4 Replies Latest reply on Nov 20, 2018 5:46 AM by Marc Kusters

    OData behind reverse NGINX proxy

    Marc Kusters Newbie

      We've got the following situation: our servers use NGINX as an SSL-terminating reverse proxy in order to handle our SSL requests. Situation sketch:

      Outside Interwebs 443 -> NGINX -> EAP/Teiid  8080

       

      This works fine when accessing OData using a web browser. However, when we use applications like Excel and PowerBI we can't get any data, since they take the URL inside the OData feed, which points to 127.0.0.1:8080.

      Is there a way to solve this that would only affect our OData system?

       

      I found the following blog but I'm unsure on how to proceed and if this will solve my predicament.

      https://medium.com/red6-es/jboss-as7-eap-6-behind-an-ssl-terminating-reverse-proxy-6160a630a741

       

      Example of our OData feed.

      <a:feed xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#*********">
          <a:id>http://127.0.0.1:8080/odata4/*********</a:id>
          <a:entry>
              <a:id>http://127.0.0.1:8080/odata4/*********(emailType='*********',personIdExternal='*********')</a:id>
              <a:title/>
              <a:summary/>
              <a:updated>*********</a:updated>
              <a:author>
                  <a:name/>
              </a:author>
              <a:link rel="edit" href="http://127.0.0.1:8080/odata4/*********(emailType='*********',personIdExternal='*********')"/>
              <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#*********"/>
              <a:content type="application/xml">
                  <m:properties>
                      <d:emailType>*********</d:emailType>
                      <d:personIdExternal>*********</d:personIdExternal>
                      <d:createdOn m:type="DateTimeOffset">*********</d:createdOn>
                      <d:isPrimary m:type="Boolean">*********</d:isPrimary>
                      <d:createdBy>*********</d:createdBy>
                      <d:lastModifiedBy>*********</d:lastModifiedBy>
                      <d:createdDateTime m:type="DateTimeOffset">*********</d:createdDateTime>
                      <d:emailAddress>*********</d:emailAddress>
                      <d:lastModifiedOn m:type="DateTimeOffset">*********</d:lastModifiedOn>
                      <d:lastModifiedDateTime m:type="DateTimeOffset">*********</d:lastModifiedDateTime>
                  </m:properties>
              </a:content>
          </a:entry>
      </a:feed>
      

       

      Of course http://127.0.0.1:8080 has to be the external URL.

       

      Any help is welcome!

        • 1. Re: OData behind reverse NGINX proxy
          Ramesh Reddy Master

          Check out the note on "Behind Proxy" in the documentation here: OData Version 4.0 Support · GitBook. Hopefully that is what you are looking for.

          • 2. Re: OData behind reverse NGINX proxy
            Marc Kusters Newbie

            I managed to solve it partially. Not totally sure if the whole configuration is necessary:

            <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                <connector name="http" protocol="HTTP/1.1" scheme="https" socket-binding="http" proxy-name="dns name of webservice" proxy-port="443"/>
                <virtual-server name="default-host" enable-welcome-root="false">
                    <alias name="localhost"/>
                    <alias name="example.com"/>
                    <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b %S %T">
                        <directory path="./"/>
                    </access-log>
                </virtual-server>
                <valve name="RemoteIPValve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteIpValve">
                    <param param-name="remoteIpHeader" param-value="X-Forwarded-For"/>
                    <param param-name="protocolHeaderHttpsValue" param-value="https"/>
                </valve>
            </subsystem>
            

             

            At least the OData part works fine now, just need to fix the web interface for the management console.
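
A check for the symptom discussed in this thread, as an added example that is not part of any poster's message: it parses an Atom feed and reports every absolute `a:id` or `a:link` URL that points at a loopback or private address, at a host other than the expected external name, or at plain HTTP. The sample feed, the host `odata.example.com` and all function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample shaped like the feed in the question; entity names and keys are placeholders.
SAMPLE_FEED = """\
<a:feed xmlns:a="http://www.w3.org/2005/Atom">
  <a:id>http://127.0.0.1:8080/odata4/Example</a:id>
  <a:entry>
    <a:id>http://127.0.0.1:8080/odata4/Example(key='1')</a:id>
    <a:link rel="edit" href="http://127.0.0.1:8080/odata4/Example(key='1')"/>
  </a:entry>
</a:feed>"""

def feed_urls(xml_text):
    """Yield (kind, url) for each a:id text and a:link href in the feed."""
    # Parse only feeds from your own endpoint; ElementTree is not hardened for hostile XML.
    for el in ET.fromstring(xml_text).iter():
        if el.tag == ATOM + "id" and el.text and el.text.strip():
            yield "id", el.text.strip()
        elif el.tag == ATOM + "link" and el.get("href"):
            yield "link", el.get("href")

def is_internal(host):
    """True for loopback/private/link-local IPs, localhost, and dotless names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or "." not in host
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit_feed(xml_text, external_host):
    """Return (kind, url, reason) for every absolute URL that leaks or bypasses the proxy."""
    findings = []
    for kind, url in feed_urls(xml_text):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # relative references and URN ids are not backend addresses
        host = (parts.hostname or "").lower()
        if is_internal(host):
            findings.append((kind, url, "internal address"))
        elif host != external_host.lower():
            findings.append((kind, url, "unexpected host"))
        elif parts.scheme != "https" or parts.port not in (None, 443):
            findings.append((kind, url, "not https on 443"))
    return findings

if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED, "odata.example.com"):
        print(finding)
```

An empty result for a feed fetched through the proxy means clients such as Excel will follow only external HTTPS URLs.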

            • 3. Re: OData behind reverse NGINX proxy
              Ramesh Reddy Master

              Can you not do this for a single context root? I would need to dig through WildFly docs for any suggestions, but you seem to be right on the way. Keep us updated, I would like to capture this into Teiid documentation.

              • 4. Re: OData behind reverse NGINX proxy
                Marc Kusters Newbie

                We got it working, for the management console no other changes in the configuration were necessary, it was an NGINX configuration thing:

                server {
                    listen      80;
                    server_name otherdnsname.com dns_name_from_previous_post.com;
                    return      301 https://$server_name$request_uri;
                }

                server {
                    listen       443 ssl;
                    ssl_certificate /etc/pki/tls/certs/aw5144.crt;
                    ssl_certificate_key /etc/pki/tls/private/aw5144.key;

                    proxy_set_header    X-Forwarded-For    $remote_addr;

                    include /etc/nginx/default.d/*.conf;

                    location / {
                        proxy_pass http://127.0.0.1:8080/;
                    }

                    location /console/ {
                        proxy_pass http://127.0.0.1:9990/console/;
                    }

                    location /management/ {
                        proxy_pass http://127.0.0.1:9990/management/;
                    }

                    location /management {
                        proxy_pass http://127.0.0.1:9990/management;
                    }

                    location /odata/ {
                        proxy_pass http://127.0.0.1:8080/odata/;
                        proxy_read_timeout 1800s;
                    }

                    location /odata4/ {
                        proxy_pass http://127.0.0.1:8080/odata4/;
                        proxy_read_timeout 1800s;
                    }

                    error_page 404 /404.html;
                    location = /40x.html {
                    }

                    error_page 500 502 503 504 /50x.html;
                    location = /50x.html {
                    }
                }