Payara behind HAProxy with SSL termination endless redirect (302) loop

Technical Discussion
1

I have a nicely working Dataverse service based on Payara deployed in our Docker Swarm but I have difficulties accessing the Payara Admin interface on port 4848 which is accessible in the same container where the actual 8080 service is exposed.

The problem is that I get an infinite loop of HTTP 302 redirects when trying to reach the Payara admin interface which is configured in the HAProxy load balancer just like the backend for the HTTP service.

My suspicion now is that when I access (let’s say) https://admin.payara.institute.org which is then lead by HAProxy to the target container and port 4848, Payara somehow makes an HTTP(not S!) request like http://admin.payara.institute.org and that again is redirected by HAProxy to https://admin.payara.institute.org, which would cause a loop.

I don’t have any better explanation and also no solution so I thought I’ll ask here.

Do you have any ideas?

Here is the debug log from HAProxy when I try to access the Payara admin interface on port 4848. The redirects repeat 20 times and then there is abort.

haproxy-service  | Jul 10 09:10:30 : 11.22.46.11:64037  default be_admin.payara.institute.org/payara-dataverse-1 10/0/1/1/12 302 156 - - ---- 2/2/0/0/0 0/0 {- - - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. - admin.payara.institute.org -} {} "GET / HTTP/1.1"
haproxy-service  | Jul 10 09:10:30 : 11.22.46.11:64038  default be_admin.payara.institute.org/payara-dataverse-1 5/0/1/1/7 302 156 - - ---- 2/2/0/0/0 0/0 {- - - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. - admin.payara.institute.org -} {} "GET / HTTP/1.1"
haproxy-service  | Jul 10 09:10:30 : 11.22.46.11:64039  default be_admin.payara.institute.org/payara-dataverse-1 4/0/1/1/6 302 156 - - ---- 2/2/0/0/0 0/0 {- - - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. - admin.payara.institute.org -} {} "GET / HTTP/1.1"
haproxy-service  | Jul 10 09:10:30 : 11.22.46.11:64040  default be_admin.payara.institute.org/payara-dataverse-1 4/0/1/1/6 302 156 - - ---- 2/2/0/0/0 0/0 {- - - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. - admin.payara.institute.org -} {} "GET / HTTP/1.1"
haproxy-service  | Jul 10 09:10:30 : 11.22.46.11:64041  default be_admin.payara.institute.org/payara-dataverse-1 5/0/0/1/6 302 156 - - ---- 2/2/0/0/0 0/0 {- - - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. - admin.payara.institute.org -} {} "GET / HTTP/1.1"
haproxy-service  | Jul 10 09:10:30 : 11.22.46.11:64042  default be_admin.payara.institute.org/payara-dataverse-1 5/0/1/1/7 302 156 - - ---- 2/2/0/0/0 0/0 {- - - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. - admin.payara.institute.org -} {} "GET / HTTP/1.1"

Edit: just found that 4848 is an HTTPS listener and wondering if that is causing the issue? Payara Server Docker Image Overview :: Payara Community Documentation

2

Hello tamasgal,

The admin console is using HTTP by default (and accessible from localhost only), it needs enabling security (HTTPS): Configuring REST monitoring :: Payara Community Documentation

In case of Docker, the connections is always remote and the security is switched on. So the first question:

Do you use Docker? E.g. are you able to join to any of the machine by https://machine:4848?
I tried the docker version right now and it doesn’t send any http requests.

Petr

3

The more I’m thinking about it – what do you want to achieve by loadbalancing Admin UI? AdminUI serves as configurator of a server, looking into logs, etc.
What about making one server a DAS, e.g. controlling the others and allowing you to access the others?