khrt / Raisin

Raisin - a REST API micro framework for Perl 🐫 🐪

Reverse proxy not done correctly #104

Open djzort opened 4 years ago

djzort commented 4 years ago

The changes in #101 are not what you want

People should just use

https://metacpan.org/pod/Plack::Middleware::ReverseProxy

Which covers all of the variables

hidden-primary-net commented 4 years ago

Hello @djzort, thanks for your hint, I'll have another look at it.

hidden-primary-net commented 4 years ago

Hi @djzort, what is your proposal? The swagger spec part is created once, I do not see how a middleware could kick in here.

djzort commented 4 years ago

Possibly P::M::ReverseProxy won't do it at this moment, but along those lines my concern is that reverse proxy variables are notoriously non-standard (hence the X). Although there is actually now a standard in https://tools.ietf.org/html/rfc7239

It would be better to make use of an external module whose purpose is to make sense of reverse proxies, rather than taking on maintaining a solution to the problem in Raisin.

hidden-primary-net commented 4 years ago

So you're suggesting providing the correct values to Raisin? At the moment the plugin takes care of it; this would require moving the environment handling from the plugins to Raisin itself and having the plugins configured when needed. Did I get you right?

djzort commented 4 years ago

Ideally it should be handled by Plack::Middleware if that's what you mean, since it's a protocol mutator.

khrt commented 4 years ago

@hidden-primary-net, I'd like to try to reproduce your problem to see how it can be solved with Plack middlewares.

To do that, would you mind telling me what software you use for proxying, and if it is configured in some special way? Would you mind helping with this?

hidden-primary-net commented 4 years ago

Hi @khrt, we have the swagger service running in a Plack process bound to localhost. An Apache reverse proxy in front does the TLS termination. It's not too magical:

<VirtualHost *:443>
  ServerName ...

  ## Vhost docroot
  DocumentRoot ...

  <Location "/swagger/x/">
    Require valid-user
    AuthType basic
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile ...
    ## Request Header rules
    RequestHeader set X-BSS ...
  </Location>

  ## Logging
  ErrorLog ...
  CustomLog ...
  ServerSignature Off

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost Off
  ProxyPass /probe !
  ProxyPassReverse /probe !
  ProxyPass /swagger/x/ http://localhost:30180/
  ProxyPassReverse /swagger/x/ http://localhost:30180/

  ## SSL directives
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  SSLProtocol ...
  SSLCipherSuite ...
  SSLVerifyClient ...

  ## Custom fragment
  ProxyTimeout 180
</VirtualHost>

What bit me was that initially calling http://localhost:30180/swagger initializes the spec info for the life of the process with the localhost data. We also want to use a swagger-ui that relies on the information from the swagger file; they need to be correct.
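
An added example, not code from Raisin, Plack::Middleware::ReverseProxy or anyone in this thread: core Perl that reads the RFC 7239 Forwarded header linked above into a PSGI environment on each request, and honors it only when the peer is the trusted proxy. It assumes the front proxy connects from loopback and appends its own Forwarded element to every request; parse_forwarded, apply_forwarded and the sample requests are hypothetical names and constructed data.

```perl
use strict;
use warnings;

# Assumption: the only proxy runs on the same host, so trusted peers are loopback.
my %TRUSTED_PROXY = map { $_ => 1 } ('127.0.0.1', '::1');

# Hypothetical helper: split an RFC 7239 Forwarded value into one hash per element.
sub parse_forwarded {
    my ($header) = @_;
    my (@elements, %pair);
    # Tokenise so that "," and ";" inside quoted strings are not split on.
    while ($header =~ /\G\s*(?:([^\s=;,"]+)=("(?:[^"\\]|\\.)*"|[^\s",;]*)|([,;]))\s*/gc) {
        if (defined $1) {
            my ($name, $value) = (lc($1), $2);
            $value =~ s/\\(.)/$1/g if $value =~ s/^"(.*)"$/$1/;   # unquote, then unescape
            $pair{$name} = $value;
        }
        elsif ($3 eq ',') { push @elements, +{ %pair }; %pair = () }
    }
    return if (pos($header) // 0) != length $header;   # malformed: ignore the whole header
    return (@elements, +{ %pair });
}

# Hypothetical helper: rewrite a PSGI env from the element our own proxy appended.
sub apply_forwarded {
    my ($env) = @_;
    # Any client can send Forwarded, so ignore it unless the peer is our proxy.
    return $env unless $TRUSTED_PROXY{ $env->{REMOTE_ADDR} // '' };
    my @elements = parse_forwarded($env->{HTTP_FORWARDED} // '');
    return $env unless @elements;
    # Proxies append, so the last element is the one our proxy wrote;
    # earlier elements may have been supplied by the client.
    my $mine = $elements[-1];
    $env->{'psgi.url_scheme'} = lc $mine->{proto} if ($mine->{proto} // '') =~ /^https?$/i;
    $env->{HTTP_HOST} = $mine->{host} if ($mine->{host} // '') =~ /^[A-Za-z0-9.\-]+(?::\d+)?$/;
    return $env;
}

# Constructed sample requests (not taken from the issue).
my @samples = (
    { REMOTE_ADDR => '127.0.0.1', HTTP_HOST => 'localhost:30180', 'psgi.url_scheme' => 'http',
      HTTP_FORWARDED => 'for=203.0.113.7;host=spoofed.example, for=198.51.100.9;proto=https;host="api.example.org"' },
    { REMOTE_ADDR => '192.0.2.50', HTTP_HOST => 'localhost:30180', 'psgi.url_scheme' => 'http',
      HTTP_FORWARDED => 'proto=https;host=spoofed.example' },
);
for my $env (@samples) {
    apply_forwarded($env);
    printf "%s -> %s://%s\n", $env->{REMOTE_ADDR}, $env->{'psgi.url_scheme'}, $env->{HTTP_HOST};
}
```

If the proxy does not add an element of its own, the last element is whatever the client sent, so the proxy should either append or overwrite the header on every request.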