Open birkland opened 5 years ago
Here is what is happening right now:
ProxyPassReverse /fcrepo https://${FCREPO_HOST}:${FCREPO_PORT}/fcrepo/
ProxyPass /fcrepo ajp://${FCREPO_HOST}:8009/fcrepo
Can you please restate what you expect the proxy to do and in what situations you expect it to happen?
Looking at the logs, it appears you want me to proxy for /fcrepo/rest and not for /fcrepo.
Is this correct?
It's more along the lines of "assure that every request to Fedora, the user service, or its tomcat container originating from the public network passes through shibboleth"
The logged request came in on the http connector, not the ajp connector as anticipated. The ProxyPass directive looks good. However, it seems like this request took another path in. So this ticket is to figure out how that un-authenticated and un-shibbolized request got to fedora, and assure that such requests won't make it to Fedora at all. There should never be http requests from the outside world that reach Fedora's tomcat container. They should be AJP (from the proxy), and protected by the shibboleth SP.
I might have hit that from curl to make sure it was up and running.
That would have done it, right? curl http://fcrepo-test.pass.local:8080/
See the latest container log which would not have been used by anyone coming in from the load balancer as it wasn't being routed by the load balancer:
This is at least on test, have not looked elsewhere.
See requests in the log
For example, from the fcrepo logs:
These all seem to be for /. Any request outside of fedora and the user service will fail with a 500 error, due to a global servlet filter that assumes that it has access to the context of one of these webapps. So the proxy rules should be updated to eliminate the possibility of such requests.
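One way to audit a Tomcat access log for the two conditions discussed in this thread (requests that arrived on a connector other than AJP, and requests outside the Fedora and user-service contexts), as an added example that is not from the thread or the project. It assumes an AccessLogValve pattern of `%a %p "%r" %s`; the `/user-service` context path is a placeholder and the sample lines are constructed.

```python
import re

# Assumed Tomcat AccessLogValve pattern (the thread does not show one):
#   pattern="%a %p &quot;%r&quot; %s"
# %a = remote IP, %p = local port, %r = request line, %s = status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) '
    r'"(?P<method>[^\s"]+) (?P<path>[^\s"]+)[^"]*" (?P<status>\d{3})$'
)

AJP_PORT = 8009  # AJP connector port from the ProxyPass directive in the thread
# "/fcrepo" is from the thread; "/user-service" is a placeholder context path.
ALLOWED_CONTEXTS = ("/fcrepo", "/user-service")

# Constructed sample lines, not taken from the real container log.
SAMPLE_LOG = [
    '10.0.0.5 8009 "GET /fcrepo/rest HTTP/1.1" 200',
    '192.0.2.10 8080 "GET / HTTP/1.1" 500',
    '10.0.0.5 8009 "GET /fcrepo/rest/submissions HTTP/1.1" 200',
    '192.0.2.10 8080 "GET /fcrepo/rest HTTP/1.1" 200',
    '10.0.0.5 8009 "GET /fcrepoX/ HTTP/1.1" 500',
]

def in_allowed_context(path):
    """True if path is a context root or below it (match on a '/' boundary)."""
    path = path.split("?", 1)[0]
    return any(path == c or path.startswith(c + "/") for c in ALLOWED_CONTEXTS)

def audit(lines):
    """Return (line_no, reasons, remote_ip, path) for every suspicious request."""
    findings = []
    for n, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if m is None:
            findings.append((n, ["unparsed"], None, None))
            continue
        reasons = []
        if int(m["port"]) != AJP_PORT:
            reasons.append("non-ajp-connector")
        if not in_allowed_context(m["path"]):
            reasons.append("outside-webapp-context")
        if reasons:
            findings.append((n, reasons, m["ip"], m["path"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any `non-ajp-connector` finding from a remote address other than the proxy host means the http connector is reachable without passing through the Shibboleth SP.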