OpenAM Agents / AMAGENTS-2210

ProxyPass configuration example corrections

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.6.0.0, 5.5.0.0
    • Fix Version/s: 5.6.0.0, 5.5.1.1
    • Component/s: Doc
    • Story Points: 2
    • Sprint: 2019.2 - AM Docs - Hmm, 2019.2 - AM Docs - Harry

      Description

       The proxypass config in docs has some issues:
      https://backstage.forgerock.com/docs/openam-web-policy-agents/5.5/web-agents-guide/#proc-configure-reverse-proxy

      Proxy Config

      RequestHeader set X-Forwarded-Proto "https"
      ProxyPass "/openam/notifications" "ws://openam.example.com:8080/openam/notifications" Upgrade=websocket
      ProxyPass "/openam" "http://openam.example.com:8080/openam"
      ProxyPassReverseCookieDomain "openam.internal.example.com" "proxy.example.com"
      ProxyPassReverse "/openam" "http://openam.example.com:8080/openam"

      Upgrade=websocket will cause problems outside a <virtualhost> context. Apache will fail to start.

      Dec 05 16:30:56 6004.fr.local systemd[1]: Starting The Apache HTTP Server...
      Dec 05 16:30:56 6004.fr.local httpd[4934]: AH00526: Syntax error on line 357 of /etc/httpd/conf/httpd.conf:
      Dec 05 16:30:56 6004.fr.local httpd[4934]: ProxyPass unknown Worker parameter

      We also don't need it there as wstunnel does it itself:

      https://httpd.apache.org/docs/trunk/mod/mod_proxy_wstunnel.html

       

      This module requires the service of mod_proxy. It provides support for the tunnelling of web socket connections to a backend websockets server. The connection is automatically upgraded to a websocket connection:

       

      In fact the module can be used to upgrade to other protocols, you can set the upgrade parameter in the ProxyPass directive to allow the module to accept other protocol. NONE means you bypass the check for the header but still upgrade to WebSocket. ANY means that Upgrade will read in the request headers and use in the response Upgrade

       

      https://github.com/apache/httpd/blob/trunk/modules/proxy/mod_proxy_wstunnel.c#L320

      proxyws_dir_conf *dconf = ap_get_module_config(r->per_dir_config, &proxy_wstunnel_module); 
      const char *upgrade_method = *worker->s->upgrade ? worker->s->upgrade : "WebSocket";
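
      A pre-restart check for the startup failure shown in the log above, as an added example that is not part of the original issue or the ForgeRock documentation: the shell function find_upgrade_params (a hypothetical name) lists ProxyPass directives that carry an upgrade= worker parameter, so they can be reviewed against the httpd build in use. It assumes one directive per line, and the sample input is the configuration quoted in this issue.

```shell
#!/bin/sh
# Added example: list ProxyPass/ProxyPassMatch directives that carry an
# upgrade= worker parameter, the parameter httpd rejected in the log above.
# Assumption: one directive per line (no backslash continuations).

# find_upgrade_params FILE -> prints "LINENO: directive" for each match
find_upgrade_params() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
        }
        line ~ /^#/ { next }                  # skip comment lines
        tolower(line) ~ /^proxypass(match)?[ \t]/ {
            n = split(line, tok, /[ \t]+/)
            # tok[1] is the directive name; scan its arguments
            for (i = 2; i <= n; i++) {
                if (tolower(tok[i]) ~ /^upgrade=/) {
                    print NR ": " line
                    break
                }
            }
        }
    ' "$1"
}

# Constructed sample: the configuration quoted in this issue plus a comment line
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# reverse proxy for AM
RequestHeader set X-Forwarded-Proto "https"
ProxyPass "/openam/notifications" "ws://openam.example.com:8080/openam/notifications" Upgrade=websocket
ProxyPass "/openam" "http://openam.example.com:8080/openam"
ProxyPassReverseCookieDomain "openam.internal.example.com" "proxy.example.com"
ProxyPassReverse "/openam" "http://openam.example.com:8080/openam"
EOF

find_upgrade_params "$sample_conf"
rm -f "$sample_conf"
```

      Only the ws:// ProxyPass line on line 3 of the sample is reported; running apachectl configtest afterwards confirms whether the installed httpd accepts the remaining configuration.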

       

            People

            • Assignee: Cristina Herraz (cristina.herraz)
            • Reporter: Jeremy Cocks (jeremy.cocks)