Reverse proxy (or NAT) problem

Adam_Thompson · March 7, 2024, 4:08am

I’m setting up RT5.0.4 behind a firewall, and am using HAProxy on the firewall.
As long as I run RT5 as root on port 80, everything seems to work properly, but when I switch to port 8080 (to avoid running as root) I find that RT starts redirecting to : which of course doesn’t work.

The HAProxy part works great, but for reference its config is (lightly redacted):

frontend bsdcan.athompso.net
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/65e7e651e8d489.80192286.certlist 
    mode http
    option http-keep-alive
    default_backend tickets.bsdcan.org
    option forwardfor
    option httplog
    option socket-stats
backend tickets.bsdcan.org
    mode http
    http-reuse safe
    server tickets.bsdcan.org 172.31.31.200:8080

So far I’ve set in RT_SiteConfig.pm (partial, I haven’t included everything):


Set( $rtname, 'tickets.bsdcan.org');
Set( $Organization, 'tickets.bsdcan.org' );
Set( $WebDomain, 'bsdcan.athompso.net');
Set( $WebPort, '443' );
Set( $WebBaseURL, 'https://bsdcan.athompso.net');
Set( $DevelMode, 1 );
Set( $WebSecureCookies, 0 );
Set( $Timezone, 'US/Eastern' );

RT5 itself is being invoked as uid/gid _rt:_rt, and /var/www/rt/* is all chown’d to _rt:_rt. I’m using the built-in Starlet/Plask HTTP server until I get it all working.

When I hit https://bsdcan.athompso.net/ I get the login page, correctly.
If I provide an incorrect password, I get told that immediately - no problem so far.
But if I login with valid credentials, I get redirected to http://bsdcan.athompso.net:8080 which of course doesn’t work at all.
If I then go back to https://bsdcan.athompso.net/ suddenly I’m logged in!

Any ideas why RT is redirecting to a completely bogus URL that never existed, doesn’t exist, and will never exist?

Again, if I take out WebBaseURL, set WebPort to 80, adjust the HAproxy config, it works 100%. I’m baffled.
Oh, it doesn’t seem to matter what I set WebPort to, nor what I set WebBaseURL to it always redirects to http on port 8080.

Help?
-Adam

sollericos · March 7, 2024, 6:44am

Hi, Adam. Did you set $WebBaseURL, $WebURL and/or $CanonicalizeRedirectURLs?
Check RT Config - RT 5.0.5 Documentation - Best Practical

Adam_Thompson · March 7, 2024, 10:25pm

I had missed the setting to Canonicalize redirects (and feeds, too).
It works now.
Thank you!