Octopus deploy behind reverse proxy does not open login correctly

(g.bunce) #1

I’m trying to set up octopus deploy to run behind a reverse proxy. I’ve tried with TMG and now with IIS/ARR and get the same problems.

I can get the rewrite to octopus working but then the login page fails. It gets stuck on “loading, please wait” and a broken image link for the UI.

I looked at this: https://octopus.com/docs/administration/security/exposing-octopus/use-iis-as-reverse-proxy but it doesn’t help at all, as it suggests this is simply for HTTPS redirects. I’m using the reverse proxy to take one URL and rewrite it to another (Eventually I wish to take http://deploy.hostserver.com and rewrite to http://servername:port but for this test I’m using http://localhost/octopus)

A rewrite or redirect rule breaks in the same way

My ARR rule is:

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="^(.*)octopus" />
                    <action type="Rewrite" url="http://[hostname]:[port]/app#/users/sign-in" logRewrittenUrl="true" />
                    <conditions>
                    </conditions>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

(where hostname is the real host name and port is the open port). I can navigate to this URL fine from a browser on the proxy server.

I have tried a url of http://[hostname]:[port] and http://[hostname]:[port]/app and a rule of:

<action type="Rewrite" url="http://[hostname]:[port]/{R:1}" logRewrittenUrl="true" />

This last rule seems to start the UI correctly but then I got a “Unable to connect to the Octopus Server. Is your server online?” and a detailed error of:

There was a problem with your request.

Unhandled error when communicating with the Octopus Deploy server. The server returned a status of: 404

FullException: SyntaxError: Unexpected token < in JSON at position 0"

The fact it fails in two different products (TMG and IIS/ARR) suggests there is something odd about the internal redirects octopus does to startup.

Do I need an outbound rule too (esp. in the context where I have a URL of [host]/octopus to invoke the rewrite)?

(Justin Walsh) #3

Hi @g.bunce!

From the looks of this, it looks like perhaps your rewrite rule here might be a little too greedy, not allowing access to the Octopus API (SERVER_NAME/api), which is what’s causing the error.

The FullException: SyntaxError: Unexpected token < in JSON at position 0 error you’re seeing is when the server is returning HTML when it expects a JSON response from the API.

I hope this helps.

(g.bunce) #4

Hi Justin

Sorry, but I can’t work out what I need to add from your comment…

If octopus is running (as it happens in a container) on http://nn.nn.nn.nn:81 and I want to direct a URL of http://externalserver.com/octopus to this internal IP address then surely I want to redirect everything related to octopus to that IP address. Any internal URL to the api that octopus needs should not be http://nn.nn.nn.nn:81/api but rewritten to http://externalserver.com/octopus/api?

Are you saying I need to add an exclusion for /api in the main rule and an additional rule for /api to point somewhere else?

This rule works fine:

            <rule name="ReverseProxyInboundRule2" stopProcessing="true">
                <match url="(.*)" />
                <action type="Rewrite" url="http://[hostname]:[port]/{R:1}" />
            </rule>

But this isn’t good enough as this routes a root call to octopus (http://external.com) not a path (http://external.com/path)

These rules end up in a blank screen

            <rule name="deploy" stopProcessing="true">
                <match url="^(.*)deploy" />
                <action type="Rewrite" url="http://[hostname]:[port]/{R:1}" />
            </rule>
            <rule name="deploy2" stopProcessing="true">
                <match url="^(.*)api" />
                <action type="Rewrite" url="http://[hostname]:[port]/api/{R:1}" />
            </rule>

So I’m at a loss to understand just what octopus is trying to do here to load up its UI
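
Added example, not part of any post in the thread: a small JavaScript model of how IIS URL Rewrite fills `{R:1}` for the rules quoted above. It shows that `^(.*)octopus` captures the text before `octopus`, so the path after it is dropped, and that a request to `/api` matches no `octopus` rule at all. The request paths and the `prefix-strip` comparison rule are constructed; the model assumes default rule settings (ECMAScript patterns, case-insensitive, input path without its leading slash).

```javascript
// Model of an IIS URL Rewrite inbound rule (assumed defaults: ECMAScript
// pattern, ignoreCase=true, input is the URL path without its leading slash).
const BACKEND = "http://[hostname]:[port]"; // placeholder exactly as in the thread

// Rules as quoted in the thread, plus one constructed comparison rule.
const RULESETS = {
  "post #1 ({R:1} variant)": [
    { match: "^(.*)octopus", action: BACKEND + "/{R:1}" },
  ],
  "post #4 catch-all": [
    { match: "(.*)", action: BACKEND + "/{R:1}" },
  ],
  "post #4 blank screen": [
    { match: "^(.*)deploy", action: BACKEND + "/{R:1}" },
    { match: "^(.*)api", action: BACKEND + "/api/{R:1}" },
  ],
  // Constructed, not from the thread: captures what FOLLOWS the prefix.
  "prefix-strip (constructed)": [
    { match: "^octopus(?:/(.*))?$", action: BACKEND + "/{R:1}" },
  ],
};

// Returns the rewritten URL, or null when no rule matches and IIS answers
// the request itself. The first matching rule wins (stopProcessing="true").
function rewrite(rules, requestPath) {
  const input = requestPath.replace(/^\//, "");
  for (const rule of rules) {
    const m = new RegExp(rule.match, "i").exec(input);
    if (m) {
      // {R:n} is capture group n of the match; an unmatched group is empty.
      return rule.action.replace(/\{R:(\d+)\}/g, (_, n) => m[Number(n)] ?? "");
    }
  }
  return null;
}

// Constructed request paths: the proxied prefix, the UI, and the API.
const SAMPLE_PATHS = ["/octopus", "/octopus/app", "/octopus/api", "/deploy/api", "/api"];

for (const [name, rules] of Object.entries(RULESETS)) {
  console.log(name);
  for (const p of SAMPLE_PATHS) {
    console.log("  " + p.padEnd(14) + " -> " + (rewrite(rules, p) ?? "(no match)"));
  }
}
```

In the output, every path under `/octopus` maps to the backend root for the post #1 rule and `/api` is left to IIS, which fits the 404 and the HTML-instead-of-JSON error described in the replies.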