Server behind a proxy => the designer cannot connect

Hello,

The virtual machine has access to the Internet, the platform can be accessed from the Internet, but it cannot connect to the Designer.

The error is:
“Currently, Designer application is available at https://designer.mysurvey.solutions, this address is accessed every time an HQ-user is trying to import a questionnaire to the server.
Please make sure that this URL is reachable from the server that is hosting the Headquarters app”

We use a server, behind a proxy, with the following specifications:

  • Ubuntu 22
  • Kubernetes or Docker
  • Survey Solutions v22.12.2.33795

The Survey Solutions platform does not reach the proxy server. What settings need to be implemented?

Kind regards

What is the error you are getting when connecting to the Designer from the browser in your VM?

In the browser the error is:

“Currently, Designer application is available at https://designer.mysurvey.solutions, this address is accessed every time an HQ-user is trying to import a questionnaire to the server.
Please make sure that this URL is reachable from the server that is hosting the Headquarters app”

In the logs I found this:

{“@t”:“2023-03-21T09:44:49.4741645Z”,“@m”:“Executing job "AssignmentsVerificationJob" in workspace "primary"”,“@i”:“9ce5471c”,“@l”:“Debug”,“jobType”:“AssignmentsVerificationJob”,“workspace”:“primary”,“SourceContext”:“WB.Core.BoundedContexts.Headquarters.QuartzIntegration.AsyncScopedJobDecorator”,“Environment”:“Production”,“Version”:“22.12.2.33795”,“VersionInfo”:“22.12.2 (build 33795)”,“AppType”:“Headquarters”}
{“@t”:“2023-03-21T09:44:49.4784697Z”,“@m”:“Executing job "AssignmentsVerificationJob" in workspace "cnif2023"”,“@i”:“9ce5471c”,“@l”:“Debug”,“jobType”:“AssignmentsVerificationJob”,“workspace”:“cnif2023”,“SourceContext”:“WB.Core.BoundedContexts.Headquarters.QuartzIntegration.AsyncScopedJobDecorator”,“Environment”:“Production”,“Version”:“22.12.2.33795”,“VersionInfo”:“22.12.2 (build 33795)”,“AppType”:“Headquarters”}

{“@t”:“2023-03-21T09:44:41.4488301Z”,“@m”:“Executing job "AssignmentsImportJob" in workspace "primary"”,“@i”:“9ce5471c”,“@l”:“Debug”,“jobType”:“AssignmentsImportJob”,“workspace”:“primary”,“SourceContext”:“WB.Core.BoundedContexts.Headquarters.QuartzIntegration.AsyncScopedJobDecorator”,“Environment”:“Production”,“Version”:“22.12.2.33795”,“VersionInfo”:“22.12.2 (build 33795)”,“AppType”:“Headquarters”}
{“@t”:“2023-03-21T09:44:41.4532032Z”,“@m”:“Executing job "AssignmentsImportJob" in workspace "cnif2023"”,“@i”:“9ce5471c”,“@l”:“Debug”,“jobType”:“AssignmentsImportJob”,“workspace”:“cnif2023”,“SourceContext”:“WB.Core.BoundedContexts.Headquarters.QuartzIntegration.AsyncScopedJobDecorator”,“Environment”:“Production”,“Version”:“22.12.2.33795”,“VersionInfo”:“22.12.2 (build 33795)”,“AppType”:“Headquarters”}

Where can I implement the settings for the proxy server?

@alecsamoila

This is not what I meant.

What do you get in the browser when you access the Designer site from your server?

The message in the browser is:

Could not connect to Designer. Please check if Designer is available and try again (https://surveyname.ro/primary/Template/Import)

Dear @alecsamoila,
I believe @sergiy is asking you to do the following:

  1. Login to your server (not Survey Solutions) as a normal user.
  2. Open a browser.
  3. Type designer.mysurvey.solutions into browser address bar and press ENTER.
  4. Send us what you get.

Dear sir,

I can access the virtual machine only via SSH, so I used the curl command.


From virtual machine without --insecure parameter

[root@doker-test-11 /]# curl -x http://10.ip.proxy.10:8080 https://designer.mysurvey.solutions -v

  • About to connect() to proxy 10.ip.proxy.10 port 8080 (#0)
  • Trying 10.ip.proxy.10…
  • Connected to 10.ip.proxy.10 (10.ip.proxy.10) port 8080 (#0)
  • Establish HTTP proxy tunnel to designer.mysurvey.solutions:443

CONNECT designer.mysurvey.solutions:443 HTTP/1.1
Host: designer.mysurvey.solutions:443
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<

  • Proxy replied OK to CONNECT request
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • Server certificate:
  •   subject: CN=*.mysurvey.solutions,O=World Bank Group,ST=District of Columbia,C=US
    
  •   start date: Jun 08 00:00:00 2022 GMT
    
  •   expire date: Jun 08 23:59:59 2023 GMT
    
  •   common name: *.mysurvey.solutions
    
  •   issuer: E=mail@domain.com,CN=proxy.proxy.proxy,OU=INSTITUTE,O=GOV Country,L=Bucuresti,ST=Bucuresti,C=RO
    
  • NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
  • Peer’s Certificate issuer is not recognized.
  • Closing connection 0
    curl: (60) Peer’s Certificate issuer is not recognized.
    More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.


From Kubernetes without --insecure parameter

root@survey-dep-f6785d7cd-4j69n:/app# curl -x http://10.ip.proxy.10:8080 https://designer.mysurvey.solutions -v

  • Trying 10.ip.proxy.10:8080…
  • Connected to 10.ip.proxy.10 (10.ip.proxy.10) port 8080 (#0)
  • allocate connect buffer!
  • Establish HTTP proxy tunnel to designer.mysurvey.solutions:443

CONNECT designer.mysurvey.solutions:443 HTTP/1.1
Host: designer.mysurvey.solutions:443
User-Agent: curl/7.74.0
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<

  • Proxy replied 200 to CONNECT request
  • CONNECT phase completed!
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CONNECT phase completed!
  • CONNECT phase completed!
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, unknown CA (560):
  • SSL certificate problem: unable to get local issuer certificate
  • Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above


From virtual machine with --insecure parameter

[root@doker-test-11 surveySolutions]# curl -x http://10.ip.proxy.10:8080 https://designer.mysurvey.solutions --insecure -v

  • About to connect() to proxy 10.ip.proxy.10 port 8080 (#0)
  • Trying 10.ip.proxy.10…
  • Connected to 10.ip.proxy.10 (10.ip.proxy.10) port 8080 (#0)
  • Establish HTTP proxy tunnel to designer.mysurvey.solutions:443

CONNECT designer.mysurvey.solutions:443 HTTP/1.1
Host: designer.mysurvey.solutions:443
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<

  • Proxy replied OK to CONNECT request
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • skipping SSL peer certificate verification
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Server certificate:
  •   subject: CN=*.mysurvey.solutions,O=World Bank Group,ST=District of Columbia,C=US
    
  •   start date: Jun 08 00:00:00 2022 GMT
    
  •   expire date: Jun 08 23:59:59 2023 GMT
    
  •   common name: *.mysurvey.solutions
    
  •   issuer: E=mail@domain.com,CN=proxy.proxy.proxy,OU=INSTITUTE,O=GOV Country,L=Bucuresti,ST=Bucuresti,C=RO
    

GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: designer.mysurvey.solutions
Accept: */*

< HTTP/1.1 302 Found
< Location: https://designer.mysurvey.solutions/Identity/Account/Login?ReturnUrl=%2F
< Server: Microsoft-IIS/10.0
< X-Powered-By: ASP.NET
< Date: Tue, 21 Mar 2023 10:24:56 GMT
< Transfer-Encoding: chunked
< Via: 1.1 proxy2.proxy2.com:80 (Cisco-WSA/14.5.0-537)
< Connection: keep-alive
<

  • Connection #0 to host 10.ip.proxy.10 left intact

From Kubernetes with --insecure parameter

root@survey-dep-5d7896597d-rgc4m:/app# curl -x http://10.ip.proxy.10:8080 https://designer.mysurvey.solutions --insecure -v

  • Trying 10.ip.proxy.10:8080…
  • Connected to 10.ip.proxy.10 (10.ip.proxy.10) port 8080 (#0)
  • allocate connect buffer!
  • Establish HTTP proxy tunnel to designer.mysurvey.solutions:443

CONNECT designer.mysurvey.solutions:443 HTTP/1.1
Host: designer.mysurvey.solutions:443
User-Agent: curl/7.74.0
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<

  • Proxy replied 200 to CONNECT request
  • CONNECT phase completed!
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CONNECT phase completed!
  • CONNECT phase completed!
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server accepted to use http/1.1
  • Server certificate:
  • subject: C=US; ST=District of Columbia; O=World Bank Group; CN=*.mysurvey.solutions
  • start date: Jun 8 00:00:00 2022 GMT
  • expire date: Jun 8 23:59:59 2023 GMT
  • issuer: C=RO; ST=Bucuresti; L=Bucuresti; O=GOV Country; OU=INSTITUTE; CN=proxy.proxy.proxy; emailAddress=mail@domain.com
  • SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

GET / HTTP/1.1
Host: designer.mysurvey.solutions
User-Agent: curl/7.74.0
Accept: */*

  1. See if this will help:
    Getting an error "curl: (60) Peer certificate cannot be authenticated with known CA certificates" when trying to curl a site that has a VALID SSL certificate - Red Hat Customer Portal

If this is not applicable to your OS, see an equivalent procedure for updating certificates store for your OS.

  2. If you update the certificates store and this doesn’t help, try to bypass the proxy, to see if it is connecting fine. If so, investigate with the proxy’s owner on whether it does any transformation of the HTTPS traffic and how to regulate such intrusions.
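
The curl transcripts earlier in the thread show the certificate for *.mysurvey.solutions carrying the proxy's name as issuer, which is the HTTPS transformation the second suggestion asks about. As an added example that is not part of the original posts, this shell script extracts the issuer CN from `curl -v` output in both layouts seen in the thread and classifies it; the function names and the "Example Public CA" pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `curl -v` output whether
# the certificate was issued by the CA you expect or re-signed by a proxy.

# Print the issuer CN from curl -v output on stdin. Handles the NSS layout
# (issuer: E=..,CN=..,OU=..) and the OpenSSL layout (issuer: C=..; CN=..).
# Limitation: a CN that itself contains ',' or ';' is cut at that character.
issuer_cn() {
    sed -n 's/^[^A-Za-z]*issuer:[[:space:]]*//p' | head -n 1 |
        tr ';,' '\n\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# classify_issuer PATTERN: reads curl -v output on stdin and prints
#   expected  - issuer CN matches PATTERN (shell glob for the CA you expect)
#   resigned  - a different issuer signed the certificate (TLS inspection)
#   unknown   - no issuer line found (handshake never reached the certificate)
classify_issuer() {
    cn=$(issuer_cn)
    if [ -z "$cn" ]; then echo unknown; return; fi
    case $cn in
        $1) echo expected ;;
        *)  echo resigned ;;
    esac
}

# Constructed samples. The issuer lines reuse the redacted values quoted in
# this thread; "Example Public CA" is a placeholder, not the site's real CA.
NSS_SAMPLE='*       common name: *.mysurvey.solutions
*       issuer: E=mail@domain.com,CN=proxy.proxy.proxy,OU=INSTITUTE,O=GOV Country,L=Bucuresti,ST=Bucuresti,C=RO'
OPENSSL_SAMPLE='*  subject: C=US; ST=District of Columbia; O=World Bank Group; CN=*.mysurvey.solutions
*  issuer: C=RO; ST=Bucuresti; L=Bucuresti; O=GOV Country; OU=INSTITUTE; CN=proxy.proxy.proxy; emailAddress=mail@domain.com'
DIRECT_SAMPLE='*  issuer: C=US; O=Example Org; CN=Example Public CA'
NO_CERT_SAMPLE='* TLSv1.3 (OUT), TLS handshake, Client hello (1):'

demo() {
    for s in "$NSS_SAMPLE" "$OPENSSL_SAMPLE" "$DIRECT_SAMPLE" "$NO_CERT_SAMPLE"; do
        printf '%s\n' "$s" | classify_issuer 'Example Public CA*'
    done
}
demo
```

A `resigned` result means the proxy's CA certificate has to be added to the trust store of the host and of the container, which is the certificate-store update suggested above; `--insecure` only hides the mismatch.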

Dear Sir,

I solved the problem with a parameter that exports https_proxy to an http proxy address and the server can connect to the designer without problems.

But now I encounter the following problem.
In the Diagnostics page, I receive the following alert:

"Web socket connectivity

  • [2023-05-16 11:16:26] Building connection to server using `/signalrdiag` url

  • [2023-05-16 11:16:56] Failed to invoke server method with error: Error: Server timeout elapsed without receiving a message from the server."
    

When I want to assign a questionnaire after 30 seconds of loading, I receive an error → Error: Server timeout elapsed without receiving a message from the server.

I read the topic Error Message: "Server timeout elapsed without receiving a message from the server" and the page https://docs.mysurvey.solutions/headquarters/config/healthcheck/. I understood the working mechanism, but how can I fix the problem?

Try the instructions from Microsoft as shown on their page:

WebSocket <webSocket> | Microsoft Learn

Dear Sir,

Do you have a similar tutorial for Ubuntu Linux? Our server runs in Docker.