Reverse proxy not done correctly

Open djzort opened this issue 4 years ago • 7 comments

The changes in #101 are not what you want

People should just use

https://metacpan.org/pod/Plack::Middleware::ReverseProxy

Which covers all of the variables

djzort avatar Jun 22 '20 16:06 djzort

Hello @djzort, thanks for your hint, I'll have another look at it.

hidden-primary-net avatar Jun 23 '20 08:06 hidden-primary-net

Hi @djzort, what is your proposal? The swagger spec part is created once, I do not see how a middleware could kick in here.

hidden-primary-net avatar Jun 23 '20 08:06 hidden-primary-net

Possibly P::M::ReverseProxy won't do it at this moment, but along those lines my concern is that reverse proxy variables are notoriously non-standard (hence the X). Although there is actually now a standard in https://tools.ietf.org/html/rfc7239

It would be better to make use of an external module whose purpose is to make sense of reverse proxies, rather than taking on maintaining a solution to the problem in Raisin.

djzort avatar Jun 23 '20 23:06 djzort

So you're suggesting to provide the correct values to Raisin? At the moment the plugin takes care of it; this would require moving the environment handling from the plugins to Raisin itself and having the plugins configured when needed. Did I get you right?

hidden-primary-net avatar Jun 24 '20 05:06 hidden-primary-net

Ideally it should be handled by Plack::Middleware if that's what you mean, since it's a protocol mutator

djzort avatar Jun 24 '20 07:06 djzort

@hidden-primary-net, I'd like to try to reproduce your problem to see how it can be solved with Plack middlewares.

To do that, would you mind telling me what software you use for proxying, and whether it is configured in some special way? Would you mind helping with this?

khrt avatar Jun 24 '20 18:06 khrt

Hi @khrt, we have the swagger service running in a plack process bound to localhost. An apache reverse proxy in front does the TLS termination. It's not too magical:

```apache
<VirtualHost *:443>
  ServerName ...

  ## Vhost docroot
  DocumentRoot ...

  <Location "/swagger/x/">
    Require valid-user
    AuthType basic
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile ...
    ## Request Header rules
    RequestHeader set X-BSS ...
  </Location>

  ## Logging
  ErrorLog ...
  CustomLog ...
  ServerSignature Off

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost Off
  ProxyPass /probe !
  ProxyPassReverse /probe !
  ProxyPass /swagger/x/ http://localhost:30180/
  ProxyPassReverse /swagger/x/ http://localhost:30180/

  ## SSL directives
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  SSLProtocol ...
  SSLCipherSuite ...
  SSLVerifyClient ...

  ## Custom fragment
  ProxyTimeout 180
</VirtualHost>
```

What bit me was that initially calling http://localhost:30180/swagger initializes the spec info for the life of the process with the localhost data. We also want to use a swagger-ui that relies on the information from the swagger file, so it needs to be correct.

hidden-primary-net avatar Jun 25 '20 17:06 hidden-primary-net
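
An added example, not code from Raisin or from any participant in this thread: the Plack::Middleware::ReverseProxy approach suggested above, enabled only when the peer is the local proxy, so that forwarded headers from any other source are ignored. The host name `api.example.test`, the addresses and the header values are constructed, and the PSGI environments are built by hand so the script runs without a server.

```perl
#!/usr/bin/env perl
# Added example (not Raisin code): honour forwarded headers only from the local proxy.
use strict;
use warnings;
use Plack::Builder;
use Plack::Request;

# Inner PSGI app: report the base URL and client address it believes in.
my $inner = sub {
    my $req  = Plack::Request->new(shift);
    my $body = sprintf "base=%s client=%s", $req->base, $req->address;
    return [ 200, [ 'Content-Type' => 'text/plain' ], [$body] ];
};

my $app = builder {
    # The plack process is bound to localhost, so the only legitimate peer
    # is the Apache proxy. Requests from any other peer keep their raw env.
    enable_if { ( $_[0]->{REMOTE_ADDR} // '' ) eq '127.0.0.1' }
        'Plack::Middleware::ReverseProxy';
    $inner;
};

# Minimal hand-built PSGI environment (constructed sample input).
sub env_for {
    my (%override) = @_;
    return {
        REQUEST_METHOD    => 'GET',
        SCRIPT_NAME       => '',
        PATH_INFO         => '/swagger',
        QUERY_STRING      => '',
        SERVER_NAME       => 'localhost',
        SERVER_PORT       => 30180,
        SERVER_PROTOCOL   => 'HTTP/1.1',
        HTTP_HOST         => 'localhost:30180',
        'psgi.url_scheme' => 'http',
        %override,
    };
}

# Headers as a TLS-terminating proxy could forward them (constructed values).
my %forwarded = (
    HTTP_X_FORWARDED_PROTO => 'https',
    HTTP_X_FORWARDED_HOST  => 'api.example.test',
    HTTP_X_FORWARDED_FOR   => '203.0.113.7',
);

# Same headers, once from the trusted proxy and once from an untrusted peer.
for my $peer ( '127.0.0.1', '198.51.100.9' ) {
    my $res = $app->( env_for( REMOTE_ADDR => $peer, %forwarded ) );
    print "peer=$peer $res->[2][0]\n";
}
```

Apache's mod_proxy adds `X-Forwarded-For`, `X-Forwarded-Host` and `X-Forwarded-Server` on its own, but the scheme header has to be set explicitly (for example with a `RequestHeader set` rule) before the backend can learn that the client used HTTPS.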