrote:

Ciao Marco,
unrelated question, why GeoServer 2.1.4?


Marco Ferretti

facebooktwitterLinkedinWebsitepublic key

Regards,
Simone Giannecchini

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Thu, Feb 27, 2014 at 9:45 AM, Marco Ferretti <marco.ferretti@anonymised.com> wrote:

Hi Christian,

thanks for your reply.

We already have something similar in place: we use proxy_ajp instead of proxy_http; nonetheless I will give a shot to the configuration you suggested and let you know.

One thing I am not 100% sure got through my previous email is the following :

  1. with our current configuration ( ProxyPass / ajp://localhost:/geoserver) the server responds correctly to the applications (aka: serves maps when called with https)

  2. Had to modify index.html so that the call window.location.replace(“web”); now is window.location.replace(“web/”); in order to have the geoserver GUI respond (still https)

  3. Whenever I call https://myserver/web/ and perform a login (insert username, password & click “login” button) I get redirected to http://myserver/geoserver/ which is never going to reply (reverse proxy will not forward to https)

I have the feeling that I have to investigate on the form action “…/j_spring_security_check” … looks like somewhere it is losing the protocol

Will keep you posted


Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk


Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

On Thu, Feb 27, 2014 at 3:49 AM, cmaul <Christian.Maul@anonymised.com> wrote:

Sorry the two locations where it points to have obviously to be the same

ProxyPass /geoserver_pWMS
http://server_where_your_geoserver_is:8080/geoserver_pWMS
ProxyPassReverse /geoserver_pWMS
http://server_where_your_geoserver_is:8080/geoserver_pWMS

< Location /geoserver_pWMS>
Order allow,deny
Allow from all

… and if you have Apache on this server as well you might define it leave
out the 8080



Dr Christian Maul
Project Manager

Information Services Branch
Department Environment and Primary Industries
Level13, Marland House, 570 Bourke Street
Melbourne 3000

PO Box 500, East Melbourne Vic 3002

Telephone: +61-3-8636 2325
Telefax: +61-3-8636 2813

View this message in context: http://osgeo-org.1560.x6.nabble.com/problem-with-configuration-tp5106149p5106261.html

Sent from the GeoServer - User mailing list archive at Nabble.com.


Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk


Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users


Marco Ferretti

facebooktwitterLinkedinWebsitepublic key

Hi Christian,

as suspected, nothing changes: every POST action on the UI is still referencing the “wrong” protocol (http, shall be https);
I will try to make some tests with a more recent version of GeoServer and let you know


Marco Ferretti


Hi Christian and Simone,

I have updated to Geoserver 2.4.4 and have set the proxy base URL to https://myserver/geoserver/ ; still all the POST requests (eg /j_spring_security_check), at a certain point, are being redirected to http (they seem to work under the hood because it’s a matter of adding https:// in front of the url and everything works again), while GET requests work fine.

Any hint ?

Marco Ferretti


Hi,

I finally managed to fix the issue. I am reporting my solution here in case it’s needed by someone else.

The problem arises from the way the response is built in Tomcat: it uses the original request in order to determine the response, thus Spring Security is redirecting the browser to http because Tomcat is actually listening on HTTP (derived this from the sources on GitHub).

In order to circumvent this problem without touching geoserver code we added a custom request header on our Apache location reserved to geoserver:

RequestHeader set GeoValve "On"

Then I wrote a small valve and added it to the tomcat instance that’s serving geoserver in order to rewrite the request with the parameters that were needed :

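import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class MyGeoValve extends ValveBase {

    @Override
    public void invoke(Request req, Response resp) throws IOException, ServletException {
        // Apache marks requests for the GeoServer location with this header
        if ("On".equals(req.getHeader("GeoValve"))) {
            // Present the request to the webapp as https on port 443
            req.setSecure(true);
            req.getCoyoteRequest().scheme().setString("https");
            req.getCoyoteRequest().setServerPort(443);
        }
        if (getNext() != null) {
            getNext().invoke(req, resp);
        }
    }
}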

Now everything works as expected.

Thanks everyone for your help


Marco Ferretti
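
The valve in the message above honours the `GeoValve` header from any client that can reach the Tomcat connector, so a request that bypasses Apache could mark itself as secure. The following is an added example, not code from the thread or from the GeoServer or Tomcat projects, that applies the same rewrite only when the connection comes from a trusted front-end address. Assumptions: the class name `TrustedProxySchemeValve` and its `trustedProxies` attribute are hypothetical, and Apache forwards over mod_proxy_http so that `getRemoteAddr()` is Apache's own address (over AJP the connector reports the client address that Apache saw instead).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example, hypothetical class: applies the https rewrite from the
 * thread's valve only when the TCP peer is a trusted front-end proxy.
 */
public class TrustedProxySchemeValve extends ValveBase {

    private static final Logger LOG =
            Logger.getLogger(TrustedProxySchemeValve.class.getName());

    // Header name and value as set by "RequestHeader set GeoValve" in Apache.
    private static final String MARKER_HEADER = "GeoValve";
    private static final String MARKER_VALUE = "On";

    // Assumption: Apache runs on the Tomcat host and connects over loopback.
    private volatile Set<String> trustedProxies = new HashSet<String>(
            Arrays.asList("127.0.0.1", "0:0:0:0:0:0:0:1"));

    /**
     * Hypothetical attribute, set from server.xml, e.g.
     * <Valve className="TrustedProxySchemeValve" trustedProxies="10.0.0.5"/>
     */
    public void setTrustedProxies(String commaSeparated) {
        Set<String> parsed = new HashSet<String>();
        for (String addr : commaSeparated.split(",")) {
            String trimmed = addr.trim();
            if (!trimmed.isEmpty()) {
                parsed.add(trimmed);
            }
        }
        trustedProxies = parsed;
    }

    @Override
    public void invoke(Request req, Response resp) throws IOException, ServletException {
        boolean marked = MARKER_VALUE.equals(req.getHeader(MARKER_HEADER));
        boolean fromProxy = trustedProxies.contains(req.getRemoteAddr());

        if (marked && fromProxy) {
            // Same three calls as the valve posted in the thread.
            req.setSecure(true);
            req.getCoyoteRequest().scheme().setString("https");
            req.getCoyoteRequest().setServerPort(443);
        } else if (marked) {
            // Marker sent by a peer that is not the front end: the request
            // bypassed Apache, so keep the connector's real scheme and port.
            LOG.warning("GeoValve header ignored from untrusted peer "
                    + req.getRemoteAddr());
        }

        if (getNext() != null) {
            getNext().invoke(req, resp);
        }
    }
}
```

On the Apache side, `RequestHeader set` replaces any `GeoValve` value a client sent, so the header is only attacker-controlled on paths that reach Tomcat without passing through that location.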
