Proper configuration for behind a reverse proxy?

RT Users
1

I’m running into problems trying to get RT5 running behind a reverse proxy. I’m running into problems with http requests being generated when they should be https requests. I read through the posts I could find here relating to this problem but still can’t get this working properly.

I connect to RT using an https connection to the rproxy server (apache mod_proxy iirc) that is then redirected to my rt5 server using an http connection. This works for most of the site, but some actions result in an error like this:

Possible cross-site request forgery

RT has detected a possible cross-site request forgery for this request, because the Referrer header supplied by your browser (helpdesk.example.ca:443) is not allowed by RT’s configured hostname (helpdesk.example.ca:80). A malicious attacker may be trying to modify or access a search on your behalf. If you did not initiate this request, then you should alert your security team.

If you really intended to visit http://helpdesk.example.ca/rt5/Search/Build.html and modify or access a search, then click here to resume your request .

My web config entries in RT_Config.pm look like this:

Set($WebDomain, “helpdesk.example.ca”);
Set($WebPort, 80);
Set($WebPath, “/rt5”);

Set($webBaseURL,‘https://helpdesk.example.ca’);
Set($WebURL,‘https://helpdesk.example.ca/rt5/’);

Set($CanonicalizeRedirectURLs, 1);

My rproxy config looks like this:

           # Added for rt4 server
            <Location /rt5/>
                Order allow,deny
                Allow from all
                ProxyPass http://10.90.8.152/rt5/ flushpackets=on
                ProxyPassReverse http://10.90.8.152/rt5/
            </Location>

Can anyone see my mistake?

2

If your reference proxy can look for port 443 on local host can you try just changing the RT port to?:

Set($WebPort, 443);

3

Thanks for the suggestion. I figured it was worth a try, but sadly it produces 404 errors for parts of the page when I do that. The web page output looks like the css file and images didn’t load. Errors like this:

10.90.8.122 - - [20/Oct/2020:15:42:18 -0600] “GET /rt5/NoAuth/Helpers/CustomLogo/f5e44781188a3362653485444cedf5ff HTTP/1.1” 404 - “https://helpdesk.example.ca/rt5/” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/83.0.4103.61 Chrome/83.0.4103.61 Safari/537.36”

I’m using the rt-server method of starting the server for testing. This is the command line I’m using to start it.

sbin/rt-server --port 80 --webpath /rt5 --env development --access-log var/access.log

I added the --port 80 as that’s the port being used by the rpoxy. Not sure if the parameters in RT_Config effect the server behavior or not. Thats with webPort being set to 443.

4

Looks like I may have been mistaken… Seems things are working now! :slight_smile:

I noticed while changing the config back that there was an extra - on the command line of my rt-server --port 80 call; before the --port 80 parameter. Trying again without it seems to work now! :wink: So to recap, my currently confirmed working configuration is as follows:

RT_Config.pm web config parameters:

Set($WebDomain, “helpdesk.example.ca”);
Set($WebPort, 443);
Set($WebPath, “/rt5”);

Set($webBaseURL,‘(https://helpdesk.example.ca/)’);

Set($CanonicalizeRedirectURLs, 1);

My mod_proxy config on the reverse proxy are as follows:

        <Location /rt5/>
            Order allow,deny
            Allow from all
            ProxyPass http://10.90.8.152/rt5/ flushpackets=on
            ProxyPassReverse http://10.90.8.152/rt5/
        </Location>

My rt-server command line is as follows:

sbin/rt-server --port 80 --webpath /rt5 --env development --access-log var/access.log

It’s a little odd and counter intuitive, but seems to be working! :smiley: