Solved

When I logout the returnurl is missing the /indicium/ directory what is causing it?

  • 22 September 2022
  • 18 replies
  • 128 views

Userlevel 4
Badge +4
  • Thinkwise Local Partner Brasil
  • 176 replies

Hi. 

I thought I got all working on linux, but I found out that when I logout the return URL is missing /indicium/ in its path. Where do I set this or what is causing this?

https://server.lef.tec.br/indicium/account/ui/logout?returnurl=https://server.lef.tec.br

icon

Best answer by Dick van den Brink 28 September 2022, 08:02

View original

18 replies

Userlevel 6
Badge +3

Hello Freddy,

Try setting the ExternalPathBase to /indicium, this should fix your problem.

https://docs.thinkwisesoftware.com/docs/deployment/indicium_configuration#changing-the-path-base-of-indicium

I hope this helps.

Userlevel 6
Badge +3

Upon closer review, I don't think that there's an /indicium/ segment missing in the return URL at all. The return URL is supposed to point to the Universal GUI, not Indicium. And this value is supplied by the Universal GUI itself, I don't think that it's missing any segments.

Can you confirm that your Universal GUI is located at https://server.lef.tec.br?

If so, what is the problem that you are facing? Perhaps it is unrelated to the URL.

Userlevel 4
Badge +4

Hello Freddy,

Try setting the ExternalPathBase to /indicium, this should fix your problem.

https://docs.thinkwisesoftware.com/docs/deployment/indicium_configuration#changing-the-path-base-of-indicium

I hope this helps.

it's defined.. but problem persists. 

Userlevel 4
Badge +4

Upon closer review, I don't think that there's an /indicium/ segment missing in the return URL at all. The return URL is supposed to point to the Universal GUI, not Indicium. And this value is supplied by the Universal GUI itself, I don't think that it's missing any segments.

Can you confirm that your Universal GUI is located at https://server.lef.tec.br?

If so, what is the problem that you are facing? Perhaps it is unrelated to the URL.

 

The problem is that when in de Universal GUI (which is located on the mentioned URL) I choose to logout, the browser goes to https://server.lef.tec.br/indicium/account/ui/logout I presume (the network tab gets cleared to fast to see the actual URL), and then it goes to https://server.lef.tec.br/account/ui/logout with referrer URL https://server.lef.tec.br/indicium/account/ui/logout?returnurl=https://server.lef.tec.br 

So at some point then it adds the account/ui/logout if the returnurl should be the place of Universal.  

Userlevel 6
Badge +3

Hello Freddy,

You can check the Preserve log checkbox in the developer tools to prevent the network tab from being cleared after a redirect.

 

I think that it's best to report a ticket for this problem and attach a .har to it containing all of the redirects that occur.

Userlevel 4
Badge +4

Hello Freddy,

You can check the Preserve log checkbox in the developer tools to prevent the network tab from being cleared after a redirect.

 

I think that it's best to report a ticket for this problem and attach a .har to it containing all of the redirects that occur.

Ok. I'll issue a ticket with the HAR file. (85818)

Userlevel 6
Badge +3

Hello Freddy,

I missed this in one of your previous answers, but you don't have the AllowedHeaders configured in your ReverseProxy settings. It should look like this:

"ReverseProxy": {
"Enabled": true,
"ExternalPathBase": "/indicium",
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto"
]
}

I know that in a previous topic you wrote that you removed these settings in order to make the redirects work properly, but I don't think that this was the right way to fix your problem. Instead, I think you might also be missing some settings to have your reverse proxy send the X-Forwarded-Host and X-Forwarded-Proto headers to Indicium.

If you are using nginx as a reverse proxy, then you can configure these headers in the configuration file like this:

proxy_set_header X-Forwarded-Host $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Please check our Docker deployment guide here. Even though you're not using Docker, all of the relevant configurations that you need are listed here as well.


I hope this helps.

Userlevel 4
Badge +4

Hello Freddy,

I missed this in one of your previous answers, but you don't have the AllowedHeaders configured in your ReverseProxy settings. It should look like this:

"ReverseProxy": {
"Enabled": true,
"ExternalPathBase": "/indicium",
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto"
]
}

I know that in a previous topic you wrote that you removed these settings in order to make the redirects work properly, but I don't think that this was the right way to fix your problem. Instead, I think you might also be missing some settings to have your reverse proxy send the X-Forwarded-Host and X-Forwarded-Proto headers to Indicium.

If you are using nginx as a reverse proxy, then you can configure these headers in the configuration file like this:

proxy_set_header X-Forwarded-Host $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Please check our Docker deployment guide here. Even though you're not using Docker, all of the relevant configurations that you need are listed here as well.


I hope this helps.

 

Hi Vincent, 

I've added the allowed headers again. And the Nginx configuration already had these headers you've mentioned. I do not get the errors like before (so that must have had another cause).. but it doesn't redirect me back to the Universal anymore. I get to the logout page and there it stays. Clicking on the link get's me to the Indicum login page not the Universal login page. And when I login there I get the same problem as before … it opens https://191.34.68.205/indicium/ (my IP address) instead of the server. 

I must be missing something here.. 

 

 

Userlevel 3
Badge +1

Hi Freddy,

I didn't have the time to try it yet, but I was checking the NGINX documentation.

In the docker guide, we set `proxy_set_header X-Forwarded-Host $proxy_add_x_forwarded_for` but that seems wrong to me. I need to check that if everything is ok there (and ask if someone can update the guide). The reason the docker guide is working, is because it is forcing the host header with: `proxy_set_header Host $host` (and I think it is not using the Reverse proxy settings in Indicium).

Can you change the line in the configuration to `proxy_set_header X-Forwarded-Host $host` (instead of the $proxy_add_x_forwarded_for)?

I will create a reproduction environment in the meantime.

Userlevel 4
Badge +4

Hi Freddy,

I didn't have the time to try it yet, but I was checking the NGINX documentation.

In the docker guide, we set `proxy_set_header X-Forwarded-Host $proxy_add_x_forwarded_for` but that seems wrong to me. I need to check that if everything is ok there (and ask if someone can update the guide). The reason the docker guide is working, is because it is forcing the host header with: `proxy_set_header Host $host` (and I think it is not using the Reverse proxy settings in Indicium).

Can you change the line in the configuration to `proxy_set_header X-Forwarded-Host $host` (instead of the $proxy_add_x_forwarded_for)?

I will create a reproduction environment in the meantime.

That did the trick. I can logout and it redirects me correctly to the Universal again. 

Thanks! 

Userlevel 6
Badge +3

Hello Freddy,

Thank you for your quick response. We will update our Docker Deployment guide as soon as possible.

Userlevel 4
Badge +4

Hi Freddy,

I didn't have the time to try it yet, but I was checking the NGINX documentation.

In the docker guide, we set `proxy_set_header X-Forwarded-Host $proxy_add_x_forwarded_for` but that seems wrong to me. I need to check that if everything is ok there (and ask if someone can update the guide). The reason the docker guide is working, is because it is forcing the host header with: `proxy_set_header Host $host` (and I think it is not using the Reverse proxy settings in Indicium).

Can you change the line in the configuration to `proxy_set_header X-Forwarded-Host $host` (instead of the $proxy_add_x_forwarded_for)?

I will create a reproduction environment in the meantime.

 

Well I do have another question.. because this solution worked for our cloud deployment on Ubuntu Server. However I have a local installation as well on a Mac OS server and there this setup doesn't work. I'm guess it then has something to do with docker. On the Mac OS server SQL and Indicium are running via docker, but the webserver (Nginx) however is not. 

When I logout there: https://ffsei/indicium/account/ui/logout?returnurl=https://ffsei

It ends up https://ffsei/account/ui/logout .. which doesn't exist. 

Any clue here? 

 

@Dick van den Brink @Vincent Doppenberg 

Userlevel 3
Badge +1

This looks similar to the issue above that the ` "ExternalPathBase": "/indicium"` needs to be configured. Is this configured correctly? 

Userlevel 4
Badge +4

This looks similar to the issue above that the ` "ExternalPathBase": "/indicium"` needs to be configured. Is this configured correctly? 

Yes. I've aligned the configs and app settings.. so this is set correctly. But on the Mac OS server it doesn't quite react the same. 

Userlevel 3
Badge +1

Hi Freddy, 

The only way I think this can happen is that you have the x-forwarded-host correctly configured in the appsettings.json for the AllowedHeaders section but the `Host` header is missing in your NGINX configuration.

 

Is the `proxy_set_header Host $host;` correctly set? (Probably you did, but just to make sure).

Also, I was checking the ASP.NET Core code, do you see a warning in the Indicium log by any change? Maybe you need to set the Default LogLevel for your "ErrorLog” to Warning for it to show up.

 

Edit 

Is there a difference in the setting for the `server_name` between the Linux and the Mac OSX nginx config? It should grab the host from the request but maybe it get lost somewhere and the fallback will be the server_name setting.

I am aware this problem sounds unrelated to the host value, but the `ExternalPathBase` setting is only working if the host headers are configured correctly.

Userlevel 4
Badge +4

I think it's correct, and I don't get any message in Indicium log when logging out, even with default loglevel on warning. 

NGINX Config

user  nobody;
worker_processes 1;

error_log logs/error.log warn;
pid logs/nginx.pid;

events {
worker_connections 1024;
}


http {
include mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log logs/access.log main;

sendfile on;
keepalive_timeout 65;
gzip on;

# HTTP server
#
server {
listen 80 default_server;
server_name local host ffsei;

return 301 https://$host$request_uri;
}

# HTTPS server
#
server {
listen 443 ssl;
server_name local host ffsei;

ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;
ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;

location / {
root html;
index index.html index.htm;
}

location /indicium/ {
proxy_pass http://local host:5000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
}

}
include servers/*;
}

Appsettings


{
"Logging": {
"LogLevel": {
"Default": "Warning",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
},
"ApplicationInsights": {
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
}
},
"ErrorLog": {
"PathFormat": "Indicium-{Date}.txt",
"LogLevel": {
"Default": "Error"
}
}
},
"MetaSourceConnection": {
"Server": "local host",
"Database": "THINKWISE_IAM",
"PoolUserName": "sa",
"PoolPassword": "password"
},
"ReverseProxy": {
"Enabled": true,
"ExternalPathBase": "/indicium",
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto"
]
},
"Agent": {
"Enabled": true
}
}


 

Userlevel 3
Badge +1

Hi Freddy,

The configuration looks fine to me. I don't see the cause yet.

Can you validate that http://local host:5000/indicium/ is working for you (so with the /indicium/ path and bypassing nginx)?
Does `docker exec -it indicium cat /app/appsettings.json` show the reverse proxy settings? (To validate that the docker container was rebuild correctly). Probably it is, but just to make sure.

On your Linux machine, you were using NGINX also in Docker. Does it work if you also use that on your Mac machine? Or is that not possible to setup?

Userlevel 4
Badge +4

Hi @Dick van den Brink , 

I'll post below the results.

Indicium:

 

verification appsettings. (btw. when restarting indicium it doesn't take the new appsettings.. I really need to rebuild it). 

ffsei@FFSEI indicium % docker exec -it indicium cat /app/appsettings.json
{
"Logging": {
"LogLevel": {
"Default": "Warning",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
},
"ApplicationInsights": {
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
}
},
"ErrorLog": {
"PathFormat": "Indicium-{Date}.txt",
"LogLevel": {
"Default": "Error"
}
}
},
"MetaSourceConnection": {
"Server": "192.168.15.42",
"Database": "THINKWISE_IAM",
"PoolUserName": "sa",
"PoolPassword": "password"
},
"ReverseProxy": {
"Enabled": true,
"ExternalPathBase": "/indicium",
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto"
]
},
"Agent": {
"Enabled": true
}
}
ffsei@FFSEI indicium %

 

On my LInux machine nothing runs on docker except the Machine Learning. 

 

So it's still like this:

  • I log in and go the the IAM in this case. 
  • And then I log out it redirects me to the /indicium/account/ui/logout. 

In the indicium log:

dbug: Indicium.Middleware.ReverseProxy.ReverseProxyChangePathBaseMiddleware[0]
      Host modified by forwarded middleware, changing PathBase to: /indicium

 

However it doesn't automatically redirects me back to / (root) (which I would expect)

THen from the /indicium/account/ui/logout screen I can login again, and then it redirects me to my local IP address /indicium..   

 

Reply