Planning Analytics

 View Only
  • 1.  Local PAW with IIS Reversed Proxy

    Posted Thu January 19, 2023 10:05 AM
    Hi there!

    We updated our PA so we can use Planning Analytics Workspace, as we also serve some other Webapps, I would like to setup IIS as reversed Proxy.

    Installation of the Container was pretty straight forward and its running on port 7777, as 80/443 will be used from IIS, now i created a Reversed Proxy Rule in IIS to fwd the hostname to port 7777, which works fine for the integrated login, but when i try to use the CAM Authentification with our Analytics Gateway, the returned address from Cognos is ending with Port 7777, how can i avoid this?

    Tried many settings but always get the PAW Port returned from Analytics.

    Thanks so far!

    ------------------------------
    Oliver Schöckl
    ------------------------------


  • 2.  RE: Local PAW with IIS Reversed Proxy

    Posted Tue January 24, 2023 05:44 AM
    Any idea how i can fix this?

    Still try but cannot solve it.

    ------------------------------
    Oliver Schöckl
    ------------------------------



  • 3.  RE: Local PAW with IIS Reversed Proxy

    Posted Wed August 16, 2023 09:38 AM

    Hi Oliver,

    just wanted to let you know - had the same requirement and solved it. 

    Let me know if you still need help in this matter.

    Michael Sommer



    ------------------------------
    Michael Sommer
    ------------------------------



  • 4.  RE: Local PAW with IIS Reversed Proxy

    Posted Mon August 21, 2023 03:48 AM

    Hi there!

    Thanks for your reply, yes this is still an open issue, would love to get some insights how you did it.

    BR

    Oliver



    ------------------------------
    Oliver Schöckl
    ------------------------------



  • 5.  RE: Local PAW with IIS Reversed Proxy

    Posted Tue August 22, 2023 04:04 AM

    Hi Oliver,

    after analyzing this some time i realized that PAW generates the return URL that is passed to CA for authentication from the host header of the requests coming in prior to authentication. So if you access PAW using http://localhost:7777 the return URL will be http://localhost:7777, if you access it using http://hostname:7777 it will be http://hostname:7777 and so on. Obviously, if the reverse proxy is creating the request to PAW it will send the request to pa-gateway using the URL configured in your forwarding rule. This results in the return URL beeing the forwarding URL configured in the reverse proxy rule. <- Not what we want!

    There are two possible solutions: 

    #1 The default solution for lots of software behind a reverse proxy that ist genrating URLs to itself are the X_FORWARDED http header variables

    HTTP_X_FORWARDED_HOST
    HTTP_X_FORWARDED_PROTO
    HTTP_X_FORWARDED_PORT

    This way you can let the application behind the reverse proxy know what the original (or intended) url was that accessed the reverse proxy.
    You can set the values dynamically from the original request header or simply like this in your reverse proxy rule:

    <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://localhost:7777/{R:1}" />
            <serverVariables>
                <set name="HTTP_X_FORWARDED_HOST" value="paw.myhost.mydomain" />
                <set name="HTTP_X_FORWARDED_PROTO" value="http" />
            </serverVariables>
        </rule>
    </rules>

    PAW recognizes this standard and creates the return URL passed to CA based on the variables if present!

    It also works with https to IIS and http to PAW (for ssl offloading) with no problems! Forwarded proto should be HTTPS then of course. HTTP_X_FORWARDED_PROTO is only necessary if you dont use port 80 for http or 443 for https.

    #2 We tell IIS to keep the original request header when forwarding requests to pa-gateway

    This is a simple an quick solution - but it may affect other services running in iis (it does work with CA, TM1Web, PMPSVC with no problems)...

    appcmd set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost

    I am using #2 currently and it works great! Let me know if it helps in your scenario, happy to help!

    Michael



    ------------------------------
    Michael Sommer
    ------------------------------



  • 6.  RE: Local PAW with IIS Reversed Proxy

    Posted Wed August 23, 2023 08:34 AM

    Hi Michael,

    Thanks a lot for a detailed answer, it's really helpful.

    I've got exactly the same reverse rule (with HTTP_X_ headers) and while logging in through CA I  get an endless login loop that keeps switching:

    https://paw.myhost.mydomain/login?cburl=%2F

    to

    https://paw.myhost.mydomain/login

    and all over again.

    You haven't seen such scenario? 

    What version of Paw / CA are you using?

    Thank you,

    Yuri



    ------------------------------
    Cheers,
    Yuri
    ------------------------------