[SOLVED] OTRS 6, Reverse Proxy, SSL offload

Moderator: crythias

Locked
netjess
Znuny expert
Posts: 172
Joined: 16 Nov 2011, 23:35
Znuny Version: 6.0.16
Real Name: Jesse
Company: Mercer Valve Company
Location: Oklahoma USA
Contact:

[SOLVED] OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

Greetings Otters,

I just finished OTRS upgrade from 5 to 6. But I have my system behind a reverse proxy that also handles SSL.
I have always had a little issue about a page error that wanted to reload the page as you navigate tickets but since the upgrade it is worse.
It only seems to happen if I use https.
It throws a message that "OTRS has detected possible network issues" and says to reload the page or wait till the browser establishes connection on its own. If I wait just a bit I get a new message that states "the connection has been re-established after a temporary connection loss. Due to this elements on this page could have stopped working correctly". It goes on to say that you need to reload the page. But it just keeps cycling through these messages in a flapping error.

Is there a standard or suggested reverse proxy setup specified for OTRS? My setup almost works, I can login and navigate tickets but with a lot of interruption from connection error messages.

Here is what my current r-proxy vhost file looks like:

Code:

<VirtualHost *:443>
  ServerName help.mydomain.com
  ServerAlias help.mydomain.net
  ServerAdmin it@mydomain.com
  ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel info
  CustomLog /var/log/apache2/access-ssl.log combined
  ProxyRequests off
  <Location /otrs>
    ProxyPass http://helpdesk.mydomain.local/otrs/
    ProxyPassReverse http://helpdesk.mydomain.local/otrs/
  </Location>
  <Location /otrs-web>
    ProxyPass http://helpdesk.mydomain.local/otrs-web/
    ProxyPassReverse http://helpdesk.mydomain.local/otrs-web/
  </Location>
  # Use mod_proxy_html to rewrite URLs
  SetOutputFilter proxy-html
  # commented out
  #  ProxyHTMLURLMap http://helpdesk.mydomain.local/ https://help.mydomain.com/
  #  ProxyHTMLURLMap http://helpdesk.mydomain.local/otrs/ https://help.mydomain.com/otrs/
  #  ProxyHTMLURLMap http://helpdesk.mydomain.local/otrs-web/ https://help.mydomain.com/otrs-web/
  # Disable compressed communication between Apache and target server
  RequestHeader unset  Accept-Encoding
  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on
  # Allows the proxying of an SSL connection
  SSLProxyEngine On
  # certificate
  SSLCertificateFile    /etc/ssl/certs/help.mydomain.com/help.mydomain.com.crt
  SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key
</VirtualHost>

Thank you.
Last edited by netjess on 05 Mar 2019, 00:29, edited 1 time in total.
Powered by OTRS 6
Active Directory LDAP Integration.
Ubuntu 18 LTS, Apache2, PostgreSQL.
root
Administrator
Posts: 4281
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: OTRS 6, Reverse Proxy, SSL offload

Post by root »

Hi,

Did you try to ProxyPass to an https backend? This would be my first try. Figuring out a proper reverse proxy setup could be very difficult and could also depend on your SSL termination product.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

I have not called https to backend. My RP is Ubuntu 18, Apache2. It proxies 6 other sites and no issue on those. It seems to be something particular to how OTRS handles the proxied connection. Maybe how it handles sessions and refreshing?

One of the other sites that uses the proxy is a Moodle server, it has a setting built into it that you have to specify if it is behind a proxy. Is there anything like that in OTRS? I am very surprised that there isn't more information about a supported configuration for this common method of exposure to the Internet.
Also, something changed behavior in upgrade from 5 to 6. Behavior changed and worsened after upgrade.

I will look into making the back call as https but that means I lose the ssl offload.
Thank you.

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

Hello,

Any idea why it is adding a bunch of additional slash marks to URL?
like this.
/otrs////////////index.pl?

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

Good Morning Folks,
Hoping someone can help me get this worked out.
I am looking at the access logs on my OTRS host and I am seeing entries like this:
127.0.1.1:80 10.20.187.105 - - [28/Feb/2019:15:22:31 +0000] "GET /otrs/otrs-web/js/js-cache/ModuleJS_8aa8f619f61cc3a33d44640b0dff1667.js HTTP/1.1" 404 576 "https://help.mydomain.com/otrs/index.pl ... tDashboard" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"

The fact that it is responding "https://help.mydomain.com/otrs/index.pl?Action=" concerns me. All the requests coming in from the proxy are http://servername.local; why would it respond with https and Internet FQDN?
There is a FQDN setting in OTRS but supposedly it is only used to create links in messaging.

Thanks for any assistance.

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

netjess wrote: 28 Feb 2019, 17:40
Good Morning Folks,
Hoping someone can help me get this worked out.
I am looking at the access logs on my OTRS host and I am seeing entries like this:
127.0.1.1:80 10.20.187.105 - - [28/Feb/2019:15:22:31 +0000] "GET /otrs/otrs-web/js/js-cache/ModuleJS_8aa8f619f61cc3a33d44640b0dff1667.js HTTP/1.1" 404 576 "https://help.mydomain.com/otrs/index.pl ... tDashboard" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36"

The fact that it is responding "https://help.mydomain.com/otrs/index.pl?Action=" concerns me. All the requests coming in from the proxy are http://servername.local; why would it respond with https and Internet FQDN?
There is a FQDN setting in OTRS but supposedly it is only used to create links in messaging.

Thanks for any assistance.

I was misreading the log entry. The reference to the outside server is just the original request in the header passed to the proxy and has nothing to do with a response from the internal OTRS server.
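
The correction in the post above turns on which field of the access-log entry holds the https URL. As an added example (not part of the original posts), this parser splits an entry into named fields, assuming the Debian/Ubuntu `vhost_combined` log format; the second sample entry and the flag names are constructed for illustration.

```python
import re

# Assumed layout (Debian/Ubuntu "vhost_combined"):
#   vhost:port client ident user [time] "request" status bytes "Referer" "User-Agent"
LINE = re.compile(
    r'(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def triage(line):
    """Split one log line into (path, status, referer, flags); None if it does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    path, status = m["path"], int(m["status"])
    flags = []
    if status == 404:
        flags.append("not-found")
    if "//" in path:
        flags.append("repeated-slashes")
    if path.startswith("/otrs/otrs-web/"):
        flags.append("nested-prefix")  # /otrs-web requested underneath /otrs
    # The Referer is a header the browser sent with the request: it names the
    # page the user was on (the public https URL), not anything the backend returned.
    return path, status, m["referer"], flags

SAMPLE = [
    # Entry quoted in the thread (its Referer is elided there with " ... ").
    '127.0.1.1:80 10.20.187.105 - - [28/Feb/2019:15:22:31 +0000] '
    '"GET /otrs/otrs-web/js/js-cache/ModuleJS_8aa8f619f61cc3a33d44640b0dff1667.js HTTP/1.1" '
    '404 576 "https://help.mydomain.com/otrs/index.pl ... tDashboard" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/72.0.3626.81 Safari/537.36"',
    # Constructed entry showing the repeated-slash symptom.
    '127.0.1.1:80 10.20.187.105 - - [28/Feb/2019:15:23:02 +0000] '
    '"GET /otrs////index.pl HTTP/1.1" 200 1024 "-" "constructed-agent"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```
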

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

Update, I spoke with someone from OTRS sales (checking on per incident support) and told them about the lack of documentation on OTRS behind a proxy. They said they were about to go into a meeting where they would raise the issue.
There is a statement that says it is supported but no documentation on specific requirements to set up properly.

There must be such specific requirements because I have no issue if I use a direct URL, only if I go through the proxy.
It does not matter if I use http or https.

Re: OTRS 6, Reverse Proxy, SSL offload

Post by root »

Hi,

Did you try to use / as the location instead of /otrs and /otrs-web? Or is this the main reason for the RP to push multiple apps behind one VirtualHost?

- Roy

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

root wrote: 04 Mar 2019, 20:55
Hi,

Did you try to use / as the location instead of /otrs and /otrs-web? Or is this the main reason for the RP to push multiple apps behind one VirtualHost?

- Roy

Hello,
A lot of that was to try and fix it. I have gone back to a simpler vhost. I am not getting the additional slashes but I am still having the issue with the page wanting to constantly reload as I navigate, especially in tickets.
Thanks,
Here is my current vhost file.

Code:

# OTRS Helpdesk
<VirtualHost *:443>
  ServerName help.mydomain.com
  ServerAlias help.mydomain.net
  ServerAdmin it@mydomain.net
  ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel info
  CustomLog /var/log/apache2/access-ssl.log combined
  ProxyRequests off
  ProxyPass / http://help.mydomain.local/
  ProxyPassReverse / http://help.mydomain.local/
  ProxyHTMLURLMap http://help.mydomain.local /
  ProxyHTMLEnable On
  RequestHeader   unset   Accept-Encoding
  # Use mod_proxy_html to rewrite URLs
  SetOutputFilter proxy-html
  # Disable compressed communication between Apache and target server
  RequestHeader unset  Accept-Encoding
  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on
  # Allows the proxying of an SSL connection
  SSLProxyEngine On
  SSLCertificateFile    /etc/ssl/certs/help.mydomain.com/help.mydomain.com.crt
  SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key
</VirtualHost>

Re: OTRS 6, Reverse Proxy, SSL offload

Post by root »

Hi,

I tried to reproduce it but it works so far without any problem or error message.
That's all I used inside of a VirtualHost:

Code:

ProxyRequests off
SSLProxyEngine On
ProxyPass / https://xx/
ProxyPassReverse / https://xx/

Any hint how to enforce your issue?

-Roy

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

I have not tried to reproduce this in some other environment.
The setup is this:
Internet <> firewall <> Proxy <> firewall <> OTRS

firewall has ports 80 and 443 open between proxy and OTRS and 80 and 443 open between proxy and Internet.
I don't think anything else is required.

Other than:
ProxyHTMLURLMap http://help.mydomain.local /
ProxyHTMLEnable On
RequestHeader unset Accept-Encoding
SetOutputFilter proxy-html

My vhost and yours are the same except for comments and details required.

I will try the vhost without those options and see how it goes.

Thank you for your response.

Re: OTRS 6, Reverse Proxy, SSL offload

Post by netjess »

root wrote: 04 Mar 2019, 22:28
Hi,

I tried to reproduce it but it works so far without any problem or error message.
That's all I used inside of a VirtualHost:

Code:

ProxyRequests off
SSLProxyEngine On
ProxyPass / https://xx/
ProxyPassReverse / https://xx/

Any hint how to enforce your issue?

-Roy

Hello,
Well, removing those options seems to have fixed the issue. Reading the Apache page I am not clear why it broke them but it does somehow.
Thanks so much for your assistance.

Here is my current vhosts for 443 and 80.

Code:

<VirtualHost *:443>
  ServerName help.mydomain.com
  ServerAlias help.mydomain.net
  ServerAdmin it@mydomain.net
  ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
  LogLevel info
  CustomLog /var/log/apache2/access-ssl.log combined
  ProxyRequests off
  ProxyPass / http://help.mydomain.local/
  ProxyPassReverse / http://help.mydomain.local/
  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/help.mydomain.NET/help.mydomain.NET.crt
  SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key
</VirtualHost>

<VirtualHost *:80>
  ServerAdmin it@mydomain.net
  ErrorLog /var/log/apache2/reverseproxy_error.log
  LogLevel info
  CustomLog /var/log/apache2/access.log combined
  ServerName help.mydomain.com
  ServerAlias help.mydomain.net
  ProxyRequests off
  ProxyPass / http://help.mydomain.local/
  ProxyPassReverse / http://help.mydomain.local/
</VirtualHost>

Re: [SOLVED] OTRS 6, Reverse Proxy, SSL offload

Post by root »

Hi,

Great to hear that it's solved. During the year I learned that ProxyHTMLURLMap is not the best option and should only be used if the HTML contains the wrong hostname. Most applications nowadays just work with / or a path and there's no need for content manipulation.

- Roy
Locked
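
The outcome of the thread as an added example (not code from the posters or from OTRS/Znuny): a small check that reads a vhost file and reports the mod_proxy_html directives whose removal ended the reload loop, plus any port-80 vhost that proxies without a redirect to HTTPS. The finding names, the `backend.example` host and the port-80 check are assumptions of this example.

```python
import re

# Directive -> argument substring; together these make mod_proxy_html rewrite bodies.
REWRITERS = {"proxyhtmlurlmap": "", "proxyhtmlenable": "on", "setoutputfilter": "proxy-html",
             "requestheader": "unset accept-encoding"}

def parse_vhosts(text):
    """Return [(listen_address, [(directive, args), ...])], directives lower-cased."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = (opened.group(1).strip(), [])
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current and line and line[0] not in "#<":
            name, *rest = line.lower().split(None, 1)
            current[1].append((name, " ".join("".join(rest).split())))
    return vhosts

def lint(text):
    """Flag proxying vhosts that rewrite response bodies or proxy over plain HTTP."""
    findings = []
    for addr, directives in parse_vhosts(text):
        names = {name for name, _ in directives}
        proxied = "proxypass" in names
        findings += [(addr, "content-rewrite", n) for n, a in directives
                     if proxied and n in REWRITERS and REWRITERS[n] in a]
        if proxied and addr.endswith(":80") and not names & {"redirect", "rewriterule"}:
            findings.append((addr, "cleartext-listener", "proxypass"))
    return findings

# Constructed sample: the thread's directives with a placeholder backend host.
SAMPLE = """
<VirtualHost *:443>
  ProxyPass / http://backend.example/
  ProxyHTMLURLMap http://backend.example /
  ProxyHTMLEnable On
  RequestHeader   unset   Accept-Encoding
  SetOutputFilter proxy-html
</VirtualHost>
<VirtualHost *:80>
  ProxyPass / http://backend.example/
</VirtualHost>
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```
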