Hello,

Based on the information you shared, I believe your "ui" settings in your 
config.prod.yml may be incorrect.

When using Apache HTTPD as a proxy, typically your config.prod.yml will 
have UI settings that use "localhost" like this:

ui:
  ssl: false
  host: localhost
  port: 4000
  nameSpace: /

The reason is that the User Interface itself should actually be running on 
http://localhost:4000/. That way Apache HTTPD can proxy requests to 
localhost:4000 whenever someone accesses your site via your public URL.  
That is configured via these settings (which you already have in your 
Apache ssl.conf):

ProxyPass / http://localhost:4000/ 
ProxyPassReverse / http://localhost:4000/

NOTE specifically that Apache is trying to proxy requests to 
http://localhost:4000/.  That's correct, but it also means your "ui" 
settings in your config.prod.yml should run from http://localhost:4000/ in 
order to *receive those requests via Apache*.

Everything else in your configuration looks correct at a glance.  The 
"rest" settings of your config.prod.yml look correct, as they *require* 
using the full/public URL of the REST API.  The backend settings in 
local.cfg also look correct, and they seem to be proven to work because 
your "yarn rest:test" command is running successfully.

Hopefully it's just the "ui" settings that are wrong in your 
config.prod.yml and fixing them will solve the problem.  If you are still 
having issues, you may want to look closer at our Troubleshooting Guide 
<https://wiki.lyrasis.org/display/DSPACE/Troubleshoot+an+error#Troubleshootanerror-DSpace7.xor8.x> 
to see if you can find more detailed error messages in the UI or in the 
backend logs, and also review the "Common Installation Issues" 
<https://wiki.lyrasis.org/display/DSDOC7x/Installing+DSpace#InstallingDSpace-CommonInstallationIssues> 
section of the Install Guide to see if you are seeing any of the errors listed 
there.

Tim

On Thursday, May 16, 2024 at 10:16:33 AM UTC-5 [email protected] wrote:

> DSpace 7.6.1 Configuration Issues with Apache HTTPD and SSL 
>
> Hello everyone,
>
> I’m currently setting up a DSpace 7.6.1 instance for an internally-hosted 
> and accessed metadata database and have encountered several issues that I’m 
> struggling to resolve.
>
> Below, I have my relevant config files listed out. But first, I will 
> address the issue I’m encountering.
>
> The results of yarn test:rest are exactly what you would expect from a 
> working setup:
>
> [dspace@pedsdspace01 dspace-angular-dspace-7.6.1]$ yarn test:rest
> yarn run v1.22.22
> $ ts-node --project ./tsconfig.ts-node.json scripts/test-rest.ts
> Building production app config
> Overriding app config with /home/dspace/dspace-angular-dspace-7.6.1/config/config.yml
> Overriding app config with /home/dspace/dspace-angular-dspace-7.6.1/config/config.prod.yml
> ...Testing connection to REST API at https://pedsdspace01.research.chop.edu/server/api...
>
> (node:2078877) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment 
> variable to '0' makes TLS connections and HTTPS requests insecure by 
> disabling certificate verification.
> (Use `node --trace-warnings ...` to show where the warning was created)
> RESPONSE: 200 200 
>
> Checking JSON returned for validity...
>     "dspaceVersion" = DSpace 7.6.1
>     "dspaceUI" = https://pedsdspace01.research.chop.edu
>     "dspaceServer" = https://pedsdspace01.research.chop.edu/server
>     "dspaceServer" property matches UI's "rest" config? true
>     Does "/api" endpoint have HAL links ("_links" section)? true
> Done in 2.11s.
>
> You might have noticed a warning message about 
> NODE_TLS_REJECT_UNAUTHORIZED. That’s because I set 
> NODE_TLS_REJECT_UNAUTHORIZED to 0 in my ~/.bashrc. I was still 
> encountering problems when I would just set NODE_EXTRA_CA_CERTS. These 
> are the environmental variables I have set w/r/t Node in my ~/.bashrc:
>
> export NODE_EXTRA_CA_CERTS="/etc/pki/tls/certs/pedsdspace01.research.chop.edu.crt"
> export NODE_TLS_REJECT_UNAUTHORIZED=0
> export NODE_OPTIONS="--max-old-space-size=4096"
>
> I am trying to test my setup through yarn start:dev. My config details 
> are below, but for now, it should be useful to know that ui.ssl: false 
> and rest.ssl: true.
>
> When I forward port 4000 to my machine and go to http://localhost:4000, I 
> get DSpace’s 500 page, which, believe it or not, is a huge achievement:
> [image: image.png]
>
>
> Visiting the URL (which can only be accessed internally) via its URL 
> https://pedsdspace01.research.chop.edu/ does not produce the same thing:
> [image: image.png]
>
>
> I am told “Invalid Host header.” Nothing really illuminating in the 
> DevTools.
>
> The backend works fine. I am totally able to access 
> https://pedsdspace01.research.chop.edu/server/#/server/api and see The 
> HAL Browser:
>
>
> So the issue seems to be with connecting the frontend to the backend.
>
> I have valid certifications issued by my IT department:
>
> /etc/pki/tls/certs/pedsdspace01.research.chop.edu.crt
> /etc/pki/tls/private/pedsdspace01.research.chop.edu.pem
>
> Environment Setup 
>    
>    - *Backend*: DSpace REST API running on Tomcat with HTTP on port 8080 
>    and AJP on port 8009. 
>    - *Frontend*: DSpace Angular UI running on Node.js with HTTP on port 
>    4000. 
>    - *Proxy*: Apache HTTPD acting as a reverse proxy, handling SSL 
>    termination and forwarding requests to Tomcat and the Angular UI. 
>
> Configuration Files 
>
> *1. config.dev.yml*
>
> ui:
>   ssl: false
>   host: localhost
>   port: 4000
>   nameSpace: /
>   rateLimiter:
>     windowMs: 60000 
>     max: 500 
>   useProxies: true
>
> rest:
>   ssl: true
>   host: pedsdspace01.research.chop.edu
>   port: 443
>   nameSpace: /server
>
> *2. config.prod.yml*
>
> ui:
>   ssl: false
>   host: pedsdspace01.research.chop.edu
>   port: 443
>   nameSpace: /
>   basePath: /
>   rateLimiter:
>     windowMs: 60000
>     max: 500
>   useProxies: true
>
> rest:
>   ssl: true
>   host: pedsdspace01.research.chop.edu
>   port: 443
>   nameSpace: /server
>
> *3. local.cfg*
>
> dspace.ui.url = https://pedsdspace01.research.chop.edu
> dspace.server.url = https://pedsdspace01.research.chop.edu/server
>
> solr.server = http://localhost:8983/solr
>
> db.url = jdbc:postgresql://localhost:5432/dspace
> db.driver = org.postgresql.Driver
> db.dialect = org.hibernate.dialect.PostgreSQL94Dialect
> db.username = dspace
> db.password = dspace
> db.schema = public
>
> *4. server.xml*
>
> <Connector port="8080"  
>                 minSpareThreads="25"
>                 enableLookups="false"
>                 redirectPort="8443"
>                 connectionTimeout="20000"
>                 disableUploadTimeout="true"
>                 URIEncoding="UTF-8"/>
> <Connector 
>            protocol="AJP/1.3" 
>            port="8009" 
>            redirectPort="8443" 
>            URIEncoding="UTF-8" 
>            secretRequired="false" />
>
> Here, I inserted secretRequired because I noticed the same type of error 
> in my catalina.err file as in this StackOverflow post 
> <https://stackoverflow.com/questions/60501470/the-ajp-connector-is-configured-with-secretrequired-true-but-the-secret-attrib>
> .
>
> *6. ssl.conf*
>
> Listen 443 https
> <VirtualHost *:443>
>     ServerName pedsdspace01.research.chop.edu
>
>     # Add your desired log settings
>     LogLevel trace6
>     ErrorLog /var/log/httpd/pedsdspace01.research.chop.edu.error.log
>     CustomLog /var/log/httpd/pedsdspace01.research.chop.edu.access.log combined
>     # SSL logging for requests
>     CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>     # Ensure the correct headers and host settings
>     ProxyPreserveHost On
>     RequestHeader set X-Forwarded-Proto https
>
>     # SSL Configuration
>     SSLEngine on
>     SSLCertificateFile /etc/pki/tls/certs/pedsdspace01.research.chop.edu.crt
>     SSLCertificateKeyFile /etc/pki/tls/private/pedsdspace01.research.chop.edu.pem
>
>     # Proxy requests to the Tomcat server (backend)
>     ProxyPass /server ajp://localhost:8009/server
>     ProxyPassReverse /server ajp://localhost:8009/server
>
>     # Proxy requests to the Angular UI server (frontend)
>     ProxyPass / http://localhost:4000/
>     ProxyPassReverse / http://localhost:4000/
> </VirtualHost>
>
>
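
Added example, not part of the original messages and not DSpace's own tooling: a small Python check that compares the "ui" section of config.prod.yml with the "ProxyPass /" target in ssl.conf, as the reply above describes, and also reports the NODE_TLS_REJECT_UNAUTHORIZED=0 setting that Node warns about in the quoted output. The function names and the sample strings are constructed for illustration, and the YAML reader handles only the flat scalar keys shown in this thread.

```python
import re

# Constructed samples modelled on the files quoted in this thread.
CONFIG_PROD_YML = """\
ui:
  ssl: false
  host: pedsdspace01.research.chop.edu
  port: 443
  rateLimiter:
    max: 500
rest:
  ssl: true
"""
SSL_CONF = """\
ProxyPass /server ajp://localhost:8009/server
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/
"""
BASHRC = "export NODE_TLS_REJECT_UNAUTHORIZED=0\n"

def yaml_section(text, name):
    """Scalar keys directly under one top-level section (not a full YAML parser)."""
    out, inside = {}, False
    for line in text.splitlines():
        if re.match(r"\S", line):          # a new top-level key starts here
            inside = line.strip() == name + ":"
        elif inside and (m := re.match(r"  (\w+):\s*(\S+)\s*$", line)):
            out[m.group(1)] = m.group(2)   # two-space indent only, skips nested keys
    return out

def ui_origin(cfg):
    """Origin the Node UI process will listen on, per the ui: section."""
    ui = yaml_section(cfg, "ui")
    scheme = "https" if ui.get("ssl") == "true" else "http"
    return f"{scheme}://{ui.get('host')}:{ui.get('port')}"

def proxy_target(conf, path="/"):
    """Backend URL of the ProxyPass directive for exactly this path."""
    m = re.search(rf"^\s*ProxyPass\s+{re.escape(path)}\s+(\S+)", conf, re.M)
    return m.group(1).rstrip("/") if m else None

def audit(cfg, conf, env=""):
    findings = []
    origin, target = ui_origin(cfg), proxy_target(conf)
    if origin != target:
        findings.append(f"UI binds {origin} but Apache proxies / to {target}")
    if re.search(r"^\s*(export\s+)?NODE_TLS_REJECT_UNAUTHORIZED=0\b", env, re.M):
        findings.append("NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification")
    return findings
```

With the "ui" host and port changed to localhost and 4000, the first finding disappears; the second stays until the variable is removed from the environment.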
