1. Home
  2. Portal
  3. RE: Liferay behind Apache reverse proxy working but...

RE: Liferay behind Apache reverse proxy working but...

thumbnail
Fernando Fernandez, modified 5 Years ago.
Liferay behind Apache reverse proxy working but...
Expert Posts: 401 Join Date: 8/22/07 Recent Posts
Hi all,
Apologies for this is not exactly a Liferay problem but it's a doubt on how to correctly setup Liferay behind an apache https reverse proxy.
I've setup a 7.2 DXP behind an apache, for https offloading, and Liferay is simply responding on http://localhost:8080 as default. 
The combination is working well, apparently, but I keep getting some warnings with the external IP address on the liferay log:
WARN  [ajp-nio-8019-exec-9][PortalImpl:1016] Redirect URL [url=https://40.127.180.179/group/cmo/~/control_panel/manage?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet&p_p_lifecycle=0&p_p_state=normal&p_p_state_rcv=1&p_p_auth=SQ1tuJ5s]https://40.127.180.179/group/mysite/~/control_panel/manage?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet&p_p_lifecycle=0&p_p_state=normal&p_p_state_rcv=1&p_p_auth=SQ1tuJ5s[/url] is not allowed

I would not expect to see messages with the external IP on the Liferay log and this seems to indicate that something is wrong on the reverse proxy conf. 
My proxy conf is very simple:
ProxyRequests On

ProxyPreserveHost On

ProxyPass / ajp://localhost:8009/

ProxyPassReverse / ajp://localhost:8009/

Any ideas why this is happening, and if it's creating some hidden problem?

TIA

Fernando 
thumbnail
Christoph Rabel, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
It's a security feature that disallows redirects to unknown urls/ips. You can control it using the following properties.
redirect.url.security.mode= ip or domain
redirect.url.domain.allowed=*domain1.com,www.domain2.com,*.domain3.com
redirect.url.ips.allowed=127.0.0.1,SERVER_IP
I usually set it to domain and add the list of domain names I need to use.
thumbnail
Fernando Fernandez, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Expert Posts: 401 Join Date: 8/22/07 Recent Posts
Thanks Christoph , it worked!
I still don't understand how the reverse proxy doesn't convert the external IP to the internal IP but I'll worry about this some other time.
Cheers
Fernando
thumbnail
Christoph Rabel, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
The urls created by Liferay are based on the HOST header field in the request. When you enable ProxyPreserveHost, Apache keeps the Host header and does not change it to localhost. That's a wonderful feature since it allows you to use multiple hostnames on the reverse proxy and the server in the backend always knows which one was used.
thumbnail
Fernando Fernandez, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Expert Posts: 401 Join Date: 8/22/07 Recent Posts
Thanks Christoph! :-)
thumbnail
David H Nebinger, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Liferay Legend Posts: 14933 Join Date: 9/2/06 Recent Posts
Fernando Fernandez:

I still don't understand how the reverse proxy doesn't convert the external IP to the internal IP but I'll worry about this some other time.

That's the nature of AJP; Tomcat gets the connection information that Apache gets and allows Liferay to build correct URLs.
thumbnail
Christoph Rabel, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
Fernando Fernandez:

My proxy conf is very simple:
ProxyRequests On
UH. I just noticed. This line is EVIL. With it, your Apache becomes a forward proxy. You do not want that. You should only do that if you really want a forward proxy AND have configured it properly.
thumbnail
Fernando Fernandez, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
Expert Posts: 401 Join Date: 8/22/07 Recent Posts
Well, I seem to remember that it was necessary many years ago, for the reverse proxy to work, but now I'll check again. Thanks!
Ricardo Franco, modified 5 Years ago.
RE: Liferay behind Apache reverse proxy working but...
New Member Posts: 4 Join Date: 4/10/14 Recent Posts
Thanks for solution! I was having the same problem today and this solved to my problem.
I was upgrading a legacy application from 6.2.0 to 6.2.5 CE (for security reasons) and before I didn't have this issue.
So it's a security enhancement! Makes sense!
What puzzles me a bit is that I see this fix "documented" in threads as old as 2 months, 4 months and 7 years (!!!) - which made me discard the solution at first: https://liferay.dev/forums/-/message_boards/message/16913681
Here it's mentioned as a bug in 6.2.4 CE GA5, 6.2.5 CE GA6:  https://issues.liferay.com/browse/LPS-63461
So it seems to be "feature" since 6.1 all the way to 7.2.
I if this is a well known thing I would expect to see it better documented somewhere.
Anyway, thanks a lot for the solution! It works!
PS: "ProxyRequests On" *is* indeed dangerous: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyrequests !