This repository has been archived by the owner on Jun 15, 2021. It is now read-only.

SSL Voyant #17

Open
pguerr061703 opened this issue Mar 7, 2017 · 16 comments

@pguerr061703

Can you please share your config file for apache or nginx running Voyant. You mentioned this in your previous comment below. I am running nginx, but I can run apache if needed. I just need to view a config file where you forward traffic to HTTPS. Thank you very much. Sorry to constantly ask, but it is important.

sgsinclair commented on Jan 30
Oh, I thought I'd seen in your email a < VirtualHost > section. Anyway, I honestly don't know if the embedded Jetty server even supports SSL, so the assumption is that you'd be using nginx or apache as a front end.

The main (secure) server https://voyant-tools.org/ uses Apache to proxy an instance of Voyant running under Tomcat. I suspect I tried some simpler solutions and this is the one that I ended up getting to work. I'm happy to share any config files that could be of use.

@xenth

xenth commented Feb 9, 2018

I would also like the Apache config if possible. We tried setting up a reverse proxy but there are pieces so that only the main page comes up but anything else causes a problem. This is becoming more important as Chrome plans to mark all non-ssl sites as insecure in July.

The following is what we had but it didn't completely work:

<VirtualHost _default_:80>
  ServerName real.name.net
  LogLevel error

  <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteCond %{HTTPS} !=on
     RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
  </IfModule>
</Virtualhost>
<VirtualHost _default_:443>
  SSLEngine on
  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
  #strong encryption ciphers only
  SSLHonorCipherOrder On
  SSLCipherSuite AES256+EECDH:AES256+EDH
  #Key Locations
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
  SSLCertificateChainFile /etc/pki/tls/certs/server.ca

  ServerName real.name.net
  ServerSignature Off
  LogLevel error

  #ProxyPreserveHost On
  ProxyPass / http://localhost:8888/
  ProxyPassReverse / http://localhost:8888/
  ProxyPass /resources http://localhost:8888/resources
  ProxyPassReverse /resources http://localhost:8888/resources
  ProxyPass /trombone http://localhost:8888/trombone
  ProxyPassReverse /trombone http://localhost:8888/trombone
</Virtualhost>

@sgsinclair
Owner

Sorry for the delay in responding. Our secure instance uses Tomcat behind nginx, and I remember having to tweak something in the Tomcat config files. A quick look around suggests I may need to make some tweaks to get Jetty to handle the secure requests – I'll see what I can do and get back to you.

@PeterTonoli

Bump..
@sgsinclair I'd like to see your Nginx config too - as our Voyant config isn't quite up to scratch.. Perhaps it could also be included in the Docs for VoyantServer, as I'm sure that @pguerr061703 and myself aren't the only ones interested in getting VoyantServer running under Nginx.

@sgsinclair
Owner

Here's our site configuration file (an overabundance of caution leads me to comment out the actual location of the SSL certs):

upstream tomcat {
    server localhost:8080;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name voyant-tools.org;

    ssl_certificate # YOUR FILE HERE
    ssl_certificate_key # YOUR FILE HERE

    location / {
        client_max_body_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
        internal;
    }
}

@PeterTonoli

Brilliant, thanks @sgsinclair that did the trick. To close this issue, are you able to push this config into the documentation, as I'm sure there are others that would benefit?

Thanks again.

@sgsinclair
Owner

I think it would be premature to close this since I still have to work on getting Jetty to handle secure traffic directly, but I have started documenting some things like the Nginx Proxy configuration.

@PeterTonoli

We seem to have a strange problem: Using Voyant Server, with Nginx terminating SSL, works fine with Firefox 61. Using Chrome 66, we have complaints from the browser that /resources/voyant/current/voyant.min.js and /resources/voyant/current/voyant-locale-en.js are mixed content (with the URL being HTTP, instead of HTTPS).

[screenshot: voyant-server]

@sgsinclair
Owner

Yikes, that long list of scripts shouldn't be loading, it must be because voyant.min.js isn't loading. My guess is that voyant.jsp is redirecting but for some reason using http instead of https (from what I can see the protocol shouldn't even be included, but the context may be adding it). Is your installation available somewhere? Do you want to gmail me at sgsinclair with more details and I can have a look?

@afoster

afoster commented Oct 29, 2018

Hi, I'm having what I assume is the same issue as @sgsinclair above. I'm running a local nginx terminating a self-signed SSL cert behind which Voyant is running on port 8888 (invoked by Voyant Desktop).

My nginx location looks like this:

location / {
    client_max_body_size 0;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:8888;
}

Most of the document loads but Chrome cancels the request to voyant.jsp which is issuing a 302 to a plain http URL, in my case http://voyant.local/resources/voyant/current/voyant.min.js. It doesn't follow the 302 due to mixed mode warnings, so a bunch of JS doesn't load and you end up with a blank screen.

It is possible to bypass the problem by clicking the Chrome warning about "this page is trying to load scripts from unauthenticated sources".

I'm not a Java guy, but is it possible the server context just isn't respecting the X-Forwarded- headers?

Thanks
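
The redirect described in the comment above can be checked mechanically. This is an added example, not part of the thread or of Voyant's code: it flags a 3xx response that sends an https request to a plain-http Location and shows the rewrite a TLS-terminating proxy would have to apply (nginx's `proxy_redirect` directive performs this kind of Location rewriting). The sample response is constructed from the URLs quoted in the comment, and all function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the backend's reply to a request for
# https://voyant.local/resources/voyant/current/voyant.jsp, as described in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://voyant.local/resources/voyant/current/voyant.min.js\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status_code, headers) parsed from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def downgrade_target(request_url, raw_response):
    """Return the Location if an https request is redirected to plain http, else None."""
    status, headers = parse_response(raw_response)
    location = headers.get("location")
    if not (300 <= status < 400) or not location:
        return None
    # Relative Locations inherit the request scheme, so only absolute ones can downgrade.
    if urlsplit(request_url).scheme == "https" and urlsplit(location).scheme == "http":
        return location
    return None

def rewrite_for_client(location, client_scheme, client_host):
    """Give an absolute Location on our own host the scheme the client actually used."""
    loc = urlsplit(location)
    same_host = loc.hostname == client_host and loc.port is None
    if loc.scheme and same_host and loc.scheme != client_scheme:
        return urlunsplit((client_scheme, loc.netloc, loc.path, loc.query, loc.fragment))
    return location

if __name__ == "__main__":
    url = "https://voyant.local/resources/voyant/current/voyant.jsp"
    bad = downgrade_target(url, SAMPLE_RESPONSE)
    print("downgrade:", bad)
    print("rewritten:", rewrite_for_client(bad, "https", "voyant.local"))
```
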

@PeterTonoli

+1, @afoster glad I'm finally not the only one having this problem!

@LiberalArtist

LiberalArtist commented Oct 29, 2018

I had this problem, which at the time @sgsinclair thought must have had something to do with my proxy configuration. He gave me this workaround via email, which has been working for me:

In the meantime, if you want to cheat a bit, open _app/resources/jsp/pre_app.jsp and change this:

<script type="text/javascript" src="<%= base %>/resources/voyant/current/voyant.jsp?v=11<%= (request.getParameter("debug")!=null ? "&debug=true" : "") %>"></script>
<script type="text/javascript" src="<%= base %>/resources/voyant/current/voyant-locale.jsp?v=11&lang=<%= lang %>"></script>

to

<script type="text/javascript" src="<%= base %>/resources/voyant/current/voyant.min.js"></script>
<script type="text/javascript" src="<%= base %>/resources/voyant/current/voyant-locale-en.js"></script>

@afoster

afoster commented Oct 29, 2018

Yes sorry I meant your problem @PeterTonoli ! :)

I should add, the only reason it works when I allow Chrome past the mixed mode warnings, is that my nginx config includes a redirect from http to https as below. The Location header issued by the voyant.jsp request sends me to my http://voyant.local/resources/voyant/current/voyant.min.js which is subsequently redirected to https://voyant.local/resources/voyant/current/voyant.min.js by nginx. So it's really a moot point why that works.

location / {
    rewrite ^(.*) https://$server_name$1 permanent;
}

@afoster

afoster commented Oct 29, 2018

Ah yep I can see how that would work. Appreciate you sharing the workaround.

@sgsinclair
Owner

I'm curious what OS you're all running. I've never had a problem with this until I recently deployed to a CentOS 7 build.

There may actually be a few issues hiding in this ticket, but in my case the jsp file for voyant.min.jsp sometimes returns a blank document, which then forces the system to try to load individual scripts on-demand. I have no idea why the JSP is returning blank instead of redirecting to the .js file, I hope it's not a deep and obscure combination of server settings that will take days to try to untangle.

But yes, this is the best workaround for now: #17 (comment)

@LiberalArtist

I run on an Ubuntu 16.04 EC2 instance.

@afoster

afoster commented Oct 29, 2018

I'm running Voyant 2.4 M7 on Ubuntu 16.04 using openjdk 1.8.0_181.

@sgsinclair, when you say it returns a blank document, what http response code is it? 200 with no content?
