Closed ghost closed 6 years ago
@gitlab-pano Please, refer to docker documentation.
Docker just recommends setting up a load balancer in front. Are there any changes that would need to be made in order to use a proxy or load balancer?
On Thu, Aug 31, 2017 at 12:05 PM, Natalia Keleberdenko < notifications@github.com> wrote:
@gitlab-pano https://github.com/gitlab-pano Please, refer to docker documentation.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/TIBCOSoftware/js-docker/issues/11#issuecomment-326360389, or mute the thread https://github.com/notifications/unsubscribe-auth/ARA0TE0cc2VrJeieA6mm4Zgss6nLxS1kks5sdufkgaJpZM4O5Q6_ .
-- Laurie Kepford Cloud DevOps Engineer Panoramic Software 760-712-2266
I am trying to get an SSL proxy running in front of jasper. But the tomcat container seems to default to trying to run on 8443 with https even though I have launched with the JRS_HTTPS_ONLY set to False. I made sure the section starting with this:
# Configure tomcat for SSL (optional). Uncomment ENV and RUN to enable generation of
# self-signed certificate and to set up JasperReports Server to use HTTPS only.
Was commented out.
So, I looked at the server.xml and saw this:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
I manually changed it to
<Connector port="8080" protocol="HTTP/1.1"/>
I restarted the container, but I still have the same result. Any attempt to connect to Jasper gets redirected to https on port 8443
Based on your previous post you are running on AWS correct? If that is the case just let the jasper container in port 80 with http and put an ELB in front and do the https listener at the ELB level like the Docker documentation suggests. see: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
This would assume that the container actually works on port 80 or preferably 8080. But it does not. It automatically tries to redirect you to https, even if it's disabled.
On Mon, Sep 18, 2017 at 5:33 PM, Mariano Luna notifications@github.com wrote:
Based on your previous post you are running on AWS correct? If that is the case just let the jasper container in port 80 with http and put an ELB in front and do the https listener at the ELB level like the Docker documentation suggests. see: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
Well, it's been nearly a month and no response. We have purchased a license but the software is not running. It will not run on port 8080 because something is redirecting it to run on port 8443. I made a correction in the tomcat server.xml file, changing the connector to <Connector port="8080" protocol="HTTP/1.1"/>. It was set to redirect to port 8443. But it still tries to redirect to 8443. Then I get this error. Perhaps someone can do a screenshare with me to help me get to the bottom of all of this.
[image: Inline image 1]
On Tue, Sep 19, 2017 at 12:27 PM, Laurie Kepford lkepford@panosoft.com wrote:
This would assume that the container actually works on port 80 or preferably 8080. But it does not. It automatically tries to redirect you to https, even if it's disabled.
When you set JRS_HTTPS_ONLY, the JRS container is going to do exactly that - only respond on 8443, the HTTPS port. This is configured in the JRS webapp web.xml and is updated in the entryPoint.sh.
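To get your own certificate in there, have a look at the Dockerfile. There is a commented out section that:
- creates a self signed certificate
- puts it in a keystore file in /root/.keystore
- configures Tomcat to use SSL with that keystore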
You could replace /root/.keystore with your own and leave the rest of the configuration alone.
And you could change the entryPoint.sh to pull in a keystore when the image starts, rather than embedding the keystore in the image.
Sherman
I have this set in my dockerfile:
ENV JRS_HTTPS_ONLY=false
However there are still two files that I have found so far that seem to direct to https:
Tomcat server.xml <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
And
$CATALINA_HOME/webapps/jasperserver-pro/WEB-INF/js.quartz.properties
Which has this setting: report.scheduler.web.deployment.uri=https://localhost:8443/jasperserver-pro
I found this section in the entrypoint.sh
```
config_ssl() {
  # If $JRS_HTTPS_ONLY is set in environment to "true", disable HTTP support
  # in JasperReports Server.
  if [[ $JRS_HTTPS_ONLY ]]; then
    cd $CATALINA_HOME/webapps/jasperserver-pro/WEB-INF
    xmlstarlet ed --inplace \
      -N x="http://java.sun.com/xml/ns/j2ee" -u \
      "//x:security-constraint/x:user-data-constraint/x:transport-guarantee" \
      -v "CONFIDENTIAL" web.xml
    sed -i "s/=http:\/\//=https:\/\//g" js.quartz.properties
    sed -i "s/${HTTP_PORT:-8080}/${HTTPS_PORT:-8443}/g" js.quartz.properties
  fi
}
```
I believe it is supposed to make these changes only if JRS_HTTPS_ONLY is set to true, but mine is set to false and the setting is still set to https.
On Mon, Oct 16, 2017 at 2:26 PM, Sherman Wood notifications@github.com wrote:
When you set JRS_HTTPS_ONLY, the JRS container is going to do exactly that - only respond on 8443, the HTTPS port. This is configured in the JRS webapp web.xml and is updated in the entryPoint.sh.
To get your own certificate in there, have a look at the Dockerfile. There is a commented out section that:
- creates a self signed certificate
- puts it in a keystore file in /root/.keystore
- configures Tomcat to use SSL with that keystore
You could replace /root/.keystore with your own and leave the rest of the configuration alone.
And you could change the entryPoint.sh to pull in a keystore when the image starts, rather than embedding the keystore in the image.
Sherman
Alright! I guess I figured it out. You have to completely omit the ENV JRS_HTTPS_ONLY setting. Setting it to false has no impact. You should document this better. This has cost me many hours of delay trying to get the system to load.
On Mon, Oct 16, 2017 at 2:38 PM, Laurie Kepford lkepford@panosoft.com wrote:
I have this set in my dockerfile:
ENV JRS_HTTPS_ONLY=false
However there are still two files that I have found so far that seem to direct to https:
Tomcat server.xml <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
And
$CATALINA_HOME/webapps/jasperserver-pro/WEB-INF/js.quartz.properties
Which has this setting: report.scheduler.web.deployment.uri=https://localhost:8443/jasperserver-pro
I found this section in the entrypoint.sh
```
config_ssl() {
  # If $JRS_HTTPS_ONLY is set in environment to "true", disable HTTP support
  # in JasperReports Server.
  if [[ $JRS_HTTPS_ONLY ]]; then
    cd $CATALINA_HOME/webapps/jasperserver-pro/WEB-INF
    xmlstarlet ed --inplace \
      -N x="http://java.sun.com/xml/ns/j2ee" -u \
      "//x:security-constraint/x:user-data-constraint/x:transport-guarantee" \
      -v "CONFIDENTIAL" web.xml
    sed -i "s/=http:\/\//=https:\/\//g" js.quartz.properties
    sed -i "s/${HTTP_PORT:-8080}/${HTTPS_PORT:-8443}/g" js.quartz.properties
  fi
}
```
I believe it is supposed to make these changes only if JRS_HTTPS_ONLY is set to true, but mine is set to false and the setting is still set to https.
@panoramic-machine thank you so much for feedback! I will pass it to the team. I will go ahead and close the issue now.
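Added example (not part of the thread and not the project's entrypoint.sh): the `[[ $JRS_HTTPS_ONLY ]]` test quoted above only checks that the variable is non-empty, so `ENV JRS_HTTPS_ONLY=false` still triggers the HTTPS rewrite, which matches what the reporter found. The sketch reproduces that with the two quoted sed substitutions and compares it with a stricter check; the `http://localhost:8080` starting line and the `uri_with_strict_test` helper are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. The property line is a
# constructed "before" state inferred from the sed patterns quoted in the thread.
QUARTZ_LINE='report.scheduler.web.deployment.uri=http://localhost:8080/jasperserver-pro'

# The two substitutions config_ssl() applies to js.quartz.properties,
# written to stdout here instead of editing a file in place.
rewrite_to_https() {
    printf '%s\n' "$QUARTZ_LINE" |
        sed -e 's/=http:\/\//=https:\/\//g' \
            -e "s/${HTTP_PORT:-8080}/${HTTPS_PORT:-8443}/g"
}

# Test as quoted in the thread: bash's `[[ $JRS_HTTPS_ONLY ]]` is a
# non-empty-string test, the same as POSIX `[ -n "$JRS_HTTPS_ONLY" ]`.
uri_with_original_test() {
    if [ -n "$1" ]; then rewrite_to_https; else printf '%s\n' "$QUARTZ_LINE"; fi
}

# Hypothetical stricter test: only explicit truthy spellings enable HTTPS-only,
# unset or explicit falsy values leave HTTP alone, anything else is rejected.
uri_with_strict_test() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|1|yes) rewrite_to_https ;;
        ''|false|0|no) printf '%s\n' "$QUARTZ_LINE" ;;
        *) echo "invalid JRS_HTTPS_ONLY value: $1" >&2; return 1 ;;
    esac
}

# Compare both tests over constructed values of JRS_HTTPS_ONLY.
for v in '' false False true; do
    printf 'JRS_HTTPS_ONLY=%-8s original: %s\n' "'$v'" "$(uri_with_original_test "$v")"
    printf '%23s strict:   %s\n' '' "$(uri_with_strict_test "$v")"
done
```

With the original test, only an unset or empty variable leaves the HTTP URI in place, which is why plain HTTP behind a TLS-terminating load balancer worked only after the ENV line was removed.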
We have our own wildcard domain certificate. In other dockerized apps I either copy the certificates to a particular place in the Dockerfile. Or I make them available through a mounted volume.
Suppose I had a volume mounted to /app/certificates that contained the certificate.crt and the myserver.key files.
How would I modify the Dockerfile to use these certificates instead of a self-signed certificate?