Mojolicious url_for operation insecure in webservice

Question

I am trying to return content with a web service. Behind an apache proxy if fails with "Operation insecure".

I read about adding an apache hook but it won't work for me. Setting the environment variable neither. This is what I tried: how to make Mojolicious's url_for()->to_abs() return correct scheme (http or https) behind nginx

Maybe or webservice I have to do something else ? Also I use mojolicious lite.

Also the url_for is done in the template file .html.ep. I use it to call the web service from javascript.

I run Mojolicious 7.59 on Ubuntu 18.04. Thank you for you help

Answer 1

I solved it this way: the apache proxy must have some specific settings and also the mojo app must be in reverse proxy mode.

Apache Settings

Apache must know how to proxy the web services and it must tell mojo about the forwarding protocol.

• I put all my webservices under the /ws/ and I added it to ProxyPass
• My mojo app is at the same host at port 8080 so I proxy to localhost:8080.
• It is very important to set the X-Forwarded-Proto

At /etc/apache2/sites-enabled/default-ssl.conf I changed this way:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /ws/ ws://localhost:8080/ws/ keepalive=On
    ProxyPass / http://localhost:8080/ keepalive=On
    ProxyPassReverse / http://localhost:8081/
    RequestHeader set X-Forwarded-Proto "https"

Mojo Proxy

The mojolicious app must know it is in reverse proxy. If you are using hypnotoad it may not be necessary. When I did some tests with morbo I had to run it this way:

MOJO_REVERSE_PROXY=1 morbo script.pl

There is more documentation at https://mojolicious.org/perldoc/Mojolicious/Guides/Cookbook#Reverse-proxy