Bahmni: Why is ProxyPreserveHost set to On?

Hi team!

It seems that having the ProxyPreserveHost set to On does bring a certain level of complexity in the Apache conf files. I think this could be avoided by keeping it Off and modifying some SSL conf files declarations, but I’d like to know first what are the reasons to set it On in the first place.

(@ramses, @angshuonline, @binduak, @sumanmaity112, @darius, @mksd, @pramidat)

Below is my understanding of how the Apache configuration works and what the issue with it is. This is related to “BAH-409: HTTPS access not working on ‘/openmrs’ page when running on another port than 443”.


Each component in Bahmni is proxied by the Apache server.

For instance, requests to https://bahmni.example.com/openmrs when hitting the Apache layer will be redirected internally to http://localhost:8050/openmrs

See emr_ssl.conf:

#For Bahmni-EMR
ProxyPass /openmrs http://localhost:8050/openmrs
ProxyPassReverse /openmrs http://localhost:8050/openmrs

(Note that the TLS encryption also stops here.)

The same applies for each component:

The ProxyPass declaration does the redirection of requests. And by default, the redirected server does not know of the original address at all. For example, from the OpenMRS server perspective, requests are coming from http://localhost:8050/openmrs.

If the OpenMRS server sends back some redirection URL in the response, it will be to http://localhost:8050/openmrs/… which will fail on the client browser obviously. So we must make sure that it is proxied back to the original address.

This is the role of ProxyPassReverse declaration:

ProxyPassReverse /openmrs http://localhost:8050/openmrs

This way http://localhost:8050/openmrs is correctly translated back to https://bahmni.example.com/openmrs.


The specific case of ProxyPreserveHost On

In the ssl.conf file, the directive ProxyPreserveHost is explicitly set to On

This causes the hostname, say bahmni.example.com, to be kept through the proxies.

ProxyPass /openmrs http://localhost:8050/openmrs

The above will redirect requests made to https://bahmni.example.com/openmrs to http://localhost:8050/openmrs BUT they will be advertised to the OpenMRS server as coming from http://bahmni.example.com/openmrs

That means that if the OpenMRS server sends back some redirection URL, it will do so with the bahmni.example.com address: http://bahmni.example.com/openmrs

Note that it is HTTP and not HTTPS. https:// is not preserved by the ProxyPreserveHost On. Only the hostname is preserved.

Because the redirection URL is http://bahmni.example.com/openmrs, the ProxyPassReverse declaration will not match and the redirection URL won’t be overwritten back to https://bahmni.example.com/openmrs

As it is now, ProxyPassReverse has no effect.

The ProxyPassReverse should be:

ProxyPassReverse /openmrs http://bahmni.example.com/openmrs

in order to work.

That is an issue we don’t witness when running Bahmni on the default HTTPS port (443) because browsers will understand that http://bahmni.example.com/openmrs is returning TLS encrypted contents and will switch to https:// automatically.

But running Bahmni on another port than 443 will demonstrate that the redirection URL is indeed http://bahmni.example.com/openmrs and hence the issue described in BAH-409.


Setting ProxyPreserveHost Off?

So we see that having ProxyPreserveHost On requires hardcoding the domain name (without the port number) into all the configuration files.

This is far from optimal because we lose the flexibility of DNS redirections and CNAMEs. It also requires knowing the domain name right when the server is created.

Q: Why is ProxyPreserveHost set to On again?

3 Likes
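A simplified model of the Location rewriting described in the post above, as an added example that is not part of the original thread and is neither Bahmni's nor Apache's code. The function names and the /openmrs/login.htm path are constructed for illustration, and the model assumes the backend builds absolute redirects from the Host header it receives.

```python
from urllib.parse import urlsplit

BACKEND = "http://localhost:8050"      # ProxyPass target from emr_ssl.conf
PREFIX = "/openmrs"                    # proxied path
SAMPLE_PATH = "/openmrs/login.htm"     # constructed redirect target


def backend_redirect(host_header: str, path: str) -> str:
    """The backend only sees plain HTTP (TLS stopped at Apache), so the
    absolute redirect it builds from the Host header starts with http://."""
    return f"http://{host_header}{path}"


def proxy_pass_reverse(location: str, real_url: str, public: str) -> str:
    """Model of 'ProxyPassReverse /openmrs <real_url>': the Location header
    is rewritten only when it begins with real_url."""
    if location.startswith(real_url):
        return public + PREFIX + location[len(real_url):]
    return location  # no match: passed to the browser untouched


def simulate(public: str, preserve_host: bool, reverse_url: str) -> str:
    """Return the Location header the browser finally receives.

    public        -- scheme://host[:port] typed in the browser
    preserve_host -- value of ProxyPreserveHost
    reverse_url   -- second argument of ProxyPassReverse
    """
    client_host = urlsplit(public).netloc    # includes a non-default port
    backend_host = urlsplit(BACKEND).netloc  # localhost:8050
    host_sent = client_host if preserve_host else backend_host
    location = backend_redirect(host_sent, SAMPLE_PATH)
    return proxy_pass_reverse(location, reverse_url, public)


if __name__ == "__main__":
    site = "https://bahmni.example.com:9443"
    current = BACKEND + PREFIX
    print("Off:", simulate(site, False, current))
    print("On: ", simulate(site, True, current))
```

With ProxyPreserveHost On and the existing ProxyPassReverse line, the second call returns an http:// URL pointing at the TLS port, which is the symptom reported in BAH-409.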

@angshuonline, I recall that you have mentioned something about the cookies. ProxyPreserveHost On is useful for Bahmni Reports to share the OpenMRS session cookie (because the cookie applies on the initial domain).

Is that correct?

I see that in Apache proxy conf files, there is the option ProxyPassReverseCookieDomain that could help.

Hi @mksrom, we have tried different possibilities keeping ProxyPreserveHost On and Off. Below are a few of the important observations:

  1. Whether we keep ProxyPreserveHost On/Off, if both ProxyPass and ProxyPassReverse are configured in the emr_ssl.conf file as @mksrom mentioned, the redirection of URL is happening as expected.

And this is when HTTPS runs on port 443. So having ProxyPreserveHost On/Off doesn’t have any effect as long as ProxyPass and ProxyPassReverse are in place.

  2. But if we want to run HTTPS on a port other than 443 (e.g. port 9443), the below changes need to be done to the ssl.conf file.

Now we can access openmrs with this URL https://demo.mybahmni.org:9443/openmrs. Domain has valid SSL certificates and the redirection of URL is happening properly. But if we set ProxyPreserveHost On, the ProxyPassReverse doesn’t have any effect and the redirection of URL is not working.

Conclusion: In either of the above cases having ProxyPreserveHost On has no effect and it’s complicating things.

Thanks @sudhamsh for your inputs. Please add if I have missed any.

cc/ @mksd @swathivarkala @angshuonline @ramses

2 Likes

@binduak, thanks for investigating this.

I am quite surprised that Bahmni Reports still works after having set ProxyPreserveHost Off though (due to the cookie issue mentioned earlier in the thread).

Did you try it as well?

I didn’t think of that one.

Because we are running Bahmni in Docker containers, the port is still 443, but there is a mapping between say 9443 (outside of the container) and 443 (in the container). I don’t think that should change anything though.

Hi @mksrom, I have followed the steps mentioned in the BAH-659 JIRA card. I see that Bahmni Reports redirection is not working for me when HTTPS runs on a port other than 443.

After some more trials I think we could get rid of the ProxyPreserveHost On directive to have a cleaner setup instead.

I have PRed the change: https://github.com/Bahmni/bahmni-playbooks/pull/21