INSPIRE-MIF / helpdesk-validator

Community discussion forum for INSPIRE validation issues

Reverse proxy - empty context (missing trailing slash) results in wrong redirect #936

Closed joachimnielandt closed 1 year ago

joachimnielandt commented 1 year ago

Hello everyone,

I am deploying version 2023.0 to a Kubernetes environment. The Inspire Validator now runs behind a Traefik reverse proxy. As configured, I have an external URL (https://external/inspirevalidator) that redirects to the internal service (http://internal/validator:8090) through a path rewrite (in Traefik). This works fine, except:

My current understanding is that the Spring Boot application gets an empty context (no slash or path) and builds an absolute path (hostname + port + path) to perform a redirect. This absolute path fails:

My question is: can I configure the Docker container to have the empty context redirect to a relative /, instead? Or is this perhaps not the actual issue? Is there a 'proper' way of avoiding this problem and configuring the Docker container to have a non-trailing-slash redirect?

fernandocuevasgdtel commented 1 year ago

Dear @joachimnielandt,

thank you for reporting the issue. We have analyzed it, and it seems that it could be a problem with the etf-config properties; maybe the URL set includes a final slash. Could you check? We will conduct further testing so we can provide you with more feedback from our side, but it would be appreciated if you could provide us with any additional information.

Best regards,

joachimnielandt commented 1 year ago

Dear @fernandocuevasgdtel ,

Could you tell me how to modify / check the etf-config properties in a Docker setup? Is that a file in the container itself? Can it be modified through environment variables?

I have replicated a minimal working example in docker-compose (see below). This illustrates the problem, although the path rewrite is not a correct solution as the container itself will build URLs, based on an incorrect hostname, anyway (example: when running 'test results' in the UI, an HTTP request is launched to localhost:8090, which would be incorrect in this setup).

When running the below docker-compose, the following is available:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    command:
      # exposes the Traefik API and dashboard on :8080 without authentication (local test setup)
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  inspirevalidator:
    image: "docker.pkg.github.com/inspire-mif/helpdesk-validator/inspire-validator:2023.1"
    container_name: "inspire-validator"
    labels:
      - "traefik.enable=true"
      # this results in http://inspirevalidator.localhost/validator redirecting to http://inspirevalidator.localhost:8090/validator/
      - "traefik.http.routers.inspirevalidator.rule=Host(`inspirevalidator.localhost`)"
      - "traefik.http.routers.inspirevalidator.entrypoints=web"
      - "traefik.http.services.inspirevalidator.loadbalancer.server.port=8090"

  inspirevalidator2:
    image: "docker.pkg.github.com/inspire-mif/helpdesk-validator/inspire-validator:2023.1"
    container_name: "inspire-validator2"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.inspirevalidator2.rule=Host(`inspirevalidator2.localhost`)"
      # http://inspirevalidator2.localhost/inspirevalidator/ redirects properly, without trailing slash it doesn't
      - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/inspirevalidator/?(.*)"
      - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/validator/$$1"
      - "traefik.http.routers.inspirevalidator2.entrypoints=web"
      - "traefik.http.routers.inspirevalidator2.middlewares=test-replacepathregex@docker"
      - "traefik.http.services.inspirevalidator2.loadbalancer.server.port=8090"
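
A check that can be run over captured `Location` headers to catch the redirect described in this thread, where the backend answers with its own port (8090) instead of the externally published address. This is an added example, not part of the thread or the project's code; `check_redirect`, `audit` and the sample responses are constructed here from the URLs in the compose file comments.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, effective port) of an absolute URL."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def check_redirect(external_base, request_url, location):
    """Classify the Location header of a 3xx response received through the proxy.

    external_base: published URL prefix, ending in "/"
    request_url:   URL the client asked for
    location:      raw Location header value
    """
    # Resolve relative values the way a browser does before comparing.
    target = urljoin(request_url, location)
    if origin(target) != origin(external_base):
        return "leaves-external-origin", target
    if not urlsplit(target).path.startswith(urlsplit(external_base).path):
        return "outside-published-prefix", target
    return "ok", target


# Constructed samples: (external base, requested URL, Location header).
SAMPLES = [
    # Behaviour noted in the compose file comment: backend port 8090 in the redirect.
    ("http://inspirevalidator.localhost/validator/",
     "http://inspirevalidator.localhost/validator",
     "http://inspirevalidator.localhost:8090/validator/"),
    # Hypothetical: backend context path /validator leaking past the path rewrite.
    ("http://inspirevalidator2.localhost/inspirevalidator/",
     "http://inspirevalidator2.localhost/inspirevalidator",
     "/validator/"),
    # Hypothetical: relative redirect that only appends the missing slash.
    ("http://inspirevalidator2.localhost/inspirevalidator/",
     "http://inspirevalidator2.localhost/inspirevalidator",
     "inspirevalidator/"),
]


def audit(samples=SAMPLES):
    return [check_redirect(*s) for s in samples]


if __name__ == "__main__":
    for verdict, target in audit():
        print(f"{verdict:26} {target}")
```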

joachimnielandt commented 1 year ago

I tried to investigate a bit more and mounted the file in the pod as follows:

/etf/config/etf-config.properties
  modified etf.webapp.base.url to the proper one
  modified etf.branding.text to have a visual check on the change

However, the instance doesn't seem to use this file. The branding text is original, and I still see a call to 'localhost:8090' when clicking on the Test reports tab.

In the pod, I see another file that could be relevant:

/tmp/jetty/jetty-0.0.0.0-8080-validator.war-_validator-any-3076865940623601803.dir/webapp/WEB-INF/classes/etf-config.properties

This still contains the original content. However, this seems to be a generated directory and not ideal to place static custom configuration?

Hmm, now that I'm rereading the documentation: seems like it's necessary to make a custom Docker image to apply these domain changes? It seems like it would be cleaner to make the base image configurable?

joachimnielandt commented 1 year ago

Eliminated the localhost issues by modifying the following two files through a ConfigMap in the pods:

/etf/config/etf-config.properties
/etf/validator/js/config.js

This bypasses the need to modify the validator.war and ui.zip files - to check whether this is sufficient.

jenriquesoriano commented 1 year ago

Dear @joachimnielandt ,

thanks for your contribution and finally solving this issue in your specific deployment. We can consider this issue closed.

Best regards,