Web Interface Login button/POST "http" while all other links "https"

[bushong1]

Whenever I try to login to my geoserver with a browser, it is failing to connect. I believe i've tracked it down to the fact that the login url is being presented to the client as HTTP, which is strange because all other URLs on the site are HTTPS as i expect, but not Login.

My system is setup behind a Load Balancer which handles certs/TLS termination, and then proxies requests to the docker container. There's no expectation that the docker container will get an HTTPS request, or that letsencrypt will run or anything. This seems to be fine for all web interface links except Login.

Is there an environment variable I can configure to tell the Login button to use https:// without requiring the whole container to have self-managed certs? Is this a bug with geoserver?

[NyakudyaA]

@bushong1 If you look at the proxy base URL what is it set to. Maybe you need to define the following env variables https://github.com/kartoza/docker-geoserver#proxy-base-url

[bushong1]

@NyakudyaA thanks for the suggestion, but i've had no luck. For testing purposes i set:

HTTP_PROXY_NAME: foobarbaz
HTTP_PROXY_PORT: 443

With the expectation that the form submission link would be generated with the url: https://foobarbaz:443/geoserver/[...], despite it being a non-SSL geoserver. But... the form is still be generated as http.

Popping open browser inspect:
<form style="display: inline-block;" method="post" action="http://foobarbaz:443/geoserver/j_spring_security_check">
The submission is still http even though the domain and port are properly configured... I tried setting HTTPS_PROXY_* but had the same result.

For most links that are improperly generated, it's not a big deal because we have a 301 redirect from 80->443, but POSTs don't honor redirects by design. Any other ideas?

[NyakudyaA]

Maybe you need to set the https proxy env. Do you have an example of a docker-compose you using or helm chart

[pedroetb]

I'm facing same issue using 2.19.2.

I tried to include protocol at HTTP_PROXY_NAME (like https://geoserver.example.com), but a http:// is always added at the beginning (e.g. http://https//geoserver.example.com).

Setting HTTPS_PROXY_* doesn't help here, they are only applying when using SSL and are useless when running behind reverse proxy.

[NyakudyaA]

I'm facing same issue using 2.19.2.

I tried to include protocol at HTTP_PROXY_NAME (like https://geoserver.example.com), but a http:// is always added at the beginning (e.g. http://https//geoserver.example.com).

Setting HTTPS_PROXY_* doesn't help here, they are only applying when using SSL and are useless when running behind reverse proxy.

Can you please share a docker-compose to replicate

[pedroetb]

When using 2.18.2 is working fine, generating a valid URL for login POST request (with https protocol). Now I'm able to login again, with 2.19.2 the mixed http/https content was breaking it.

I have no easy to use docker-compose example, because it needs Traefik reverse-proxy and I'm using a clustered environment, but these are the used environment variables for primary instance:

BROKER_URL: tcp://0.0.0.0:61616
CLUSTER_DURABILITY: true
CLUSTERING: true
COMMUNITY_EXTENSIONS: jms-cluster-plugin
EMBEDDED_BROKER: enabled
FOOTPRINTS_DATA_DIR: /opt/footprints_dir
GEOSERVER_ADMIN_PASSWORD: changeme
GEOSERVER_ADMIN_USER: admin
GEOSERVER_DATA_DIR: /opt/geoserver/data_dir
GEOSERVER_NODE_OPTS: id:{{.Service.Name}}-{{.Task.Slot}};background:black;color:white
GEOWEBCACHE_CACHE_DIR: /opt/geoserver/gwc
HTTP_PORT: 8080
INITIAL_MEMORY: 1G
INSTANCE_STRING: {{.Service.Name}}-{{.Task.Slot}}
MAXIMUM_MEMORY: 2G
RANDOMSTRING: {{.Service.Name}}-{{.Task.Slot}}
READONLY: disabled
STABLE_EXTENSIONS: css-plugin,inspire-plugin,csw-plugin,netcdf-plugin,netcdf-out-plugin,ysld-plugin
TOGGLE_MASTER: true
TOGGLE_SLAVE: false
TOMCAT_EXTRAS: false
WEB_INTERFACE: false

[pedroetb]

Using the new feature for getting config files from /settings, got it working adding these lines to web.xml:

<context-param>
   <param-name>PROXY_BASE_URL</param-name>
   <param-value>https://geoserver.example.com/geoserver</param-value>
</context-param>

Tried using HTTP_PROXY_NAME instead of literal value, but doesn't get replaced.

Got the idea from: https://stackoverflow.com/questions/68783126/issue-with-geoserver-login-with-ssl

[pedroetb]

Got it working using:

<context-param>
   <param-name>PROXY_BASE_URL</param-name>
   <param-value>https://${HTTP_PROXY_NAME}/geoserver</param-value>
</context-param>

at /settings/web.xml, and setting in environment CATALINA_OPTS=-DHTTP_PROXY_NAME=${HTTP_PROXY_NAME} (or JAVA_OPTS, both works) and HTTP_PROXY_NAME=geoserver.example.com.

[NyakudyaA]

Got it working using:

<context-param>
   <param-name>PROXY_BASE_URL</param-name>
   <param-value>https://${HTTP_PROXY_NAME}/geoserver</param-value>
</context-param>

at /settings/web.xml, and setting in environment CATALINA_OPTS=-DHTTP_PROXY_NAME=${HTTP_PROXY_NAME} (or JAVA_OPTS, both works) and HTTP_PROXY_NAME=geoserver.example.com.

I have just tested this with the following command

docker run -it --name geoserver  -e PKCS12_PASSWORD=geoserver -e JKS_KEY_PASSWORD=geoserver -e JKS_STORE_PASSWORD=geoserver -e HTTPS_PROXY_NAME=foo.bar.com -e HTTPS_PROXY_PORT=8443 -e SSL=true -p 8443:8443 -p 8600:8080 kartoza/geoserver:2.19.2

Everything works as expected and in a combination with manually setting the proxy_base URL in web.xml and mounting it, I think this is sufficient enough to close this issue @bushong1 cc @pedroetb

[pedroetb]

Ok, but I prefer not enabling SSL at geoserver side (not needed for my use case). Using the web.xml setting is enough for me.

Thanks!

[bushong1]

@NyakudyaA I also prefer not enabling SSL at the Geoserver side. I'll give the web.xml part a shot.

[NyakudyaA]

This is simply fixed by adding the env variables if you are terminating SSL

HTTP_SCHEME=https
HTTP_PROXY_NAME=foo.org

[lacardonap]

Thank you very much for your contributions, in my case I solved it this way:

docker run -it --name geoserver -v /etc/certs:/etc/certs -e PKCS12_PASSWORD=geoserver -e JKS_KEY_PASSWORD=geoserver -e JKS_STORE_PASSWORD=geoserver -e HTTPS_PROXY_NAME=foo.org -e HTTPS_PROXY_PORT=8443 -e HTTP_SCHEME=https -e HTTP_PROXY_NAME=foo.org -e SSL=true -p 8443:8443 -p 8600:8080 kartoza/geoserver:2.22.0

[pedroetb]

After commit c7dd64d (using v2.23.1), login form was using http protocol again. This commit solve it passing proxy headers with Nginx, but using Traefik you need something like these service labels:

...
traefik.http.middlewares.add-proxy-protocol-header.headers.customrequestheaders.x-forwarded-proto: https
traefik.http.routers.geoserver-master-admin.middlewares: add-proxy-protocol-header
...

[NyakudyaA]

After commit c7dd64d (using v2.23.1), login form was using http protocol again. This commit solve it passing proxy headers with Nginx, but using Traefik you need something like these service labels:

...
traefik.http.middlewares.add-proxy-protocol-header.headers.customrequestheaders.x-forwarded-proto: https
traefik.http.routers.geoserver-master-admin.middlewares: add-proxy-protocol-header
...

Maybe you could propose a PR, where you can add an env variable like

IF [ Traefik ~= TRUE ];then
you commands here
else
default
fi

[pedroetb]

In this case, I think it's not possible, because these settings are for an external service, not used by GeoServer (for Traefik autodiscovery of Docker Swarm services).

[NyakudyaA]

In this case, I think it's not possible, because these settings are for an external service, not used by GeoServer (for Traefik autodiscovery of Docker Swarm services).

Better to add it in the README so that it doesn't get lost in the comment here