Running OpenACS behind a proxy
If you are running OpenACS behind a reverse proxy such as NGINX or pound, use the following configuration options.
- Make sure the proxy server adds the following request header fields:
  - X-Forwarded-For: containing the IP address of the client making the actual request
  - X-SSL-Request: this header field should be set when the incoming request to the proxy was an HTTPS request. This way, OpenACS can treat the connection as secure, even when the connection between the reverse proxy and NaviServer is a plain HTTP connection.
- In the configuration file of NaviServer (or AOLserver), make sure the following parameters are set:
  - Parameter ReverseProxyMode in the global parameters (under ns/parameters). This parameter is used by the Tcl code to obtain the right value via [ad_conn peeraddr] or [ad_conn behind_proxy_p]. When the reverse proxy sets the X-SSL-Request header field, [ad_conn behind_secure_proxy_p] will also be true.
  - Parameter checkforproxy in the nslog section. When it is activated, the entries in the access log will contain the client address provided by the proxy via the X-Forwarded-For header. If it is not set, the access log will always show the IP address of the proxy server (the last-mile connection).
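As an added example (not from this page or from the OpenACS distribution), the following NaviServer configuration fragment sets both parameters described above; the server name "openacs" is an assumption, and the proxy-side header configuration is not shown.

```tcl
# Added example, not part of the OpenACS documentation or distribution.
# NaviServer configuration fragment for a server running behind a reverse proxy.
# Assumption: the server is named "openacs" (adjust to your own setup).
set server openacs

# Global parameters: reverseproxymode makes the OpenACS Tcl layer trust the
# X-Forwarded-For header, so [ad_conn peeraddr] returns the real client
# address and [ad_conn behind_proxy_p] returns 1. There is no separate
# parameter for X-SSL-Request; OpenACS reads that header field directly and
# reports it via [ad_conn behind_secure_proxy_p].
ns_section ns/parameters
ns_param reverseproxymode true

# Access-log module: with checkforproxy enabled, nslog writes the client
# address taken from X-Forwarded-For instead of the proxy's own address.
ns_section ns/server/${server}/module/nslog
ns_param checkforproxy true

# Make sure the nslog module is actually loaded for this server.
ns_section ns/server/${server}/modules
ns_param nslog nslog.so
```

Only set reverseproxymode when the server is not reachable directly, since any client that can bypass the proxy could otherwise supply its own X-Forwarded-For and X-SSL-Request values.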
In order to check whether the settings are correct, inspect the results of the following command calls in ds/shell (available when acs-developer-support is installed):
- ad_conn behind_proxy_p
- ad_conn behind_secure_proxy_p
Note that when a server is running behind a secure proxy but ad_conn behind_secure_proxy_p returns 0, the security rating of the server will be downgraded, since no secure cookies will be used, etc. To check the settings, run the following command in ds/shell; it should return a non-empty result.
- ad_get_cookie ad_user_login_secure ""