reverse proxy

[scheiblr]

Hey guys,

first of all thanks for distributing the code for the tool and offering a docker image.
Today I started to touch the docker image, too and tried to incorporate it as a component into my software stack.
After some tries and research I ended up on this page. I wondered if in meantime, there is the possibility to switch off the java ssl feature in order to realize ssl by a sometimes more convenient reverse proxy method. I'm also using an nginx and am trying to realize the reverse proxy. Unfortunately, it won't function without issues.

Kind regards,
Raphael

[tom08zehn]

What are you trying to achieve? Run a HTTPS Listener (which is possible in Mirth but only with commercial plugins)?

We're using traefik (as docker container) wich redirects HTTP to HTTPS and enables Mirth being a HTTPS server.
https://traefik.io

A HTTPS Sender destination works out of the box and even if you need to do a HTTP request using code (not destination sender) you could ignore SSL certificates and completely bypass the whole SSL part.

[tom08zehn]

Hum, OK I also don’t have an idea how to switch off SSL. Technically you could possibly have a HTTP proxy in front of Mirth which then speaks to Mirth using HTTPS.

For the end application and also Mirth launcher/API it would then be a HTTP (non SSL) connection. But not sure how and what proxy/settings to use...

[scheiblr]

thanks, I tried to integrate it that way. Only the landing page worked. Though, the generated URLs inside the application seem to be internally generated and add the https:// again. Further, I had problems to map it to a folder, e.g. localhost/mirth/. I find this very unfortunate, as it is difficult/impossible to include the tool into an existing docker stack using a reverse proxy as I'm trying.

[tonygermano]

If you were having trouble changing the http.contextpath property in 3.10, that's been resolved in 3.11. What is the issue trying to proxy to an https endpoint?

[cturczynskyj]

While we don't recommend it, you can set server.api.allowhttp to true in mirth.properties to allow plain HTTP to be used for API access.

[mochsner]

@cturczynskyj by "API", do you mean the admin settings / Dashboard, or actual Mirth healthcare data?

[petermicuch]

Hi @scheiblr,

not sure if this helps you in any way. Until there is support of talking to Mirth using port 80 without unnecessary redirects or without code modifications (if ever), you can simply forward all traffic to port 8443 or port 443 in case you remapped it in your respective kubernetes service as I did. All you need to do in your reverse proxy is to force HTTPS protocol in your proxypass call. I.e. this nginx ingress example works fine for me and will work also for you, assuming you would have ingress and postgres in your cluster:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mirth-connect
  labels:
    clinic-app: mirth-connect
spec:
  selector: 
    matchLabels: 
      clinic-app: mirth-connect
  template:
    metadata:
      labels:
        clinic-app: mirth-connect
    spec:
      containers:
      - name: mirth-connect
        image: nextgenhealthcare/connect
        ports:
        - name: https
          containerPort: 8443
        env:
          - name: DATABASE
            value: "postgres"
          - name: DATABASE_URL
            value: jdbc:postgresql://postgres:5432/mirthdb
          - name: DATABASE_USERNAME
            value: postgres
          - name: DATABASE_PASSWORD
            value: postgrespw
          - name: _MP_HTTP_CONTEXTPATH
            value: "/mirth"
---
apiVersion: v1
kind: Service
metadata:
  name: mirth-connect
spec:
  selector:
    clinic-app: mirth-connect
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mirth-connect
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
        - host.docker.internal
      secretName: vtc-tls-secret
  rules:
    - host: "host.docker.internal"
      http:
        paths:
          - path: "/mirth"
            pathType: Prefix
            backend:
              service:
                name: mirth-connect
                port:
                  number: 443

Please note the line nginx.ingress.kubernetes.io/backend-protocol: "HTTPS". In case you create your reverse proxy configuration for nginx manually without using ingress, just use proxy_pass https://... instead of HTTP protocol. I've tested above in the local Docker Desktop kubernetes cluster.

[petermicuch]

Now I clicked to see all replies to your question above. Suggestion from @cturczynskyj will work fine when you access Mirth server using Mirth Connect Administrator GUI client. However web dashboard will give you only response that The Mirth Connect Web Dashboard must be accessed over HTTPS. even though it is actually accessed over HTTPS that was terminated by the reverse proxy. If that does not bother you and you only need this for access via Administrator GUI, then below is modified template that uses port 80 to access Mirth.

@cturczynskyj - why are you guys forcing this https protocol towards the server? In the microservice architecture, you will most likely host the service inside some cluster where communication is secured and shielded from outside using reverse-proxy, to only expose services that you would like to expose. In that case, TLS termination is done by the reverse-proxy and not by each and every exposed micro service and might also be protected by better (shorter lived) certificates unlike in case of the build-in certificate that you guys are using.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mirth-connect
  labels:
    clinic-app: mirth-connect
spec:
  selector: 
    matchLabels: 
      clinic-app: mirth-connect
  template:
    metadata:
      labels:
        clinic-app: mirth-connect
    spec:
      containers:
      - name: mirth-connect
        image: nextgenhealthcare/connect
        ports:
        - name: https
          containerPort: 8443
        - name: http
          containerPort: 8080
        env:
          - name: DATABASE
            value: "postgres"
          - name: DATABASE_URL
            value: jdbc:postgresql://postgres:5432/mirthdb
          - name: DATABASE_USERNAME
            value: postgres
          - name: DATABASE_PASSWORD
            value: postgrespw
          - name: _MP_HTTP_CONTEXTPATH
            value: "/mirth"
          - name: _MP_SERVER_API_ALLOWHTTP
            value: "true"
---
apiVersion: v1
kind: Service
metadata:
  name: mirth-connect
spec:
  selector:
    clinic-app: mirth-connect
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mirth-connect
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
        - host.docker.internal
      secretName: vtc-tls-secret
  rules:
    - host: "host.docker.internal"
      http:
        paths:
          - path: "/mirth"
            pathType: Prefix
            backend:
              service:
                name: mirth-connect
                port:
                  number: 80