LON-CAPA Help


A LON-CAPA server requires a static IP address, and the hostname included in the hosts.tab entry for the server should resolve to that IP address. If the server is part of the LON-CAPA network, it will need to support connections from other servers, both for "internal" communication via the dedicated LON-CAPA port and for requests to standard web ports when replicating content.

Consequently, in order to run LON-CAPA server(s) behind a Web Application Firewall (WAF) or Reverse Proxy, users' web browsers must request different hostname(s), or alias(es) to the default hostname in /home/httpd/lonTabs/hosts.tab, when accessing LON-CAPA pages from a domain's server(s) via a WAF.

  1. Alias for WAF/Reverse Proxy

    The "Web Application Firewall/Reverse Proxy" domain configuration is used to indicate whether a WAF is in use and, if so, to provide the alias assigned to each LON-CAPA server which will use the WAF. For each server there is also an option to indicate whether a node supporting Single Sign On will use the alias when redirecting to the URL used to trigger SSO authentication. The default URL is /adm/sso, but it can be set in an Apache config file using: PerlSetVar lonOtherAuthenUrl < other URL >

  2. Determining a user's remote IP address

    In order for LON-CAPA to reliably determine a remote user's IP address for inclusion in the record of the user's LON-CAPA transactions, a list of the IP address(es) which the WAF uses to connect to a domain's servers, i.e., the WAF's Trusted IP range(s), is needed. The name of the header item, added by the WAF when forwarding a request, which contains the user's remote IP address is also needed.

    For the item: "Method for determining user's IP", select one of:

    If mod_remoteip is in use then the Apache configuration must be modified on each of the domain's LON-CAPA servers to include the following:

    where RemoteIPHeader contains the name of the item in the headers sent by the WAF which holds the user's remote IP address, and where RemoteIPTrustedProxy is a space-separated list of IP ranges from which the WAF's servers will connect to LON-CAPA.

    If mod_remoteip will not be used then the Apache configurations can be left unchanged, but the same information will need to be provided via the "Request header remote IP" textbox and the "Trusted IP range(s)" text area in the WAF/Reverse Proxy domain configuration. If "Not in use" is chosen (not recommended), that information is not required, but the IP address logged will be the address used by the WAF itself when forwarding the user's request to LON-CAPA.
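The trusted-range rule from item 2, as an added example that is not LON-CAPA's own code: the forwarded header is believed only when the connecting peer lies inside the WAF's Trusted IP range(s), and the header list is read from right to left so that values supplied by the browser itself are not accepted. The function names, the 10.0.5.0/24 range and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from a real deployment).
TRUSTED_RANGES = ["10.0.5.0/24"]   # addresses the WAF connects from
HEADER_NAME = "X-Forwarded-For"    # header item the WAF adds when forwarding


def is_trusted(addr, trusted_ranges):
    """True if addr lies inside one of the WAF's trusted IP range(s)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False)
               for r in trusted_ranges)


def remote_ip(peer, headers, header_name=HEADER_NAME,
              trusted_ranges=TRUSTED_RANGES):
    """Return the address to record for one request.

    peer is the TCP peer address seen by the web server; headers is a
    dict of request headers. The header is consulted only while the
    current candidate address is a trusted proxy.
    """
    wanted = header_name.lower()   # header names are case-insensitive
    raw = next((v for k, v in headers.items() if k.lower() == wanted), "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    candidate = peer
    for hop in reversed(hops):
        if not is_trusted(candidate, trusted_ranges):
            break   # candidate is not a known proxy: ignore what it claims
        try:
            candidate = str(ipaddress.ip_address(hop))
        except ValueError:
            break   # malformed entry: keep the last address we could verify
    return candidate


if __name__ == "__main__":
    # Constructed requests: (peer address, headers)
    samples = [
        ("10.0.5.10", {"X-Forwarded-For": "203.0.113.7"}),                 # via WAF
        ("10.0.5.10", {"X-Forwarded-For": "203.0.113.99, 198.51.100.23"}),  # forged first hop
        ("192.0.2.50", {"X-Forwarded-For": "203.0.113.99"}),               # direct, e.g. VPN
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", remote_ip(peer, hdrs))
```

With an empty list of trusted ranges the function returns the peer address unchanged, which corresponds to the "Not in use" case where the WAF's own address is logged.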

  3. Apache log file format

    In order for Apache log files to log a user's remote IP address, a modification is needed to the LogFormat entry in the appropriate Apache config file(s). If using mod_remoteip, prepend %a (or replace %h with %a); otherwise prepend %{X-Forwarded-For}i or replace %h with that string.

  4. Access for VPN users

    If some users in the domain will access LON-CAPA when connected to the campus network via the institution's VPN service, you may optionally choose to allow VPN users to connect to LON-CAPA without using the WAF. A reason for doing that would be to configure LON-CAPA to log the internal IP address assigned to each user's VPN session instead of logging one of the backend IP addresses assigned for campus communication with the WAF.

    For the item: "Access from institutional VPN", select one of:

    If VPN users will not use WAF, but other users will, then the following are needed:

  5. Forwarding http and https requests

    If using WAF select one of: