Consequently, in order to run LON-CAPA server(s) behind a Web Application Firewall (WAF) or Reverse Proxy, users' web browsers must request hostname(s) different from, or alias(es) of, the default hostname in /home/httpd/lonTabs/hosts.tab when accessing LON-CAPA pages from a domain's server(s) via a WAF.
The "Web Application Firewall/Reverse Proxy" domain configuration is used to indicate whether a WAF is in use, and if so, to provide the alias assigned to each LON-CAPA server which will use the WAF. For each one there is also an option to indicate whether a node supporting Single Sign On will use the alias when redirecting to the URL used to trigger SSO authentication. The default URL is /adm/sso, but it can be set in an Apache config file using: PerlSetVar lonOtherAuthenUrl <other URL>
In order for LON-CAPA to reliably determine a remote user's IP address for inclusion in the record of the user's LON-CAPA transactions, a list of the IP address(es) which the WAF uses to connect to a domain's servers, i.e., the WAF's Trusted IP range(s), is needed. The name of the header item, added by the WAF when forwarding a request, which contains the user's remote IP address is also needed.
For the item: "Method for determining user's IP", select one of:
If mod_remoteip is in use then the Apache configuration must be modified on each of the domain's LON-CAPA servers to include the following:
where RemoteIPHeader contains the name of the item in the headers sent by the WAF which holds the user's remote IP address, and where RemoteIPTrustedProxy is a space-separated list of IP ranges from which the WAF's servers will connect to LON-CAPA.
If mod_remoteip will not be used then the Apache configurations can be left unchanged, but the same information will need to be provided via the "Request header remote IP" textbox and the "Trusted IP range(s)" text area in the WAF/Reverse Proxy domain configuration. If "Not in use" is chosen (not recommended), that information is not required, but the IP address logged will be the address used by the WAF itself when forwarding the user's request to LON-CAPA.
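Why both the header name and the Trusted IP range(s) are needed, shown as an added example (not LON-CAPA's own code): the forwarded header is honored only when the connecting peer is inside a trusted range, and the header is read right to left until the first untrusted address. The function name, the X-Forwarded-For header name and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample value: range the WAF connects from (documentation range).
WAF_RANGES = ("192.0.2.0/24",)


def resolve_client_ip(peer_ip, headers, header_name="X-Forwarded-For",
                      trusted_ranges=WAF_RANGES):
    """Return the address to log for one request.

    peer_ip        -- address of the TCP peer that connected to the server
    headers        -- dict of request headers
    header_name    -- header item the WAF adds with the user's remote IP
    trusted_ranges -- CIDR strings the WAF connects from
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in trusted_ranges]

    def trusted(ip):
        return any(ip in net for net in nets)

    current = ipaddress.ip_address(peer_ip)
    if not trusted(current):
        # Direct connection: the header is under the client's control,
        # so it is ignored and the peer address is logged.
        return str(current)

    # Header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), "")
    hops = [h.strip() for h in value.split(",") if h.strip()]

    # Walk from the entry added last (rightmost) toward the client and stop
    # at the first address that is not one of the WAF's own.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        current = candidate
        if not trusted(current):
            break
    return str(current)


if __name__ == "__main__":
    # Constructed request: client pre-filled the header, WAF appended the real IP.
    print(resolve_client_ip("192.0.2.10",
                            {"X-Forwarded-For": "10.1.1.1, 203.0.113.9"}))
```

With no trusted ranges configured, every peer is untrusted and the function returns the connecting address, which matches the "Not in use" outcome described above when the WAF is the peer.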
In order for Apache log files to log a user's remote IP address, a modification is needed to the LogFormat entry in the appropriate Apache config file(s). If using mod_remoteip, prepend %a (or replace %h with %a); otherwise, prepend %{X-Forwarded-For}i or replace %h with that string.
If some users in the domain will access LON-CAPA when connected to the campus network via the institution's VPN service, you may optionally choose to allow VPN users to connect to LON-CAPA without using the WAF. A reason for doing that would be to configure LON-CAPA to log the internal IP address assigned to each user's VPN session instead of logging one of the backend IP addresses assigned for campus communication with the WAF.
For the item: "Access from institutional VPN", select one of:
If VPN users will not use the WAF, but other users will, then the following are needed:
If using the WAF, select one of: