Health Checks
Health checks should be run against the/ping route instead of simply the base / route.
The base / route will often return a 302 redirect, which many load balancers view as a “down” response.
The /ping route will always return a 200 response.
Headers
When your users access Curator over the reverse proxy, specific “headers” are used to tell Curator how to process the request. X-FORWARDED-FOR : The IP address of the end user. X-FORWARDED-HOST : The host name of the request. Note: A “Forced Domain” in Portal Settings->Security overrides this value. X-FORWARDED-PROTO : Whether to use HTTPS or HTTP for routes.Unable to adjust headers
Often, reverse proxy solutions are missing some or all of these headers. To help configure a reverse proxy with Curator, Apache configuration files can be used. On Windows, thecurator.conf file is a great place for this configuration.
On Linux, /var/www/html/.htaccess, or any of the httpd.conf files can also be utilized.
Forced Domain and SSL
When Curator is behind a reverse proxy or load balancer, the server may not know the public domain name or protocol that users access it through. This can cause Curator to generate links using the server’s internal IP address or server name (e.g.,10.40.243.235/dashboard/...) instead of your domain name, or use http:// instead of
https://.
The Forced Curator Domain setting overrides whatever host Curator detects, including the X-Forwarded-Host
header, and ensures all generated URLs use the specified domain. The Force SSL setting ensures all generated
URLs use https:// instead of http://.
Configuring Forced Domain and Force SSL
- Navigate to Settings > Curator > Portal Settings > General and scroll to the Security section.
- Enter your domain in the Forced Curator Domain field (e.g.,
curator.example.com). Do not includehttps://. - Enable Force SSL to ensure all URLs use HTTPS.
- Save your changes.
This setting also prevents Host Header Injection
attacks. Even if your proxy is sending the correct
X-Forwarded-Host header today, setting a Forced Domain is
recommended as an additional security measure.Disabling via Command Line
If you lose access to the Curator UI after enabling these settings (for example, due to a DNS or SSL misconfiguration), you can disable them from the server’s command line:Troubleshooting
ERR_TOO_MANY_REDIRECTS (redirect loop)
If users seeERR_TOO_MANY_REDIRECTS in the browser (or This page isn't working - redirected you too many times)
after enabling Force SSL, Curator is stuck in a redirect loop with the proxy.
Root cause: Force SSL tells Curator to redirect any request it sees as http:// to https://. When the proxy
terminates SSL but does not forward the X-Forwarded-Proto (or X-Forwarded-SSL) header, Curator only sees the
plain HTTP request from the proxy and issues another redirect to HTTPS. The proxy then sends that redirected
request back to Curator as HTTP again, and the loop repeats until the browser gives up.
Clearing browser cookies does not resolve this — the loop is on the server side.
Recovering access: If you can no longer reach the Curator UI, disable Force SSL from the server command line:
- Configure the proxy to forward
X-Forwarded-Proto: https(andX-Forwarded-SSL: on) on every request it proxies to Curator. See the Headers section above. - Set the Apache environment variables described in the Unable to adjust headers section above so that Curator always treats the request as HTTPS.
- Leave Force SSL disabled and instead enforce HTTPS at the proxy layer (for example, by redirecting all port 80 traffic to port 443 at the proxy).