Latest version (3.5.5) appears to fail rendering data

Jared Wiltshire

I also cannot replicate the problem. Make sure you select a point that is enabled and polling.

AldoRamos

Curious. I checked the console, and found the following error:

WebSocket connection to 'wss://external.mangoserver.com/rest/v1/websocket/point-value' failed: Error during WebSocket handshake: Unexpected response code: 403

This goes through an Apache proxy, which has been working fine up until this upgrade.

So I connected directly using a VPN, and sure enough it works fine.

This is a Mango installation running behind a firewall, for various reasons, using the proxy to make it visible to the world. What can be done to get the proxy working again?

Jared Wiltshire

@aldoramos said in Latest version (3.5.5) appears to fail rendering data:

Curious. I checked the console, and found the following error:
This goes through an Apache proxy, which has been working fine up until this upgrade.

Ah this information would have been useful at the start. Please post your ma.log file so we can see where things might be going wrong.

https://help.infiniteautomation.com/reporting-bugs/

It seems your proxy is not configured correctly to pass the authentication through to the end destination, I cannot comment on whether your configuration worked in the past or not... however I can say that nothing changed around authentication in Mango from 3.5.0 to 3.5.5. What version did you upgrade from? Are you positive that it used to work? Are you using mod_proxy_wstunnel on your Apache proxy?

MattFox

It would also pay to see your env.properties file. CORS needs to be enabled to allow proxy based control.
Happy to help as I've got SSL over proxy working for 3.5.5

Jared Wiltshire

@mattfox said in Latest version (3.5.5) appears to fail rendering data:

CORS needs to be enabled to allow proxy based control.

I don't think this is correct, if it is I think it might be a bug. Can you explain more about your configuration and why you think you need CORS?

MattFox

Nothing Worked without it - 3.4.1 wouldn't work with SSL until I turned the cors on. Since it works I'm not tinkering with it:
My config:

#Cross Origin Request Handling
rest.cors.enabled=true
rest.cors.allowedOrigins=*
rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE
rest.cors.allowedHeaders=content-type,x-requested-with,authorization
rest.cors.exposedHeaders=
rest.cors.allowCredentials=true
rest.cors.maxAge=3600

Not interested in any more bugs. This didn't work with 3.5.4. Wasn't happy with telling customers that the SSL was broken and they had to knock off the https in order to log in.

apache2 proxy settings:

DocumentRoot /opt/mango/overrides/web/modules/mangoUI/web

SSLProxyEngine On
  ProxyRequests Off
  ProxyPreserveHost On

# for a http server
Protocols h2c http/1.1
ProxyPass /.well-known !

RewriteEngine on
 RewriteCond %{HTTP:Connection} Upgrade [NC]
 RewriteCond %{HTTP:Upgrade} websocket [NC]
 RewriteRule /(.*) ws://127.0.0.1:8080/$1 [P,L]



	<Location />
            ProxyPass http://127.0.0.1:8080/
            ProxyPassReverse /
        </Location>

AldoRamos

I apologize for not mentioning the proxy. I didn't even think of it, since it had been working previously (and in development I often switch back and forth between proxy and VPN).

I believe I upgraded from 3.4.1 (no longer have logs to confirm exactly). But I explicitly tested that page before & after to confirm this change in behavior.

The ma.log shows nothing relevant (no entries except for JSON File Import Job.)

@MattFox adding CORS configuration made no difference (except locking me out until I opened it up globally).

Adding the following configuration to the VirtualHost configuration fixes it:

    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /(.*) ws://internal.mangoserver.com:8080/$1 [P,L]

I apologize for the confusion, but due to some similar issues with another Mango server, I explicitly tested it with this configuration before and after upgrading, which is why I listed the symptoms (and my diagnosis) as I did.

Bottom line, it's working. Why? uhh.... It's working! ;-)

AldoRamos

@mattfox Yes, the proxy configuration is exactly what I needed. The CORS configuration didn't seem to help.

MattFox

Well at least that's sorted i'm happy. Forgive the irritated post Jared, it's been a difficult few weeks surrounding Mango data handling related issues.

Edit: The above virtual host config I have there works with l;etsEncrypt so you can just set and forget. Just make sure you add the

ProxyPass /.well-known !

in the SSL version of your config if you have forced redirect to SSL in order for letsencrypt to update

AldoRamos

I take it back, @MattFox ; apparently the CORS configuration IS necessary. Suddenly found it failing again, and sure enough enabling CORS did the trick.

I really do go through these tests in a methodical manner, but somehow I'm losing the sequence today.

Thanks to all who helped me get through this.

Jared Wiltshire

I might try and setup a Apache reverse proxy and figure out what is going on here. I still don't think that CORS should be necessary, I believe you that it fixes the problem however I don't think its the correct solution. In fact allowing any origin with allow credentials poses a security risk so I'd like to get it sorted out for you guys.

phildunlap

Have you been setting the HTTP origin header in your proxy?

We have sites running behind an Apache proxy, and the live-chart on 3.5.5 doesn't seem to have an issue. CORS is not enabled. Here is an example of the Apache config with a wildcard SSL certificate being used,

ServerName servername.host.extension
ProxyPass / http://172.16.3.4/
ProxyPassReverse / http://172.16.3.4/
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://172.16.3.4/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://172.16.3.4/$1 [P,L]
ProxyPreserveHost off
RequestHeader set Origin "http://servername.host.extension"
Header edit Location ^http://servername.host.extension https://servername.host.extension
SSLProxyEngine On
SSLEngine on
SSLCertificateFile /path/to/host.extension.crt
SSLCertificateKeyFile /path/to/host.extension.key
SSLCertificateChainFile /path/to/host.extension.ca-bundle
ProxyRequests on

MattFox

What version of apache is that? I don't think my version allows some of those settings

phildunlap

2.4.x

What settings would it not allow?

MattFox

RequestHeader

phildunlap

Loading mod_headers in your apache config? https://httpd.apache.org/docs/current/mod/mod_headers.html

Or maybe you just need to symlink it into mods-enabled and reload ?

MattFox

That will likely be it, thanks Phil!