Esri / arcgis-cookbook

Chef cookbooks for ArcGIS
Apache License 2.0

Example role configuration for reverse proxy #231

Closed wilhelmi closed 4 years ago

wilhelmi commented 5 years ago

Trying to set up ArcGIS Server behind a reverse proxy other than the Web Adaptor if possible. Right now it sort of works. I can get to the /manager GUI, but the /admin GUI and map previews don't work due to path and redirect issues.

Does anyone have any example role configurations for what needs to be set as node properties for a fully functioning server instance behind a reverse proxy?

cameronkroeker commented 5 years ago

Hi @wilhelmi,

I recommend including the WebContextURL property in the attribute role json file.

node['arcgis']['server']['web_context_url']

https://github.com/Esri/arcgis-cookbook/tree/master/cookbooks/arcgis-enterprise#server

Will also want to configure the reverse proxy headers:

https://enterprise.arcgis.com/en/server/latest/deploy/linux/using-a-reverse-proxy-server-with-arcgis-server.htm#ESRI_SECTION1_7C21416FDBFA440191ADF803B70C7DA5

Happy Automating, Cameron K.

wilhelmi commented 5 years ago

Any pointers setting the web context URL?

Configuring the machine via chef-solo, the role json I am running is:

{
  "name": "server-role",
  "description": "",
  "json_class": "Chef::Role",
  "default_attributes": {
    "arcgis": {
      "run_as_user": "****",
      "run_as_password": "****",
      "version": "10.7",
      "configure_windows_firewall": "true",
      "cache_authorization_files": "true",
      "server": {
        "admin_username": "****",
        "admin_password": "****",
        "directories_root": "C:\\customer-site",
        "install_system_requirements": "true",
        "authorization_file": "****.prvc",
        "wa_name": "cust",
        "wa_url": "https://sample.com/cust/",
        "web_context_url": "https://sample.com/cust/"
      }
    }
  },
  "chef_type": "role",
  "run_list": [
    "recipe[arcgis-enterprise::system]",
    "recipe[arcgis-enterprise::server]"
  ]
}

This will create the site, however if I go to the admin gui the web_context_url property is not set. What am I missing?

Thanks!

cameronkroeker commented 5 years ago

@wilhelmi

I've confirmed that currently the node['arcgis']['server']['web_context_url'] is only used in the federation block.

Current design does not populate the webcontexturl within the AGS admin properties. One workaround would be to use /arcgis in the Reverse Proxy URL:

If you're using a reverse proxy server and the URL to your site does not end with the default string /arcgis (all lowercase), you should also set the ArcGIS Server WebContextURL property. This helps ArcGIS Server construct the correct URLs on all resources it sends to the end user.

Otherwise if using something other than /arcgis in the Reverse Proxy url, for now it will have to be manually added by going to :6443/arcgis/admin/system/properties/update and add:

{
   "WebContextURL": "https://sample.com/cust"
}

wilhelmi commented 5 years ago

Any suggested approaches to plagiarizing some existing code to set this in a wrapper cookbook?

wilhelmi commented 5 years ago

Trying to update this by hand and still no luck. The goal is to use the first part of the URL path to route to the correct instance. ex:

https://sample.com/path1 -> routed to instance #1
https://sample.com/path2 -> routed to instance #2

If I set the web_context_url to https://sample.com/path1/ and set up a rewrite/forwarding rule in the reverse proxy to replace /path1/ with /arcgis/, then in a browser https://sample.com/path1/manager works. Looking at network traffic on the Arc Server VM, the HTTP request comes in to /arcgis/manager. X-Forwarded-Host is also set to the correct DNS name of the reverse proxy, sample.com for this example.

However, map previews and https://sample.com/path1/admin do not work; they redirect back to http://sample.com/arcgis/admin, which 404s at the reverse proxy.

From what I can read in the docs, seems like this should be possible? Reference to myGis path.

Any ideas what needs to get set to make this work?

Note I tried various combinations of path1/arcgis/manager settings and URLs and just get 404s for the arc server.

Thanks for any ideas!

cameronkroeker commented 5 years ago

Hi @wilhelmi,

I'm not quite sure I understand the need for the rewrite/forwarding rule to replace /path1/ to /arcgis/ if the webcontexturl is being set to {"WebContextURL": "https://sample.com/path1"}.

Here is an example, if using Apache, (with Web Adaptor)

ProxyPass /path1 https://webadaptor.domain.com/path1
ProxyPassReverse /path1 https://webadaptor.domain.com/path1

{"WebContextURL": "https://sample.com/path1"}

without Web Adaptor:

ProxyPass /arcgis https://gisserver.domain.com:6443/arcgis
ProxyPassReverse /arcgis https://gisserver.domain.com:6443/arcgis

{"WebContextURL": "https://sample.com/arcgis"}

wilhelmi commented 5 years ago

I am trying to do selective routing, and maybe that isn't possible here?

In this case, I have 2 arc server instances, AS1 & AS2 for simplicity.

https://sample.com/path1/arcgis -> routed to AS1
https://sample.com/path2/arcgis -> routed to AS2

Trying to figure out the configuration that would let me browse to: https://sample.com/path1/ and get to the services on the AS1 instance. Such as /admin /manager etc

I was hoping to skip installing the WA to keep things simple, but maybe I have to do that for each instance?

The most success I have had is:

AS1: WebContextUrl = "https://sample.com/path1/"
Front end reverse proxy is configured to match /path1 and replace it with /arcgis. This routes it to the right backend.

In a browser the https://sample.com/path1/manager interface works; the /admin doesn't, and some of the map previews don't either.

Reading the docs it would imply the WA is simply a LB / RP and could be replaced with 3rd party tools?

cameronkroeker commented 5 years ago

@wilhelmi

The RP/NLB context name can only go one level deep:

If you do not use ArcGIS Web Adaptor in your deployment, be sure that the reverse proxy server's context name only goes one URL level deep. For example, you can have a reverse proxy URL such as https://proxy.domain.com/enterprise, but you cannot have a reverse proxy URL such as https://proxy.domain.com/myorg/enterprise.

Though this is in the Portal doc it also applies to AGS as well. So configuring https://sample.com/path2/arcgis won't work unfortunately.

That is correct though, the Web Adaptor is Esri's implementation of a reverse proxy/load balancer (in multi-node sites). It is completely optional, unless using Integrated Windows Authentication, in which case it is required.

wilhelmi commented 5 years ago

Made some progress:

WebContextUrl = "https://sample.com/path1/"
Rewrite Rule -> match on /path1 and replace with /arcgis

(so keeping with your note on 1 level deep)

From tracing WA traffic added the following headers from the RP:
X-Forwarded-Url-Base:/path1
X-Forwarded-Request-Context: https://sample.com/path1

This gets pretty close with only a couple of redirect hiccups:

https://sample.com/path1/manager/ -> Works as expected.

https://sample.com/path1/rest -> Redirects to -> http://sample.com/arcgis/rest/ (fails)
https://sample.com/path1/rest/services -> Works as expected.

https://sample.com/path1/admin/ -> Loads login page as expected
Submit Login -> Redirects to -> http://sample.com/arcgis/admin/ (fails)
Manually reload https://sample.com/path1/admin/ -> Logged in and works as expected

cameronkroeker commented 5 years ago

@wilhelmi

Interesting, so it's redirecting to HTTP URLs. I would check to ensure AGS, WA and RP all have the same HTTP/HTTPS settings. Meaning if AGS has HTTP (6080) and HTTPS (6443) enabled, then the WA (IIS or web server where it resides) has HTTP (80) and HTTPS (443) enabled, as well as the RP HTTP (80) and HTTPS (443) enabled.

Alternatively, if AGS only has HTTPS (6443) enabled then we will want the WA to also only have HTTPS (443) as well as RP HTTPS (443).

wilhelmi commented 5 years ago

I set the AGS to be https only, and RP is as well; that gets it down to just a path redirect problem.

1) https://sample.com/path1/admin/login (200 loads fine)

2) Enter username and password -> POST to: https://sample.com/path1/admin/login?redirect=

3) Post returns a 302 with a location of https://sample.com/path1/admin

4) Browser does a GET to: https://sample.com/path1/admin which returns a 302 with a location of: https://sample.com/arcgis/admin/

5) Browser does a GET to https://sample.com/arcgis/admin/ which fails with a 404

6) Now if I manually put the URL from step 3 in the browser again it succeeds with a 200 from there.

Updated:

So the issue is a missing trailing /

So the problem is both the login and signout functions return URLs without the trailing slash leading to 404s once they complete.
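A way to spot this kind of hop mechanically, as an added example that is not part of the original comments or the cookbook: it walks a recorded redirect chain and reports every `Location` that leaves the WebContextURL prefix or changes scheme. The traces are constructed from the steps and URLs quoted in the thread; `redirect_findings` is a hypothetical helper name.

```ruby
require 'uri'

# One hop = [requested URL, HTTP status, Location header or nil].
# Constructed from the numbered login steps described above.
LOGIN_TRACE = [
  ['https://sample.com/path1/admin/login', 200, nil],
  ['https://sample.com/path1/admin/login?redirect=', 302, 'https://sample.com/path1/admin'],
  ['https://sample.com/path1/admin', 302, 'https://sample.com/arcgis/admin/'],
  ['https://sample.com/arcgis/admin/', 404, nil]
].freeze

# Constructed from the earlier report of a redirect to an http:// URL.
REST_TRACE = [
  ['https://sample.com/path1/rest', 302, 'http://sample.com/arcgis/rest/']
].freeze

# Returns [url, location, reason] for each redirect that breaks the proxy context.
def redirect_findings(trace, web_context_url)
  context = URI.parse(web_context_url.chomp('/'))
  trace.each_with_object([]) do |(url, status, location), findings|
    next unless (300..399).cover?(status) && location

    target = URI.join(url, location) # also resolves relative Location values
    same_host = target.host == context.host
    if same_host && target.scheme != context.scheme
      findings << [url, location, :scheme_changed]
    end
    inside = same_host &&
             (target.path == context.path || target.path.start_with?(context.path + '/'))
    findings << [url, location, :left_context] unless inside
  end
end

redirect_findings(LOGIN_TRACE, 'https://sample.com/path1/').each do |url, location, reason|
  puts "#{reason}: #{url} -> #{location}"
end
```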

cameronkroeker commented 5 years ago

@wilhelmi Since we are no longer troubleshooting Chef, but rather manually configuring a RP with AGS I am going to recommend reaching out to Esri's Technical Support for further assistance.

cameronkroeker commented 4 years ago

To use a Reverse Proxy with AGS set the following two parameters within the json file:

node['arcgis']['server']['system_properties'] = ArcGIS Server system properties. Default value is {}.

and

node['arcgis']['server']['web_context_url'] = ArcGIS server web context URL. By default, this is 'https://<Domain name>/<WA name>'.

Example json:

"arcgis": {
  "version": "10.8",
  "server": {
    "web_context_url": "https://myreverseproxy.domain.com/server",
    "system_properties": {
      "WebContextURL": "https://myreverseproxy.domain.com/server"
    }
  }
}

The node['arcgis']['server']['web_context_url'] will be used for the Federation Services URL, and the node['arcgis']['server']['system_properties'] will set the actual web_context_url property within Server Admin API.
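A pre-flight check for a role file before running chef-solo, as an added example that is not part of the cookbook or the original comments: it verifies that both attributes named above are present and agree, and that the context is one URL level deep as required without Web Adaptor. The helper names, the `default_attributes` role layout and the HTTPS-only rule are assumptions of this example; the sample roles are constructed.

```ruby
require 'json'
require 'uri'

# Returns a list of problems in a role's arcgis.server reverse-proxy attributes.
def check_reverse_proxy_attrs(role_json)
  server = JSON.parse(role_json).dig('default_attributes', 'arcgis', 'server') || {}
  federation_url = server['web_context_url']                    # Federation Services URL
  admin_url = server.dig('system_properties', 'WebContextURL')  # Server Admin property
  problems = []

  problems << 'web_context_url is not set' if federation_url.nil?
  problems << 'system_properties.WebContextURL is not set' if admin_url.nil?
  if federation_url && admin_url && federation_url.chomp('/') != admin_url.chomp('/')
    problems << 'web_context_url and system_properties.WebContextURL differ'
  end

  [federation_url, admin_url].compact.map { |u| u.chomp('/') }.uniq.each do |url|
    uri = URI.parse(url)
    segments = uri.path.to_s.split('/').reject(&:empty?)
    # Assumption of this example: an HTTPS-only setup, as the thread ends up with.
    problems << "#{url}: scheme is not https" unless uri.scheme == 'https'
    # Without Web Adaptor the proxy context may only go one URL level deep.
    problems << "#{url}: context is not exactly one URL level deep" unless segments.length == 1
  end
  problems
end

# Constructed sample roles, reduced to the attributes that matter here.
def sample_role(server_attrs)
  JSON.generate({ 'default_attributes' => { 'arcgis' => { 'server' => server_attrs } } })
end

GOOD_ROLE = sample_role({
  'web_context_url' => 'https://myreverseproxy.domain.com/server',
  'system_properties' => { 'WebContextURL' => 'https://myreverseproxy.domain.com/server' }
})
FEDERATION_ONLY_ROLE = sample_role({ 'web_context_url' => 'https://sample.com/cust/' })
TWO_LEVEL_ROLE = sample_role({
  'web_context_url' => 'https://sample.com/path2/arcgis',
  'system_properties' => { 'WebContextURL' => 'https://sample.com/path2/arcgis' }
})

[GOOD_ROLE, FEDERATION_ONLY_ROLE, TWO_LEVEL_ROLE].each do |role|
  puts check_reverse_proxy_attrs(role).inspect
end
```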