kentico and apache reverse proxy

steve reinders asked on February 5, 2018 01:17

We've found that we cannot integrate a new K10 install into our existing Apache rev proxy infrastructure as it doesn't respond to the server's IP address. Since K10 is running "behind" IIS we feel there must be a config that was missed. There doesn't seem to be anything against this, from a licensing perspective, although the developers have never delivered an install this way. Can anyone shed some light on this ? Thanks in advance...

Correct Answer

Trevor Fayas answered on February 13, 2018 20:49

(sorry forgot to log into my normal account)

By the very nature of a Proxy, all traffic to the server will in essence be "from" a single point.

The work around is passing the header "X-Forwarded-For" parameter to help the website know that the incoming request (from the proxy) is really from the origin request (user). Most built in services such as Load Balancers and Content Delivery Networks use this, and Kentico doesn't seem to have a problem even on version 9 leveraging this, as we have IP Geo location on one of our sites that sits behind a Content Delivery Network.

However if you are building the proxy yourself, you'll need to make sure you leverage this.

https://docs.alertlogic.com/userGuides/web-security-manager-premier-preserve-IP-address.htm

0 votesVote for this answer Unmark Correct answer

Recent Answers


Trevor Fayas answered on February 5, 2018 15:09

If you do not even get to a Kentico screen, then nothing to do with Kentico.

How normal setup works with IIS is that a Domain points to an IP address, which points to the IIS server.

IIS receives the requested domain, and using it's Bindings maps one of it's site to it. That's how you can host multiple sites on one IIS server, say "Test1.com" and "Test2.com" they both may resolve to the same IP address, but when the IIS server gets "Test1.com is asking for a site" it knows which ones to provide.

If your Proxy is redirecting IP addresses to the IIS server, you need to look at what "domain" so to say it's receiving. Note that an IP address can be the domain, but then IIS needs to know that that single IP address needs to be bound to the one kentico site, and you'll have a hard time hosting others unless you add some Port to the IP address (such as say 192.168.1.1 is your IIS server internally, 192.168.1.1:89 => Test1 site, 192.168.1.1:90 => Test2 site)

If you can remote onto the server, you can use WireShark to test incoming requests, to see what your proxy is sending to the server.

0 votesVote for this answer Mark as a Correct answer

steve reinders answered on February 12, 2018 14:47

Thank you Trevor. We had to schedule testing.

We added the server IP address to IIS Site Bindings 2 ways ... : 1) ... on their own line for ports 80 and 443. When accessing by IP address Kentico responded with Invalid License key Requested URL: http://192.188.254.215 License status: Missing License Which is understandable since there wasn't a domain in the Site Bindings 2)... on the line with the domain. When accessing by IP address IIS (Kentico) did not respond. It still responds to the domain.

In both cases we did an iisreset.

What do you think ? Without having a reverse proxy we're looking at having to increase capabilities on firewall as well as adding "URL rewrite" module on IIS.

Thanks

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on February 12, 2018 17:28

Can you try to get a license key for the IP from Kentico? You should be able to request an alias key and explain the reasoning.

0 votesVote for this answer Mark as a Correct answer

steve reinders answered on February 12, 2018 17:49

It is a dev license from Kentico and applied to the K10 instance. We are testing before we adjust IIS in production.

The line in IIS Site Bindings looks like

Type    http
Host    dev.domain.org
Port    80
IP Address  192.188.254.1

did an iisreset . 192.188.254.1 is the server address

It does not respond to the ipaddress but does respond to dev.domain.org

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on February 12, 2018 17:55

You'll want to add a non-host binding, just put for the host 192.188.254.1 and that should signify to IIS that if it receives JUST the IP address, to render this. However if this is the IP address of the server, you'll want to add your ports that should direct to the right spot.

Again IIS looks at the incoming information's HOST name and Port to figure out what site to render, so if it's set to look for "dev.domain.org" and it only gets 192.188.251.1:89 or 192.168.1.1:89, it can't figure out which to render. You need to tell it "hey, also look for just 192.188.251.1:80" and "192.168.1.1:89"

0 votesVote for this answer Mark as a Correct answer

steve reinders answered on February 12, 2018 17:59

We tried that and it says Invalid license key and says to add a licence. Does the server's IP address need to be a license also ?

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on February 12, 2018 18:01

Yup, whatever the address is that is being passed to your server, kentico needs a license key. So if it says "There's no licence key for 192.188.251.1" then you need to get an alias license key from Kentico for that IP address. It's similar to how that's needed for web farms.

They should be able to help you out.

Also make sure the Kentico > Site has a domain alias of that IP address too so kentico knows which site to render.

0 votesVote for this answer Mark as a Correct answer

steve reinders answered on February 12, 2018 18:04

So, do you know, for production, if we have domain.org and 192.188.254.1 does that count as 2 production licenses ? Do we check with our rep ?

0 votesVote for this answer Mark as a Correct answer

Trevor Fayas answered on February 12, 2018 19:39

Kentico has been great with understanding what are really "additional sites" and what are domain aliases for special cases like this. while there are automatic licenses included with the main (dev., staging., etc) you can request an alias for your 192.188.254.1 and i can't imagine they would say no. You aren't hosting another site, you are just needing another license for your proxy work around. Ask, shouldn't have a problem getting it!

0 votesVote for this answer Mark as a Correct answer

steve reinders answered on February 13, 2018 17:59

The developer is concerned that the apache proxy will "break" kentico functionality based on these posts:

https://devnet.kentico.com/forums?forumid=65&threadid=32330

http://ideas.kentico.com/forums/239189-kentico-product-ideas/suggestions/3464794-enable-reverse-proxy-scenarios-for-targeting-and-a

However, the posts are older and may not apply to K10.

Can you verify that K10's GEO and analytics will still work ? This would mean add'l work by the developer, work order, contract, etc.

Thanks

0 votesVote for this answer Mark as a Correct answer

Development Support Avastonetech answered on February 13, 2018 20:49 (last edited on February 13, 2018 20:49)

0 votesVote for this answer Mark as a Correct answer

steve reinders answered on February 28, 2018 18:22

We found that there were no apparent problems with K10 behind the apache rev proxy. Apache adjusted the headers accordingly. Thank you very much for your help.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.