Hi,
you ran into the following bug: https://jira.duraspace.org/browse/DS-2030
DSpace's session hijacking prevention currently doesn't support
IPv4/IPv6 dual-stack setups.
But this just reveals another problem in your setup: DSpace recognizes the remote
IP as either 127.0.0.1 or ::1. This is security relevant as e.g. Solr is only
reachable from local loopback IPs and shouldn't be reachable directly from
other IPs. You should make sure that your nginx sets the appropriate HTTP
headers like X-Forwarded-For and that your servlet container recognizes these
headers. If you use Tomcat as servlet container you can find information about
proxy setups here:
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support
Regards,
Pascal
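As an added illustration (not from this thread or the DSpace project): a Tomcat conf/server.xml fragment enabling the RemoteIpValve described at the link above, so that Tomcat reports the client address taken from X-Forwarded-For instead of the proxy's loopback address. The internalProxies patterns are an assumption for an nginx running on the same host; adjust them if the proxy connects from another address.

```xml
<!-- conf/server.xml: place inside the <Host> element that serves DSpace.
     Tomcat only honours X-Forwarded-For on requests that arrive from an
     address matching internalProxies; here both the IPv4 and the IPv6
     loopback spellings are listed (assumed: nginx on the same host), so
     it works whichever address family nginx happens to connect over.
     A client on any other address that sends X-Forwarded-For itself is
     ignored, so the header cannot be used to forge a source address.
     protocolHeader is only meaningful if nginx also sends
     X-Forwarded-Proto (assumed; add proxy_set_header for it if not). -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1|::1"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
```

With the valve active, request.getRemoteAddr() returns the end client's address, so the dspace.log warning should name that address rather than 127.0.0.1 or ::1; checking the %h field of the Tomcat access log is a quick way to confirm the valve is in effect.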
From: Fitzpatrick, Christopher [mailto:[email protected]]
Sent: Thursday, September 04, 2014 9:49 AM
To: Becker, Pascal-Nicolas; [email protected]
Subject: Re: [Dspace-tech] JSPUI reverse proxy authentication
Hi,
Ah, I think I just fixed it.
Needed to put nginx upstream at the domain name and not localhost, since there
seems to be some IPv4 / IPv6 mismatching going on.
Changed nginx config:
http {
    upstream dspace {
        server dlib.wmu.se:8080;
    }
    ...
    location /jspui/ {
        proxy_pass http://dspace/jspui/;
        proxy_redirect http://dspace/jspui/ http://dlib.wmu.se/jspui/;
    ...
restarted nginx and now everything is sticking.
Thanks!
b,chris.
On 4 September 2014 09:43, Fitzpatrick, Christopher
<[email protected]> wrote:
Hi,
Thanks for the response...
Yup, seeing this in the log:
2014-09-04 03:37:59,373 WARN org.dspace.app.webui.util.UIUtil @ POSSIBLE
HIJACKED SESSION: request from 127.0.0.1 does not match original session
address: 0:0:0:0:0:0:0:1. Authentication rejected.
The base URL is set to dspace.baseUrl = http://dlib.wmu.se (I've tried with the
port and without the port, same results...) and the URL is set to dspace.url =
http://dlib.wmu.se/jspui
thanks again..b,chris.
On 3 September 2014 16:19, Becker, Pascal-Nicolas
<[email protected]> wrote:
Hi,
does the dspace.log log file contain any entries like the following one?
2014-MM-DD HH:MM:SS,YYY WARN org.dspace.app.webui.util.UIUtil @ POSSIBLE
HIJACKED SESSION: request from XXX.XXX.XXX.XXX does not match original session
address: XXX.XXX.XXX.XXX. Authentication rejected.
How are the configuration properties dspace.baseUrl and dspace.url set?
Regards,
Pascal Becker
From: Fitzpatrick, Christopher [mailto:[email protected]]
Sent: Wednesday, September 03, 2014 9:37 AM
To: [email protected]
Subject: [Dspace-tech] JSPUI reverse proxy authentication
Hi All,
I just set up DSpace for the first time. We're wanting to use the JSPUI
interface. I set up nginx as a reverse proxy in front of Tomcat, but it seems
that the authentication is not sticking. What I mean by that is I can
authenticate a user, and the page does show that I am logged in (and I have
access to certain restricted pages). But the user will lose their session after a
couple of minutes or on certain pages.
This is not happening if I access Tomcat directly at port 8080, so I think
there's something I'm missing in my nginx conf (included below).
Any ideas? Thanks for the help...b,chris,
location / {
    proxy_pass http://dspace;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_redirect http://dspace http://dlib.wmu.se;
    proxy_buffering off;
    proxy_store off;
    proxy_connect_timeout 120;
    proxy_send_timeout 120;
    proxy_read_timeout 120;
    # forwarded headers passed on to the upstream servlet container
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette