Youtrack 6.5 behind a webseal reverse-proxy

Hi,

We are currently evaluating Youtrack at my company, and we are now trying to move our Youtrack instance behind a reverse proxy, which is in charge of SSL termination.

Youtrack is started with the following java parameter : -Djetbrains.youtrack.baseUrl=https://ci-tools.in.internal.lu/youtrack/middleware

 

Most of the customization needed seems to be ok (the setUp screen displays correctly, with all resources being accessed correctly via the reverse proxy), but we are struggling with one problem related to JavaScript: when an action is performed on the setUp page (such as clicking on a checkbox), an XMLHttpRequest is sent to /_events?window_id=12 (instead of /youtrack/middleware/_events?window_id=12)

We do not understand why these particular requests are failing to use the correct baseUrl, and we were hoping someone could give us some details about it.

10 comments
Official comment

Hello Andre,

Am I right that you're using the JAR distribution?

Could you please provide me with your proxy configs? Config samples can be found here https://confluence.jetbrains.com/display/YTD65/Configuring+Proxy#ConfiguringProxy-JAR . Commonly, you need to check that forwarding is assigned correctly.


Hello Andrey,

I am indeed using the jar distribution. It is launched with the following parameters:

exec java -Xmx1g -XX:MaxPermSize=250m -Djava.awt.headless=true -Djetbrains.youtrack.baseUrl=https://ci-tools.in.internal.lu/youtrack/middleware -Djetbrains.mps.webr.log4jPath=/opt/youtrack/log4j.xml -jar youtrack.jar 8080

 

The webseal proxy config listens on a https port, and the /youtrack/middleware "junction" (as they are called in webseal) redirects to port http://youtrackserver:8080 .

 

We are able to have access to the youtrack application, so that confirms that globally the configuration is correct. But as we are encountering the strange behavior described in my previous post, we are beginning to think that the lack of support for websockets in webseal could be the root cause of this problem.

 

Are my answers precise enough to give you a closer view on the issue?

0

Hello Andre,

I'd advise trying the following:

1. Change start command to exec java -Xmx1g -XX:MaxPermSize=250m -Djava.awt.headless=true -Djetbrains.youtrack.baseUrl=https://ci-tools.in.internal.lu/youtrack/middleware -Djetbrains.mps.webr.log4jPath=/opt/youtrack/log4j.xml  -jar youtrack.jar 8080/youtrack/middleware

2. Change proxy redirect rule to http://youtrackserver:8080/youtrack/middleware

0

Hello Andre,

Thank you for details.

YouTrack doesn't use websockets, so it looks like Webseal should be set up somehow in a different way. I've created a task for this, please watch for updates https://youtrack.jetbrains.com/issue/JT-34514 .

Is it possible for you to set up YouTrack behind Nginx or Apache in the meantime?

0

Hi,

Thanks for your feedback.

I tried Evgeny's suggestions once again (I already tried in the past) but I have exactly the same behavior: I can access Youtrack, but as soon as I click on the "Accept License" checkbox or the Save button, I get a "Connection Restored" warning displayed on top of the page.

In the logs, I did not find anything particular except for the fact that Youtrack is unable to reach www.jetbrains.com, as our server does not have any internet access. Could this be a problem?

 

At reverse proxy level, are there any http headers that are mandatory for Youtrack when behind a rp ? 

 

In regards to temporarily using Nginx or Apache, it is not a solution, because our Webseal is a central element in our architecture, connected to our Active Directory and other security related stuff. (the Webseal RP is in fact part of the ISAM product from IBM)

Here is a screenshot of the situation:

If there are any details that could be useful to you or for us debugging, do not hesitate to ask, I will be glad to look for them.

0

Hello Andre,

Thank you for details. Internet connection is not required. Still there are some external requests, like version check, but they shouldn't be mandatory.

Could you please record HAR as guided here https://youtrack-support.jetbrains.com/hc/en-us/articles/206546369-When-we-ask-you-to-provide-additional-details-logs-database-HAR-etc-

As for HTTP headers, they are specific for each server, as demonstrated in the following samples https://confluence.jetbrains.com/display/YTD65/Configuring+Proxy .

0

Hello Andrey,

 

My question about the http headers was more youtrack related, for knowing if youtrack depends on some of those headers or not at all. In Webseal, I can activate many headers, but I wanted to know which ones are mandatory (or not).

 

You will find a HAR recording here: https://www.dropbox.com/s/majr4dro9skwqjg/ci-platform.inprod.ept.lu.har.zip?dl=0

It seems very strange to me that the _events requests are made at "https://ci-platform.inprod.ept.lu/_events?window_id=17" , and not with the correct base url. Even more strange : I don't understand at the moment how Webseal does it, but the requests to "https://ci-platform.inprod.ept.lu/_events?window_id=17" are correctly forwarded to Youtrack, as I am able to see them in the console log.

 

0
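The symptom discussed above (same-host requests such as /_events that leave the junction path) can be pulled out of a HAR recording mechanically. The following is an added example, not part of the original thread or of YouTrack; the sample entries are constructed, and only the base URL and the /_events request come from the posts.

```python
import json
import sys
from urllib.parse import urlsplit

BASE_URL = "https://ci-tools.in.internal.lu/youtrack/middleware"

def requests_outside_base(har, base_url):
    """Return (method, url, status) for same-host requests outside the base path."""
    base = urlsplit(base_url)
    root = base.path.rstrip("/")
    prefix = root + "/"  # trailing slash so "/youtrack/middleware-old" does not match
    escaped = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.hostname != base.hostname:
            continue  # other host: not routed through this junction
        if url.path == root or url.path.startswith(prefix):
            continue  # correctly prefixed with the base path
        escaped.append((req["method"], req["url"], entry["response"]["status"]))
    return escaped

def _entry(method, url, status):
    # Minimal HAR 1.2 entry; real recordings carry many more fields.
    return {"request": {"method": method, "url": url}, "response": {"status": status}}

# Constructed sample: methods, statuses and all paths except /_events are invented.
SAMPLE_HAR = {"log": {"entries": [
    _entry("GET", "https://ci-tools.in.internal.lu/youtrack/middleware/setUp", 200),
    _entry("GET", "https://ci-tools.in.internal.lu/_events?window_id=12", 200),
    _entry("GET", "https://ci-tools.in.internal.lu/youtrack/middleware-old/x.js", 200),
    _entry("GET", "https://cdn.example.invalid/lib.js", 200),
]}}

if __name__ == "__main__":
    # Usage: python har_check.py recording.har  (falls back to the constructed sample)
    har = SAMPLE_HAR
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    for method, url, status in requests_outside_base(har, BASE_URL):
        print(f"{status} {method} {url}")
```
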

Hello Andre,

> My question about the http headers was more youtrack related, for knowing if youtrack depends on some of those headers or not at all.

As for HTTP headers, YouTrack needs several of them to be set when installed behind the proxy: X-Forwarded-Host, X-Forwarded-For and X-Forwarded-Proto. 

0
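To verify what the reverse proxy actually forwards, the headers arriving at the backend can be compared against the configured base URL. This is an added example, not YouTrack or WebSEAL code; the consistency checks against the base URL are a diagnostic assumption, and the sample header sets are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

BASE_URL = "https://ci-tools.in.internal.lu/youtrack/middleware"
REQUIRED = ("X-Forwarded-Host", "X-Forwarded-For", "X-Forwarded-Proto")

def check_forwarded_headers(headers, base_url):
    """Return a list of problems found in the headers the backend received."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    base = urlsplit(base_url)
    problems = [f"missing {name}" for name in REQUIRED if not h.get(name.lower())]

    proto = h.get("x-forwarded-proto")
    if proto and proto.lower() != base.scheme:
        problems.append(f"X-Forwarded-Proto is {proto!r}, base URL uses {base.scheme!r}")

    host = h.get("x-forwarded-host")
    # Port is ignored; IPv6 literals are not handled in this sketch.
    if host and host.split(":")[0].lower() != base.hostname:
        problems.append(f"X-Forwarded-Host is {host!r}, base URL uses {base.hostname!r}")

    # Each hop must be a literal IP; values like "unknown" point at a misconfigured proxy.
    for hop in (p.strip() for p in h.get("x-forwarded-for", "").split(",")):
        if not hop:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            problems.append(f"X-Forwarded-For entry {hop!r} is not an IP address")
    return problems

# Constructed samples: a proxy that forwards nothing, and one that reports plain HTTP.
NO_FORWARDING = {"Host": "youtrackserver:8080"}
WRONG_PROTO = {
    "x-forwarded-host": "ci-tools.in.internal.lu",
    "X-Forwarded-For": "10.0.0.5, unknown",
    "X-Forwarded-Proto": "http",
}
```

Because clients can send these headers themselves, the backend should accept them only from the proxy's address, and the proxy should overwrite any values supplied by the client.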

Hi Evgeny,

Thank you very much for this precious information.

I will test as soon as I can (tomorrow I hope), and will give you feedback about the result.

0

Hi,

Unfortunately, I have given up trying to keep Youtrack behind the webseal reverse proxy.

As the server hosting our small Youtrack instance is only for internal use, we have finally decided to make that server (and the Youtrack instance on it) directly accessible, without having to cross webseal's reverse proxy and authentication.

Too bad I wasn't able to pinpoint the exact issues; it could have helped add additional info to the documentation about "exotic" reverse proxies.

 

Thanks for your support

0
