4 Replies Latest reply on Nov 20, 2018 5:46 AM by marc.kusters

OData behind reverse NGINX proxy

marc.kusters Nov 15, 2018 7:17 AM

We got the following situation; Our servers use NGINX as a SSL terminating reverse proxy in order to handle our SSL requests. Situation sketch:

Outside Interwebs 443 -> NGINX -> EAP/Teiid 8080

This works fine when accessing OData using a webbrowser. However when we use applications like Excel and PowerBI we can't get any data since they take the URL inside the odata feed which points to 127.0.0.1:8080.

Is there a way to solve this that would only affect our OData system.

I found the following blog but I'm unsure on how to proceed and if this will solve my predicament.

https://medium.com/red6-es/jboss-as7-eap-6-behind-an-ssl-terminating-reverse-proxy-6160a630a741

Example of our OData feed.

<a:feed xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#*********">
    <a:id>http://127.0.0.1:8080/odata4/>*********</a:id>
    <a:entry>
        <a:id>
http://127.0.0.1:8080/odata4/*********(emailType='*********',personIdExternal='*********')
        </a:id>
        <a:title/>
        <a:summary/>
        <a:updated>>*********</a:updated>
        <a:author>
            <a:name/>
        </a:author>
        <a:link rel="edit" href="http://127.0.0.1:8080/odata4/*********(emailType='*********',personIdExternal='*********')"/>
        <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#*********"/>
        <a:content type="application/xml">
            <m:properties>
                <d:emailType>*********</d:emailType>
                <d:personIdExternal>>*********</d:personIdExternal>
                <d:createdOn m:type="DateTimeOffset">>*********</d:createdOn>
                <d:isPrimary m:type="Boolean">>*********</d:isPrimary>
                <d:createdBy>>*********</d:createdBy>
                <d:lastModifiedBy>>*********</d:lastModifiedBy>
                <d:createdDateTime m:type="DateTimeOffset">>*********</d:createdDateTime>
                <d:emailAddress>>*********</d:emailAddress>
                <d:lastModifiedOn m:type="DateTimeOffset">>*********</d:lastModifiedOn>
                <d:lastModifiedDateTime m:type="DateTimeOffset">>*********</d:lastModifiedDateTime>
            </m:properties>
        </a:content>
    </a:entry>
</a:feed>

Ofcourse http://127.0.0.1:8080 has to be the external URL.

Any help is welcome!

1. Re: OData behind reverse NGINX proxy

rareddy Nov 15, 2018 12:24 PM (in response to marc.kusters)

Checkout Note on "Behind Proxy" in the documentation here OData Version 4.0 Support · GitBook hopefully that is what you are looking for.
Actions

2. Re: OData behind reverse NGINX proxy

marc.kusters Nov 19, 2018 10:04 AM (in response to rareddy)

I managed to solve it partially. Not totally sure if the whole configuration is necessary:

 <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="https" socket-binding="http" proxy-name="dns name of webservice" proxy-port="443"/>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="example.com"/>
                <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b %S %T">
                    <directory path="./"/>
                </access-log>
            </virtual-server>
            <valve name="RemoteIPValve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteIpValve">
                <param param-name="remoteIpHeader" param-value="X-Forwarded-For"/>
                <param param-name="protocolHeaderHttpsValue" param-value="https"/>
            </valve>
        </subsystem>

At leas the odata part works fine now, just need to fix the webinterface for the management console.

3. Re: OData behind reverse NGINX proxy

rareddy Nov 19, 2018 5:38 PM (in response to marc.kusters)

Can you not do this for single context root? I would need to dig through WildFly docs for any suggestions, but you seem to be right on the way. Keep us updated, I would like to capture this into Teiid documentation.
Actions

4. Re: OData behind reverse NGINX proxy

marc.kusters Nov 20, 2018 5:46 AM (in response to rareddy)

We got it working, for the management console no other changes in the configuration where necessary, it was a NGINX configuration thing:

server {
    listen      80;
    server_name otherdnsname.com dns_name_from_previous_post.com;
    return      301 https://$server_name$request_uri;
}


server {


    listen       443 ssl;
    ssl_certificate /etc/pki/tls/certs/aw5144.crt;
    ssl_certificate_key /etc/pki/tls/private/aw5144.key;


    proxy_set_header    X-Forwarded-For    $remote_addr;


    include /etc/nginx/default.d/*.conf;


    location / {
        proxy_pass http://127.0.0.1:8080/;
    }


    location /console/ {
        proxy_pass http://127.0.0.1:9990/console/;
    }


    location /management/ {
        proxy_pass http://127.0.0.1:9990/management/;
    }


    location /management {
        proxy_pass http://127.0.0.1:9990/management;
    }


    location /odata/ {
        proxy_pass http://127.0.0.1:8080/odata/;
        proxy_read_timeout 1800s;
    }


    location /odata4/ {
        proxy_pass http://127.0.0.1:8080/odata4/;
        proxy_read_timeout 1800s;
    }


    error_page 404 /404.html;
        location = /40x.html {
    }


    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }


}

Go to original post