
When using a reverse proxy for SSL termination, gold generates wrong resource URLs #41

Closed
reederz opened this issue Apr 27, 2015 · 17 comments


@reederz
Contributor

reederz commented Apr 27, 2015

Instead of exposing gold directly to the internet, I want to use NGINX to terminate my SSL connections. The problem is, that when I proxy requests to gold, it thinks that I requested a resource through HTTP and generates wrong resource URLs.

Command to start go server:

go run ~/gopath/src/github.com/linkeddata/gold/server/*.go -http=":8080" -insecure=true -root=/root/jolocom-test-data/ldpc-justas

Nginx host:

server {
        listen 443;
        server_name gold.jolocom.com;

        root html;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # the posted value contained a literal " or " pasted from documentation; use a single cipher list
        ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        location / {
                proxy_pass         http://localhost:8080/;
                proxy_redirect     off;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

Querying a resource (notice http instead of https in subjects):

[  4:39PM ]  [ justas@choedankal:~ ]
 $ curl -k -i -H "Accept: application/n-triples" https://gold.jolocom.com/people/justas  
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 27 Apr 2015 14:39:34 GMT
Content-Type: application/n-triples
Transfer-Encoding: chunked
Connection: keep-alive
Accept-Patch: application/json, application/sparql-update
Accept-Post: text/turtle, application/json
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: User, Triples, Location, Link, Vary, Last-Modified, Content-Length
Access-Control-Max-Age: 1728000
Allow: OPTIONS, HEAD, GET, PATCH, POST, PUT, MKCOL, DELETE, COPY, MOVE, LOCK, UNLOCK
Etag: "6c15c714783feae55bea5502670c1a91"
Link: <http://gold.jolocom.com/people/justas/,acl>; rel="acl", <http://gold.jolocom.com/people/justas/,meta>; rel="meta"
Link: <http://www.w3.org/ns/ldp#BasicContainer>; rel="type"
Link: <http://www.w3.org/ns/ldp#Resource>; rel="type"
Link: <http://gold.jolocom.com/people/justas/,meta>; rel="meta"
Ms-Author-Via: DAV, SPARQL
Triples: 33
Updates-Via: wss://gold.jolocom.com/
User: 

<http://gold.jolocom.com/people/justas/.acl> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/.ttl> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/card> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/card.acl> .
<http://gold.jolocom.com/people/justas/card.ttl> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/.acl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/.acl> .
<http://gold.jolocom.com/people/justas/.acl.ttl> <http://www.w3.org/ns/posix/stat#size> "455" .
<http://gold.jolocom.com/people/justas/card.ttl> <http://www.w3.org/ns/posix/stat#size> "688" .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#Directory> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/ldp#BasicContainer> .
<http://gold.jolocom.com/people/justas/.ttl> <http://www.w3.org/ns/posix/stat#size> "332" .
<http://gold.jolocom.com/people/justas/card.acl.ttl> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/card.ttl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/ldp#Container> .
<http://gold.jolocom.com/people/justas/.acl.ttl> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/.ttl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/card.ttl> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/.acl.ttl> .
<http://gold.jolocom.com/people/justas/card.acl.ttl> <http://www.w3.org/ns/posix/stat#size> "464" .
<http://gold.jolocom.com/people/justas/card.acl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/card.acl> <http://www.w3.org/ns/posix/stat#size> "65" .
<http://gold.jolocom.com/people/justas/.acl> <http://www.w3.org/ns/posix/stat#size> "61" .
<http://gold.jolocom.com/people/justas/.ttl> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/card> <http://www.w3.org/ns/posix/stat#size> "61" .
<http://gold.jolocom.com/people/justas/card.acl> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/posix/stat#size> "4096" .
<http://gold.jolocom.com/people/justas/.acl.ttl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/card.acl.ttl> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/> <http://www.w3.org/ns/ldp#contains> <http://gold.jolocom.com/people/justas/card.acl.ttl> .
<http://gold.jolocom.com/people/justas/card> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/posix/stat#File> .
<http://gold.jolocom.com/people/justas/card> <http://www.w3.org/ns/posix/stat#mtime> "1430143653" .
@deiu
Contributor

deiu commented Apr 27, 2015

Thanks for raising this issue. I'll look into it.

@deiu deiu added the bug label Apr 27, 2015
@deiu
Contributor

deiu commented May 4, 2015

After looking into it, I can say that everything works as expected, since "insecure" means running the server only over HTTP.

@reederz
Contributor Author

reederz commented May 4, 2015

Yeah, it makes sense.
I spoke with @bblfish and he said that with reverse proxies, WebID authentication wouldn't work either.

Does it mean that I shouldn't ever use reverse proxies with gold and other similar implementations, if I want full functionality available to me?

@deiu
Contributor

deiu commented May 4, 2015

What does reverse proxying through nginx give you that gold doesn't already? :)

@reederz
Contributor Author

reederz commented May 4, 2015

We want to package an LDP server with freedombox (http://freedomboxfoundation.org/). With freedombox, the LDP server would be one of several HTTP servers running, so in order to share the SSL port, we have to use a reverse proxy. Otherwise, we have to put gold on a different port. Also, we'd have to copy the SSL cert in 2 places. Finally, see this thread read-write-web/rww-play#153 (comment).

Basically, it's not a MUST that gold works with a reverse proxy setup but it causes some inconvenience :)

@deiu
Contributor

deiu commented May 4, 2015

I see. So the only inconvenience at this point is WebID-TLS. Maybe WebID-RSA can help here, as it is already implemented in gold.

@reederz
Contributor Author

reederz commented May 4, 2015

Nice! I'll try it this week.

@presbrey
Member

presbrey commented May 9, 2015

@reederz your nginx.conf is missing config that folks normally use to instruct nginx upstreams about the termination scheme:

    proxy_set_header X-Forwarded-Proto $scheme;

gold already uses this header to calculate base URIs. Try http://wiki.nginx.org/SSL-Offloader or https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-load-balancing-with-ssl-termination for other common nginx SSL termination configurations.
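As an added illustration of the header-based scheme detection presbrey describes (this is example code, not gold's own implementation): the backend derives the base URI from X-Forwarded-Proto, but only honours the header when the connection actually comes from the proxy, because a plain-HTTP backend on port 8080 otherwise lets any direct client choose the scheme that ends up in generated URLs. The trustedProxies list and the simulate helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed for this example: the only peer allowed to assert X-Forwarded-Proto
// is the local nginx instance (proxy_pass http://localhost:8080/ in the config above).
var trustedProxies = []string{"127.0.0.0/8", "::1/128"}

// fromTrustedProxy reports whether remoteAddr ("ip:port") belongs to a trusted proxy network.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, cidr := range trustedProxies {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// requestScheme returns the scheme the original client used: TLS on this hop wins,
// otherwise a forwarded scheme is accepted only from a trusted proxy.
func requestScheme(r *http.Request) string {
	if r.TLS != nil {
		return "https"
	}
	if fromTrustedProxy(r.RemoteAddr) &&
		strings.EqualFold(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")), "https") {
		return "https"
	}
	return "http"
}

// baseURI builds the absolute URI gold-style link headers and triples would be based on.
func baseURI(r *http.Request) string {
	return fmt.Sprintf("%s://%s%s", requestScheme(r), r.Host, r.URL.Path)
}

// simulate constructs an in-memory request as it would arrive at the backend over plain HTTP.
func simulate(remote, host, path, forwardedProto string) string {
	r := httptest.NewRequest("GET", "http://"+host+path, nil)
	r.RemoteAddr = remote
	if forwardedProto != "" {
		r.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	return baseURI(r)
}
```

Run with a proxied request from 127.0.0.1 carrying `X-Forwarded-Proto: https` and the base becomes https://gold.jolocom.com/people/justas/; the same header from a non-proxy address is ignored and the URI stays http.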

@reederz
Contributor Author

reederz commented May 10, 2015

@presbrey thanks for this, the fix worked.

@timbl
Member

timbl commented Feb 27, 2016

Re "What does reverse proxying through nginx gives you that gold doesn't already? :)" I know it had a smiley, but I would add a philosophical requirement on anything like gold or ldnode: it must be able to operate as a subset of a smaller system. In node, you tend to get this with running express and invoking different packages on the same server, but with Apache and others you have to let people run their server of choice as the front end. So providing separate config parameters for its external URI space and internal ones is important.

@sandhawke
Member

@reederz When you say "the fix worked", does that include WebID-TLS client-certs as well?

@melvincarvalho
Member

I've been looking at HAProxy as a passthrough from port 443 to 8443.

https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html#ssl-tls-passthrough

My early testing indicates that ldnode will request a client certificate in passthrough mode.

@melvincarvalho
Member

FYI: this is the config I used:

global
  log 127.0.0.1 local0
  maxconn 4000
  daemon

defaults
  log     global
  mode    http
  option  httplog
  option  dontlognull
  timeout server 5s
  timeout connect 5s
  timeout client 5s
  stats enable
  stats refresh 10s
  stats uri /stats

frontend ft_myapp
 bind :443
 mode tcp
 default_backend bk_myapp

backend bk_myapp
 mode tcp
 server app1 127.0.0.1:8443 check

@reederz
Contributor Author

reederz commented Mar 13, 2016

@sandhawke no, the fix only takes care of correct absolute URL generation and it was enough in our case (though eventually we ended up using pagekite to route traffic). I haven't tried configuring NGINX to terminate WebID-TLS connections at gold level (which is what I think is needed to make it work).

@sandhawke
Member

Thanks @reederz. (Pagekite looks cool.)

@tomasklapka

I was able to WebID-TLS auth into gold running behind an nginx proxy with the stream ssl preread configuration. See this ServerFault answer.
Though, it does not seem to be possible to configure nginx to have another virtual host on the same ip:port (https) proxied to a different port than the one configured for ssl preread.

@RubenVerborgh
Member

Thanks @tomasklapka for pointing to the header-based solution. I will try to implement this in the Node.js server (nodeSolidServer/node-solid-server#519).
