All;
I got this to work, but let me tell you... OTRS did not want to do this.
Here is the list of things I ended up having to do. For the record, I'm running on CentOS 7, so some of your locations may be different.
On the OTRS Server:
/etc/httpd/conf.d/zzz_otrs.conf:
Swap lines 5 and 6, and change the ScriptAlias from /otrs/ to /
From:
ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
To:
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
ScriptAlias / "/opt/otrs/bin/cgi-bin/"
Reasons:
You can't just proxy from / to /otrs/, as the Perl code builds redirects based on its knowledge of the website structure (Specifically the BaseLink variable, a copy of the CGIHandle variable, which in turn is set from the SCRIPT_NAME environment variable). So when you log in to /index.pl, it redirects to /otrs/index.pl. The lines need to be reversed, because I altered the ScriptAlias to override the DocumentRoot, and Alias and ScriptAlias declarations are processed in order. Thus, Apache tries to find static content at /opt/otrs/bin/cgi-bin/opt/otrs/var/httpd/htdocs/ and fails. With the order reversed, Apache properly applies the aliases.
In System Configuration, Frontend::Base::ScriptAlias needs to change from /otrs/ to /, to match the above.
On the Proxy server:
Here are the relevant sections of the /etc/nginx/nginx.conf file:
    location /otrs-web/ {
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<ip address>/otrs-web/;
    }
    location / {
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<ip address>$request_uri;
    }
I haven't run into any problems yet, but ymmv.
Thank you,
Dominic Hilsbos
Director – Information Technology
Perform Air International Inc.
DHilsbos@PerformAir.com
300 S. Hamilton Pl.
Gilbert, AZ 85233
Phone: (480) 610-3500
Fax: (480) 610-3501
www.PerformAir.com
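An added example, not part of the original message: a variant of the nginx proxy above that forwards only the customer-facing entry points. With ScriptAlias / mapping the whole cgi-bin directory and location / forwarding every request, the agent interface at /index.pl is reachable through the proxy as well. The server name, the backend address 192.0.2.10 and the certificate paths are placeholders, and including public.pl assumes the public interface is wanted.

```nginx
# Added example. portal.example.com, 192.0.2.10 and the certificate
# paths are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name portal.example.com;

    ssl_certificate     /etc/pki/tls/certs/portal.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/portal.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Set once at server level; the locations below define no
    # proxy_set_header of their own, so they inherit these.
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # At the Internet edge, overwrite instead of appending: an
    # X-Forwarded-For value sent by the client is untrusted input.
    proxy_set_header X-Forwarded-For $remote_addr;

    # Static assets (CSS, JavaScript, images).
    location /otrs-web/ {
        proxy_pass http://192.0.2.10/otrs-web/;
    }

    # The bare hostname lands on the customer portal.
    location = / {
        return 302 /customer.pl;
    }

    # Only the customer-facing CGI entry points are forwarded.
    # Exact-match locations ignore the query string, so
    # /customer.pl?Action=... still matches.
    location = /customer.pl {
        proxy_pass http://192.0.2.10;
    }
    location = /public.pl {
        proxy_pass http://192.0.2.10;
    }

    # Everything else under cgi-bin (index.pl, installer.pl, ...)
    # is not reachable through this proxy.
    location / {
        return 404;
    }
}
```

Agents then reach index.pl only from the internal network, directly against the OTRS server.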
From: otrs [mailto:otrs-bounces@lists.otrs.org] On Behalf Of David Hess
Sent: Friday, August 31, 2018 6:19 AM
To: otrs@lists.otrs.org
Subject: [Disarmed] Re: [otrs] Proxying OTRS Customer Portal
Hi,
I have been reverse proxying otrs since version 3 behind an Apache proxy. We are currently on otrs 5, but I expect similar configurations will still work on 6. And this is for Apache, not nginx, but I am including it in case it is helpful.
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/companyname.crt
SSLCertificateKeyFile /etc/pki/tls/private/companyname.key
ServerName tickets.companyname.com
ProxyPreserveHost On
RedirectMatch ^/$ https://tickets.companyname.com/otrs/index.pl
ProxyPass /otrs-web/ http://1.1.1.1/otrs-web/
ProxyPassReverse /otrs-web/ http://1.1.1.1/otrs-web/
ProxyPass /otrs/ http://1.1.1.1/otrs/
ProxyPassReverse /otrs/ http://1.1.1.1/otrs/
</VirtualHost>
1.1.1.1 would be the LAN IP of your otrs server, and tickets.companyname.com would be the public domain name.
In my experience you run into issues if you try to completely get rid of the /otrs/ part of the path, as you need a way to differentiate between /otrs-web/ and /otrs/, but you can rename it with your proxy. Here is a configuration we are using to serve up the public interface of OTRS (specifically the survey module):
ServerName support.companyname.com
ProxyPreserveHost On
RewriteEngine On
RewriteRule ^/survey/([A-Fa-f0-9]+)/?$ /public/?Action=PublicSurvey;PublicSurveyKey=$1 [P,L]
ProxyPass /otrs-web/ http://1.1.1.1/otrs-web/
ProxyPassReverse /otrs-web/ http://1.1.1.1/otrs-web/
ProxyPass /public/ http://1.1.1.1/otrs/public.pl
ProxyPassReverse /public/ http://1.1.1.1/otrs/public.pl
SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE
Substitute "s| action=\"/otrs/public.pl\"| action=\"#\"|i"
Substitute "s| Baselink: \"/otrs/public.pl\?\"| Baselink: \"/public/?\"|i"
Substitute "s| CGIHandle: \"/otrs/public.pl\"| CGIHandle: \"/public/\"|i"
</VirtualHost>
This configuration replaces the /otrs/public.pl path with a new /public/ path, effectively hiding the fact that we are running OTRS.
Regards,
David Hess
On Thu, Aug 30, 2018 at 12:26 PM wrote:
All;
I'm going to be setting up a new OTRS 6 instance with the customer portal facing the Internet. For security purposes I will be reverse proxying the customer portal, over HTTPS, using nginx.
The default installation of OTRS has the customer portal at <hostname>/otrs/customer.pl. Since I will be reverse proxying anyway, I'd like this to appear at <hostname>/.
Are there any special directives I should include in the nginx reverse proxy configuration to smooth this setup? Has anyone done this before, and would be willing to give me some pointers?
Thank you,
Dominic Hilsbos
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs