OSC / ood-ansible

An ansible role for Open Ondemand
MIT License

support for multiple server names in `ood-portal.conf.j2` #191

Closed ltalirz closed 1 year ago

ltalirz commented 1 year ago

This is a minor feature request for a scenario that comes up when deploying HPC clusters in cloud environments for corporations.

For this to work, as of today the domain name (or the private IP address) on both sides needs to match, since the templating of the apache configuration file only supports one server name.

It would probably not be too difficult to extend the role to support a list of server names. I copy below a comment that may have been written for a previous version of this role (and perhaps somewhat specific to use in AZ-HOP); but the basic idea still applies.

=====

For the HTTP=>HTTPS redirect rule in /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf, the generic solution is simple:

<VirtualHost *:80>
  RewriteEngine On
  RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R=301,NE,L]
</VirtualHost>

For the SSL hosts it is a little more involved since the FQDN appears in many places. Also, the fact that different FQDNs will have different certificates means there is no similarly generic solution (some work will need to be done per domain in order to create the certificates).

The easiest way to handle this in the config file is probably using mod_macro, something like (untested)

<Macro VHost $domain>
<VirtualHost *:443>
  ServerName $domain
  ServerAlias www.$domain

  ErrorLog  "/var/log/httpd24/$domain_error_ssl.log"
  CustomLog "/var/log/httpd24/$domain_access_ssl.log" combined

  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^$domain(:443)?$ [NC]
  RewriteRule ^(.*) https://$domain$1 [R=301,NE,L]

  # Support maintenance page during outages of OnDemand
  RewriteEngine On
  RewriteCond /var/www/ood/public/maintenance/index.html -f
  RewriteCond /etc/ood/maintenance.enable -f
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]

  Header always set Content-Security-Policy "frame-ancestors https://$domain;"
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

  SSLEngine On
  SSLCertificateFile "/etc/ssl/$domain/$domain.crt"
  SSLCertificateKeyFile "/etc/ssl/$domain/$domain.key"
</VirtualHost>
</Macro>

You can then simply have one line per FQDN in the config file:

Use VHost example.com
Use VHost 10.92.4.3

johrstrom commented 1 year ago

We deprecated the use of ood-portal.conf.j2. It's just too much to maintain both that and ood_portal.yml.j2, which the proper OnDemand libraries use to make the actual conf file. So we should be using values in ood_portal.yml and let OnDemand generate the apache config file.

https://github.com/OSC/ood-ansible/issues/128

That said - 3.0 did ship with server_aliases (which I'm now seeing we didn't document). Would this solve your issue?

https://github.com/OSC/ondemand/blob/133b879d381a037f01bcc7a4373c71608c980dc1/ood-portal-generator/share/ood_portal_example.yml#L18-L22

If it doesn't let me know as I would like to enable this upstream in OnDemand itself and forgo ood_portal.conf.j2 templating.

johrstrom commented 1 year ago

We have support for server_aliases here, but there appears to be a bug in it (it's using maintenance_ip_allowlist instead).

https://github.com/OSC/ood-ansible/blob/45e34608cc64ac8f3525afd417859b55a99f9351/templates/ood_portal.yml.j2#L23-L34
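To show how the two approaches in this thread relate (the per-FQDN mod_macro block quoted earlier and the `servername` / `server_aliases` keys of ood_portal.yml that johrstrom points to), here is an added example. It is not code from OnDemand, ood-ansible or either commenter: the ERB template is written for this example only and is not the template shipped with ood-portal-generator, and the hostnames, the IP and the YAML fragment are constructed sample values. It renders one ServerAlias per entry read from the `server_aliases` key (not `maintenance_ip_allowlist`), redirects HTTP to the canonical name instead of echoing `%{HTTP_HOST}`, and includes a Host-header check with the same intent as the macro's `RewriteCond %{HTTP_HOST} !^$domain(:443)?$`, except that it accepts every alias and escapes the name so `.` is not a regex wildcard.

```ruby
require 'erb'
require 'yaml'

# Constructed ood_portal.yml fragment (sample values, not a real deployment).
# Only the keys used in this example are shown; names and IP are made up.
EXAMPLE_OOD_PORTAL_YML = <<~YAML
  servername: ondemand.example.com
  server_aliases:
    - ondemand-internal.example.com
    - 10.92.4.3
  port: 443
YAML

# Illustrative template written for this example. It is NOT the template
# shipped with ood-portal-generator, only the same idea: one ServerName
# plus one ServerAlias per entry in server_aliases, on both vhosts.
PORTAL_TEMPLATE = <<~ERB
  <VirtualHost *:80>
    ServerName <%= servername %>
  <% server_aliases.each do |a| -%>
    ServerAlias <%= a %>
  <% end -%>
    RewriteEngine On
    # Redirect to the canonical name rather than echoing %{HTTP_HOST}.
    RewriteRule ^(.*) https://<%= servername %>$1 [R=301,NE,L]
  </VirtualHost>

  <VirtualHost *:<%= port %>>
    ServerName <%= servername %>
  <% server_aliases.each do |a| -%>
    ServerAlias <%= a %>
  <% end -%>
    SSLEngine On
    # The certificate must cover every name above (SAN entries),
    # otherwise one vhost and one cert per name is needed, as in the macro.
    SSLCertificateFile    "/etc/ssl/<%= servername %>/<%= servername %>.crt"
    SSLCertificateKeyFile "/etc/ssl/<%= servername %>/<%= servername %>.key"
  </VirtualHost>
ERB

# Read the keys this example cares about; server_aliases defaults to [].
def load_portal_config(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  {
    servername:     cfg.fetch('servername'),
    server_aliases: Array(cfg['server_aliases']).map(&:to_s),
    port:           Integer(cfg.fetch('port', 443))
  }
end

# Render the Apache config the way ood-portal-generator does (ERB over a
# hash of settings), using the example template above.
def render_portal_conf(cfg)
  ERB.new(PORTAL_TEMPLATE, trim_mode: '-').result_with_hash(cfg)
end

# Every name Apache will answer for on this vhost.
def allowed_hosts(cfg)
  [cfg[:servername]] + cfg[:server_aliases]
end

# Same intent as `RewriteCond %{HTTP_HOST} !^$domain(:443)?$` in the macro,
# but (a) every alias is accepted, not just one name, and (b) the name is
# regex-escaped so "." cannot match an arbitrary character.
def host_header_allowed?(cfg, host_header)
  allowed_hosts(cfg).any? do |name|
    host_header.match?(/\A#{Regexp.escape(name)}(:#{cfg[:port]})?\z/i)
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = load_portal_config(EXAMPLE_OOD_PORTAL_YML)
  puts render_portal_conf(cfg)
end
```

Running the file prints the two rendered vhosts; `host_header_allowed?` is the piece to lift into a review of any hand-written RewriteCond, since an unescaped `example.com` in the macro also matches `exampleXcom`.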

ltalirz commented 1 year ago

Hi @johrstrom , thank you very much for the quick reply!

> That said - 3.0 did ship with server_aliases (which I'm now seeing we didn't document). Would this solve your issue?
>
> https://github.com/OSC/ondemand/blob/133b879d381a037f01bcc7a4373c71608c980dc1/ood-portal-generator/share/ood_portal_example.yml#L18-L22

That is great news, thank you! Indeed, that will solve the issue once we upgrade.

@xpillons @matt-chan

johrstrom commented 1 year ago

Thanks! I'll fix the bug in this role's support for server_aliases today.