DSpace 7.6.1 Configuration Issues with Apache HTTPD and SSL

Hello everyone,

I’m currently setting up a DSpace 7.6.1 instance for an internally-hosted and accessed metadata database and have encountered several issues that I’m struggling to resolve. Below, I have my relevant config files listed out. But first, I will address the issue I’m encountering.

The results of yarn test:rest are exactly what you would expect from a working setup:

[dspace@pedsdspace01 dspace-angular-dspace-7.6.1]$ yarn test:rest
yarn run v1.22.22
$ ts-node --project ./tsconfig.ts-node.json scripts/test-rest.ts
Building production app config
Overriding app config with /home/dspace/dspace-angular-dspace-7.6.1/config/config.yml
Overriding app config with /home/dspace/dspace-angular-dspace-7.6.1/config/config.prod.yml
...Testing connection to REST API at https://pedsdspace01.research.chop.edu/server/api...
(node:2078877) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
RESPONSE: 200 200
Checking JSON returned for validity...
"dspaceVersion" = DSpace 7.6.1
"dspaceUI" = https://pedsdspace01.research.chop.edu
"dspaceServer" = https://pedsdspace01.research.chop.edu/server
"dspaceServer" property matches UI's "rest" config? true
Does "/api" endpoint have HAL links ("_links" section)? true
Done in 2.11s.

You might have noticed a warning message about NODE_TLS_REJECT_UNAUTHORIZED. That’s because I set NODE_TLS_REJECT_UNAUTHORIZED to 0 in my ~/.bashrc. I was still encountering problems when I would just set NODE_EXTRA_CA_CERTS. These are the environment variables I have set w/r/t Node in my ~/.bashrc:

export NODE_EXTRA_CA_CERTS="/etc/pki/tls/certs/pedsdspace01.research.chop.edu.crt"
export NODE_TLS_REJECT_UNAUTHORIZED=0
export NODE_OPTIONS="--max-old-space-size=4096"

I am trying to test my setup through yarn start:dev. My config details are below, but for now, it should be useful to know that ui.ssl: false and rest.ssl: true.

When I forward port 4000 to my machine and go to http://localhost:4000, I get DSpace’s 500 page, which, believe it or not, is a huge achievement:

[image: image.png]

Visiting the site (which can only be accessed internally) via its URL https://pedsdspace01.research.chop.edu/ does not produce the same thing:

[image: image.png]

I am told “Invalid Host header.” Nothing really illuminating in the DevTools.

The backend works fine. I am totally able to access https://pedsdspace01.research.chop.edu/server/#/server/api and see the HAL Browser:

So the issue seems to be with connecting the frontend to the backend.

I have valid certificates issued by my IT department:

/etc/pki/tls/certs/pedsdspace01.research.chop.edu.crt
/etc/pki/tls/private/pedsdspace01.research.chop.edu.pem

Environment Setup

- *Backend*: DSpace REST API running on Tomcat with HTTP on port 8080 and AJP on port 8009.
- *Frontend*: DSpace Angular UI running on Node.js with HTTP on port 4000.
- *Proxy*: Apache HTTPD acting as a reverse proxy, handling SSL termination and forwarding requests to Tomcat and the Angular UI.

Configuration Files

*1. config.dev.yml*

ui:
  ssl: false
  host: localhost
  port: 4000
  nameSpace: /
  rateLimiter:
    windowMs: 60000
    max: 500
  useProxies: true

rest:
  ssl: true
  host: pedsdspace01.research.chop.edu
  port: 443
  nameSpace: /server

*2. config.prod.yml*

ui:
  ssl: false
  host: pedsdspace01.research.chop.edu
  port: 443
  nameSpace: /
  basePath: /
  rateLimiter:
    windowMs: 60000
    max: 500
  useProxies: true

rest:
  ssl: true
  host: pedsdspace01.research.chop.edu
  port: 443
  nameSpace: /server

*3. local.cfg*

dspace.ui.url = https://pedsdspace01.research.chop.edu
dspace.server.url = https://pedsdspace01.research.chop.edu/server
solr.server = http://localhost:8983/solr
db.url = jdbc:postgresql://localhost:5432/dspace
db.driver = org.postgresql.Driver
db.dialect = org.hibernate.dialect.PostgreSQL94Dialect
db.username = dspace
db.password = dspace
db.schema = public

*4. server.xml*

<Connector port="8080" minSpareThreads="25"
           enableLookups="false" redirectPort="8443"
           connectionTimeout="20000" disableUploadTimeout="true"
           URIEncoding="UTF-8"/>

<Connector protocol="AJP/1.3" port="8009" redirectPort="8443"
           URIEncoding="UTF-8" secretRequired="false" />

Here, I inserted secretRequired because I noticed the same type of error in my catalina.err file as in this StackOverflow post <https://stackoverflow.com/questions/60501470/the-ajp-connector-is-configured-with-secretrequired-true-but-the-secret-attrib>.

*6. ssl.conf*

Listen 443 https

<VirtualHost *:443>
    ServerName pedsdspace01.research.chop.edu

    # Add your desired log settings
    LogLevel trace6
    ErrorLog /var/log/httpd/pedsdspace01.research.chop.edu.error.log
    CustomLog /var/log/httpd/pedsdspace01.research.chop.edu.access.log combined

    # SSL logging for requests
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Ensure the correct headers and host settings
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto https

    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/pedsdspace01.research.chop.edu.crt
    SSLCertificateKeyFile /etc/pki/tls/private/pedsdspace01.research.chop.edu.pem

    # Proxy requests to the Tomcat server (backend)
    ProxyPass /server ajp://localhost:8009/server
    ProxyPassReverse /server ajp://localhost:8009/server

    # Proxy requests to the Angular UI server (frontend)
    ProxyPass / http://localhost:4000/
    ProxyPassReverse / http://localhost:4000/
</VirtualHost>

--
All messages to this mailing list should adhere to the Code of Conduct:
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/CAAyrjvuMTr3QpBjkfCEEi9frRWuH8a-uq-kaTh-Q_tp6Q10z%2BQ%40mail.gmail.com.