Port stripped from request when behind a reverse proxy

This has been one of the most educational issues of the year. Reading this thread has been like getting a master class on the nuances of how reverse proxies are supposed to work. Congratulations to @josevimlet on perseverance and a successful implementation.

@eivantsov - do you think there is any value in packaging up the instructions at the end here as a short doc page, or maybe just a short tutorial page?

Good news, I finally managed to get it working behind the Wildfly as a custom reverse proxy with authentication and load balancing.

First, thanks a lot to @eivantsov and @benoitf for your help I really appreciate it, I believe you’ll find pleasing someone using a Redhat server for this purpose ❤️ .

I was on the right track with the the wildcard thing, after studying the Nginx API and @benoitf example, I did my best to port it to Wildfly, and finally I managed to get things working…

The problem was with the fix I used for the port strip issue, rewriteHostHeaders = true, that was messing with the Host header, that’s needed when wildcards (nip.io) where used. I did a nasty quick fix for it with boolean rewriteHostHeader = !exchange.getHostName().contains("nip.io"); to do the rewrite only on the cases that arent nip.io, but I’m planning to tune a lot this approach to create a better solution.

Here are the steps to solve the problems I encountered for using Eclipse Che behind a Wildfly reverse proxy, thou I imagine most of this steps apply to other servers too, hopefully someone will find this useful.

Poxy setup:

1. Create a reverse proxy, in my case I used Undertow LoadBalancingProxyClient and ProxyHandler in a custom handler module for undertow that I wrote. (Note that ProxyHandler parameter rewriteHostHeader fixes port strip issue but mess wildcards used by Che single port mode, so I used the approach described above)

Here is the main code:

        // Proxy the request
        boolean rewriteHostHeader = !exchange.getHostName().contains("nip.io");
        boolean reuseXForwarded = false;
        final ProxyClient proxyClientProvider = new LoadBalancingProxyClient().addHost(URI.create("<CHE_IP_AND_PORT_HERE>"));        
        final HttpHandler handler = new ProxyHandler(proxyClientProvider, 30000, ResponseCodeHandler.HANDLE_404, rewriteHostHeader, reuseXForwarded);;
        
        exchange.dispatch(handler);

1. Added the following headers: X-Forwarded-For: <client_ip> Host: <request_host> X_Forwarded_Proto: http

and the typical CORS headers to allow all (Optional, but just in case)

1. Removed X-Frame-Options header (Once again, just in case)

Eclipse Che setup:

1. Enabled single port mode
2. Set che docker external IP

here is the command to do it directly through the command line although you could also edit che.env

docker run -it —rm -e CHE_SINGLE_PORT=true -e CHE_DOCKER_IP_EXTERNAL=<YOUR_WAN_IP_OR_DNS> -v /var/run/docker.sock:/var/run/docker.sock -v /home/che:/data  eclipse/che start

NAT:

1. Forward your WAN IP to your proxy LAN IP on the same port as CHE_PORT, not sure why but I had issues with nip.io when using a different port (I’ll look at this asap).

Notes:

1. When using CHE_SINGLE_PORT, Che diagnostics will fail.
2. When implementing some sort of authentication bare in mind that request from nip.io come from a different domain and things like session or cookie based authentication will fail. I currently bypass this issue white-listing the authenticated IP + User-Agent thou this solution has its own drawbacks, a better alternative would be to use your own wildcard on the same domain so cookies could propagate in ajax calls, but i’m afraid this wont work unless XMLHttpRequest.withCredentials is set to true on all client XMLHttpRequest, a PR for this would be nice.

And that’s all, hope this help someone to get things going ^^