SID-01400: TWiki Behind Reverse Proxy SSL

Status:	Asked	TWiki version:	5.1.1	Perl version:	5.10.1
Category:	CategoryInstallation	Server OS:	RHEL 6.1	Last update:	2 month ago

Is there a recommended Apache configuration to get TWiki through a reverse proxy via SSL?

In my case, where I have an SSL proxy in front of the TWiki host, he site comes through with broken images and CSS links, which usually indicates these paths are hard coded within an application In `configure`, there is a "Mail and Proxies" section, but I see only mail settings, and no proxy stuff. I tried hand-setting {PROXY}{HOST} and {PROXY}{PORT} to match the proxy server, with no change in results.

Even though I have all /twiki* requests from the proxy being rewritten to the back-end, I still see 404s in the Apache log for /var/www/html/twiki* on the proxy itself, which is surprising.

I found three similar questions asked in the Support web over the past several years, but none had a conclusive resolution.

-- JohnDeStefano - 2012-02-10

Discussion and Answer

I see now that configure's proxy settings are activated as "expert" settings, and that they apply to outgoing traffic, which wouldn't be helpful in this case.

-- JohnDeStefano - 2012-02-10

Can you access configure script from outside the proxy? If so, check the pub directory is well defined in configure script and it is readable from outside your network.

All broken images and CSS usually means problems with pub directory.

Also check that file permissions are ok.

-- EnriqueCadalso - 2012-02-11

Hi Enrique,

configure can be accessed both inside and outside the proxy, and its style sheet and images (though limited) appear to be fine.

Permissions seem fine: owner of `pub` is apache.apache and I've done a recursive `chown` just to be sure. Everything renders absolutely perfectly on the localhost, so this must be a matter of properly configuring the SSL proxy:

RewriteRule ^/twiki(.*)$ http://[backend.host]/twiki$1 [P,L]

-- JohnDeStefano - 2012-02-15

I have a related question as well, though I can break it out into a separate one if need be: I'd like to pass an ENV header from the proxy and have TWiki pick it up and interpret it as the TWiki user ID. Previously, I was able to add an `$ENV{REMOTE_USER}` line to LocalLib.cfg convert the variable, but now when I do this I see an Apache error: view: Use of uninitialized value in substitution iterator at /var/www/twiki/lib/TWiki/Render.pm line 523

Granted, when accessed via the proxy, I see that the conversion is actually taking place, and TWiki correctly identifies me as the proper user, but this error is still logged. Should this variable be declared elsewhere?

-- JohnDeStefano - 2012-02-15

Any information regarding the rules/config necessary to proxy via SSL, as well as remote user authentication, in version v5.x would be appreciated. Thanks.

-- JohnDeStefano - 2012-03-02

If you answer a question - or have a question you asked answered by someone - please remember to edit the page and set the status to answered. The status is in a drop-down list below the edit box.