Reverse-Proxy Chain

16 August 2015, 13:21

I'm trying to build a hiawatha reverse-proxy chain. This means I have a reverse-proxy X for different web-services (everything with TLS/SSL). This works as expected. Now I have a new web-service to maintain which hosts an instance of Jira (including Tomcat) with a hiawatha reverse-proxy Y in front of it (HTTPS). Connecting directly to this node works fine.
After chaining this node behind the reverse-proxy X, I'm getting BadRequests (400) for some HTTP POSTs and I'm not able to log in anymore.

works: User => HTTPS => ReverseProxy X => HTTPS => some web service
works: User => HTTPS => ReverseProxy Y => Jira/Tomcat

400 errors: User => HTTPS => ReverseProxy X => HTTPS => ReverseProxy Y => Jira/Tomcat

For testing purposes the certificates "for all reverse-proxies" are self-signed.

Is this set-up possible by using hiawatha? If so, do I have to set special options like "not verifying ssl certs" or do I have to set custom headers?

Maybe I'm missing something or it's silly...but asking now is more reasonable than wasting more time ^^

Hugo Leisink
16 August 2015, 13:53
Which node is generating the 400 errors?
16 August 2015, 15:22
Oh, that's fast

I see them on the reverse-proxy Y and the Jira/Tomcat access log. Since reverse-proxy Y runs on the same system as the Jira/Tomcat it should be the Tomcat. But this is awkward because connecting directly to reverse-proxy Y works just fine.
Hugo Leisink
16 August 2015, 20:24
Can you see what requests generate those 400 errors? Via tcpdump or something similar?
17 August 2015, 18:16
Until now I'm not able to find any relevant logs which might be helpful. I've analysed and compared the requests received by Tomcat for both situations with and without reverse proxy X (not working and working). The only differences are the additional components for hiawatha (X-Forward stuff and proxy ID).

Furthermore I can eliminate SSL as problem, since I tested everything with plain HTTP.

The Tomcat is complaining about an incorrect syntax/missing uri, but until now I couldn't find any hints what might be wrong. One guess could be problems handling the JSESSIONID.
19 August 2015, 22:03
After further investigation, there might also be some problems with Tomcat handling multiple X-Forward-for. In my opinion there is nothing wrong with hiawatha.
Hugo Leisink
21 August 2015, 08:02
Ok, that's good to hear!
This topic has been closed.