-1

I'm developing a web app that needs to embed pages from a legacy web app in an iframe, which needs to be recognised as the same origin to allow the page to mess with the iframe contents via JavaScript.

Since I'm developing on localhost, I therefore need a way to proxy the legacy app to make it also appear on localhost (or at least the same as something hosted locally).

To complicate things just a little, due to decree by the firewall gods which I cannot influence, I cannot access the publicly available legacy app (which is hosted in the same building) from my development network specifically, unless I ssh tunnel to some random exit point on the public internet and configure Chrome to access the legacy app's domain via the resulting local SOCKS proxy. In the production environment, this whole problem won't exist, but for now I've got to work with what I have.

This sounds like something solvable with a certain local nginx configuration, which would present both my locally running web app and the proxied legacy app as the same host, though I'm not sure what this would be called.

Are there other, perhaps simpler solutions I should consider?

Nat
  • Your question seems self-contradictory, on one hand you say you can't reach the legacy app from your development app directly (without pivoting through some random server on the outside internet) and on the other hand you say it should be solvable by a local nginx configuration, which implies that you can reach the legacy app after all. Can you please clarify? – Per von Zweigbergk Jul 26 '14 at 10:35
  • I mean, if nginx could serve up responses both from the local app, and the legacy app, which it communicates with via the socks proxy. Does that make sense? And make them both appear as the same host. – Nat Jul 26 '14 at 10:38
  • Oh, so you'd set up your SSH tunnel and then want Nginx to serve up your legacy app on a different path, with Nginx accessing it through the SSH tunnel? – Per von Zweigbergk Jul 26 '14 at 10:41
  • Indeed. Is that the kinda thing nginx can do? – Nat Jul 26 '14 at 10:43

1 Answer

4

Let's split up the problem into two problems.

Reaching the legacy application from your dev environment

Since the firewall admins at your workplace have decided that it should not be possible to reach the legacy app directly from the development network, you have chosen to use an SSH tunnel to work around this.

This is not an approach I'd recommend, but since you said that we should work with what you have, this is what we'll have to do. I'd investigate however if you'd be able to reach the legacy application's web server using the internal IP address rather than the external. The apparent lack of access might just be a result of lack of NAT hairpinning support.

But, if you are simply unable to establish a direct TCP session with the web server, using the SSH trick would work. Rather than using the "dynamic" tunnel approach, where your SSH client pretends to be a SOCKS proxy, you should instead use a static ("local" port) tunnel. Something like localhost:8081 -> [ssh tunnel] -> legacyapp.example.com:80.

Making Nginx serve up the legacy app on the same host as your new app

You need something like a "subdirectory" to stick the legacy app in. What you want to use is the "reverse proxy" functionality, as documented on the Nginx website.

You need to keep in mind also sending the correct Host header if the legacy app is on a virtual host. Sticking something like this in your config ought to be close to what you want:

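location /legacyapp/ {
    # Send the legacy app's own virtual-host name upstream
    proxy_set_header Host "legacyapp.example.com";
    # Local end of the SSH tunnel; with no URI part here, the request path
    # (including the /legacyapp/ prefix) is forwarded unchanged
    proxy_pass http://localhost:8081;
}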

Where 8081 is the port number of your SSH tunnel (or if you find another way of reaching the legacy app's web server), and legacyapp.example.com is the hostname of your legacy app.

This would work as long as you keep your SSH tunnel running. Kinda rickety for production, but I guess it'll have to do for a dev setup. :-) Which is why I'd encourage you to poke around and see if you can reach the legacy app from your dev network using its internal IP rather than the external hostname.

Hope this helps.

Per von Zweigbergk
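The two halves of the answer above (static SSH tunnel plus reverse proxy) combined into one dev-only server block, as an added example that is not part of the original answer. The listen port 8080, the new app's port 3000, `user@exit-host.example`, and the legacy app being served from the root of its virtual host are assumptions.

```nginx
# Added example, not from the original answer.
# Assumed placeholders: listen port 8080, new app on 127.0.0.1:3000,
# SSH exit host user@exit-host.example, legacy app at the root of its vhost.
#
# Static ("local" port) tunnel, bound to loopback only:
#   ssh -N -L 127.0.0.1:8081:legacyapp.example.com:80 user@exit-host.example
#
# This block belongs inside the http { } context.
server {
    # Loopback only: the tunnel sidesteps the firewall policy, so the
    # proxy should not be reachable from other machines on the dev network.
    listen 127.0.0.1:8080;
    server_name localhost;

    # The new app's dev server (assumed port).
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;
    }

    # The legacy app, reached through the SSH tunnel.
    location /legacyapp/ {
        # The legacy web server selects its virtual host from this header.
        proxy_set_header Host "legacyapp.example.com";

        # The trailing "/" makes nginx replace the /legacyapp/ prefix
        # with / before forwarding. 127.0.0.1 is used instead of localhost
        # so nginx never tries ::1, where the tunnel is not listening.
        proxy_pass http://127.0.0.1:8081/;

        # Redirects issued with the legacy hostname would leave the shared
        # origin; map them back under /legacyapp/.
        proxy_redirect http://legacyapp.example.com/ /legacyapp/;

        # Scope the legacy app's cookies to its own sub-path so they do
        # not collide with the new app's cookies on the same host.
        proxy_cookie_path / /legacyapp/;
    }
}
```

Both apps then load from `http://localhost:8080`, so the browser treats the iframe as same-origin. Absolute links inside the legacy app's HTML are not rewritten by these directives.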