bugy / script-server

Web UI for your scripts with execution management

Help with Reverse proxy + Scripts execution. #549

Closed jack99trade closed 2 years ago

jack99trade commented 2 years ago

Hi ,

I have been playing with script-server and wanted to design something like this (this is a one-machine setup):

User opens URL > Apache reverse proxy (set up as Kerberos SSO) port 443 > Request is proxied to Script server port 5000

Users get the page of script server. The admin user is able to create scripts. Problem: scripts are not getting executed; there is an error in the logs.

Error message: [script_server.execution_service.WARNING] Prohibited access to not owned execution 6 (user=(null)). Note: I can verify that under the script history section, the username is getting logged properly.

my conf.json

###########################################
{
  "port": 5000,
  "address": "192.168.1.10",
  "title": "Script Server",
  "access": {
    "allowed_users": ["*"],
    "admin_users": ["admin"],
    "trusted_ips": ["127.0.0.1", "192.168.1.10"],
    "user_header_name": "X-Forwarded-User"
  },
  "logging": {
    "execution_file": "$DATE-$ID.log",
    "execution_dateformat": "%y-%m-%d%H-%M"
  },
  "security": {
    "xsrf_protection": "token"
  }
}
################################################

Logs from script server
################################################
2022-04-08 12:15:49,720 [tornado.access.INFO] 200 GET /executions/status/4 (192.168.1.10) 0.75ms
2022-04-08 12:15:50,957 [tornado.access.INFO] 101 GET /scripts/TESTSCRIPT?initWithValues=false (192.168.1.10) 0.65ms
2022-04-08 12:15:54,820 [tornado.access.INFO] 101 GET /scripts/TESTSCRIPT?initWithValues=false (192.168.1.10) 1.12ms
2022-04-08 12:15:56,845 [web_server.INFO] Calling script TESTSCRIPT. User {'auth_username': 'admin', 'proxied_ip': '127.0.0.1', 'proxied_hostname': 'localhost', 'ip': '192.168.1.10', 'hostname': 'apacheproxy'}
2022-04-08 12:15:56,846 [script_server.execution_service.INFO] Calling script #5: /usr/bin/sh /usr/project/bin/TESTSCRIPT
2022-04-08 12:15:56,851 [tornado.access.INFO] 200 POST /executions/start (192.168.1.10) 6.91ms
2022-04-08 12:15:56,879 [tornado.access.INFO] 101 GET /executions/io/5 (192.168.1.10) 1.25ms
2022-04-08 12:15:56,880 [script_server.execution_service.WARNING] Prohibited access to not owned execution #5 (user=(null))
2022-04-08 12:15:56,889 [web_server.INFO] (null) disconnected
2022-04-08 12:15:56,892 [tornado.access.INFO] 200 GET /executions/status/5 (192.168.1.10) 1.61ms
2022-04-08 12:16:16,069 [tornado.access.INFO] 302 GET / (192.168.1.10) 0.48ms
2022-04-08 12:16:16,070 [tornado.access.INFO] 101 GET /scripts/TESTSCRIPT?initWithValues=false (192.168.1.10) 0.70ms
2022-04-08 12:16:16,127 [tornado.access.INFO] 200 GET /theme/theme.css (192.168.1.10) 0.49ms
2022-04-08 12:16:16,223 [tornado.access.INFO] 304 GET /conf (192.168.1.10) 0.77ms
2022-04-08 12:16:16,224 [tornado.access.INFO] 304 GET /auth/info (192.168.1.10) 0.72ms
2022-04-08 12:16:16,226 [tornado.access.INFO] 200 GET /scripts (192.168.1.10) 1.27ms
2022-04-08 12:16:16,227 [tornado.access.INFO] 200 GET /executions/active (192.168.1.10) 0.59ms
2022-04-08 12:16:16,258 [tornado.access.INFO] 200 GET /executions/config/5 (192.168.1.10) 0.69ms
2022-04-08 12:16:16,260 [tornado.access.INFO] 200 GET /executions/config/4 (192.168.1.10) 0.57ms
2022-04-08 12:16:16,277 [tornado.access.INFO] 101 GET /executions/io/5 (192.168.1.10) 0.56ms
2022-04-08 12:16:16,278 [script_server.execution_service.WARNING] Prohibited access to not owned execution #5 (user=(null))
2022-04-08 12:16:16,284 [web_server.INFO] (null) disconnected
2022-04-08 12:16:16,291 [tornado.access.INFO] 101 GET /executions/io/4 (192.168.1.10) 0.46ms
2022-04-08 12:16:16,291 [script_server.execution_service.WARNING] Prohibited access to not owned execution #4 (user=(null))
2022-04-08 12:16:16,292 [web_server.INFO] (null) disconnected
2022-04-08 12:16:16,293 [tornado.access.INFO] 200 GET /executions/status/5 (192.168.1.10) 0.47ms
2022-04-08 12:16:16,303 [tornado.access.INFO] 304 GET /executions/status/4 (192.168.1.10) 0.60ms
2022-04-08 12:16:17,687 [tornado.access.INFO] 101 GET /scripts/Ansible?initWithValues=false (192.168.1.10) 0.60ms
2022-04-08 12:17:46,745 [tornado.access.INFO] 101 GET /scripts/TESTSCRIPT?initWithValues=false (192.168.1.10) 0.70ms
2022-04-08 12:17:46,760 [tornado.access.INFO] 200 POST /executions/cleanup/4 (192.168.1.10) 0.72ms
2022-04-08 12:17:50,596 [tornado.access.INFO] 101 GET /scripts/TESTSCRIPT?initWithValues=false (192.168.1.10) 1.11ms
2022-04-08 12:17:51,728 [tornado.access.INFO] 101 GET /scripts/Ansible?initWithValues=false (192.168.1.10) 1.20ms
2022-04-08 12:17:55,067 [web_server.INFO] Calling script Ansible. User {'auth_username': 'admin', 'proxied_ip': '127.0.0.1', 'proxied_hostname': 'localhost', 'ip': '192.168.1.10', 'hostname': 'apacheproxy'}
2022-04-08 12:17:55,068 [script_server.execution_service.INFO] Calling script #6: /bin/ansible-playbook /opt/project/Ansible/Test.yml
2022-04-08 12:17:55,074 [tornado.access.INFO] 200 POST /executions/start (192.168.1.10) 11.08ms
2022-04-08 12:17:55,088 [tornado.access.INFO] 101 GET /executions/io/6 (192.168.1.10) 0.69ms
2022-04-08 12:17:55,089 [script_server.execution_service.WARNING] Prohibited access to not owned execution #6 (user=(null))
2022-04-08 12:17:55,096 [web_server.INFO] (null) disconnected
2022-04-08 12:17:55,107 [tornado.access.INFO] 200 GET /executions/status/6 (192.168.1.10) 0.70ms
##################################################################################################

bugy commented 2 years ago

Hi @jack99trade it looks like the proxy is not passing authentication information for websockets. Unfortunately, I don't know anything about Kerberos SSO and your apache config, so I cannot advise what to change exactly.

jack99trade commented 2 years ago

> Hi @jack99trade it looks like the proxy is not passing authentication information for websockets. Unfortunately, I don't know anything about Kerberos SSO and your apache config, so I cannot advise what to change exactly.

Hi @bugy below is my config on Apache:

###################################
<Location /local-server/>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbServiceName HTTP
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms LOCAL.INTERNAL
    KrbSaveCredentials On
    KrbVerifyKDC Off
    KrbLocalUserMapping on
    Krb5Keytab /etc/apache2/apache2.keytab
    require valid-user
    ProxyPass http://192.168.1.10:5000/
    ProxyPassReverse http://192.168.1.10:5000/
    RequestHeader set Origin http://192.168.1.10:5000/
    RewriteEngine On
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule /(.*) ws:/$1 [P,NE]
    RewriteCond %{REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [E=R_U:%1]
    RequestHeader set X-Forwarded-User %{R_U}e
</Location>
#############################################

bugy commented 2 years ago

Could you test it with a simple htpasswd authentication (in apache proxy) and see if it would work? So we would know whether we should adjust Kerberos or Apache config

jack99trade commented 2 years ago

> Could you test it with a simple htpasswd authentication (in apache proxy) and see if it would work? So we would know whether we should adjust Kerberos or Apache config

So I created a new config for basic auth (created one account: testuser):
#######################################
<Location /local-server/>
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    require valid-user
    ProxyPass http://192.168.1.10:5000/
    ProxyPassReverse http://192.168.1.10:5000/
    RequestHeader set Origin http://192.168.1.10:5000/
    RewriteEngine On
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule /(.*) ws:/$1 [P,NE]
    RewriteCond %{REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [E=R_U:%1]
    RequestHeader set X-Forwarded-User %{R_U}e
</Location>
##################################

Logs on script server:
############################################################################
2022-04-08 21:00:52,696 [tornado.access.INFO] 101 GET /scripts/TESTSCRIPT?initWithValues=false (192.168.1.10) 0.77ms
2022-04-08 21:00:55,236 [web_server.INFO] Calling script TESTSCRIPT. User {'auth_username': 'testuser', 'proxied_username': 'testuser', 'proxied_ip': '127.0.0.1', 'proxied_hostname': 'localhost', 'ip': '192.168.1.10', 'hostname': 'apacheproxy'}
2022-04-08 21:00:55,237 [script_server.execution_service.INFO] Calling script #7: /usr/bin/sh /usr/project/bin/script
2022-04-08 21:00:55,243 [tornado.access.INFO] 200 POST /executions/start (192.168.1.10) 10.12ms
2022-04-08 21:00:55,245 [tornado.access.INFO] 200 GET /fonts/MaterialIcons-Regular.570eb838.woff2 (192.168.1.10) 1.36ms
2022-04-08 21:00:55,260 [tornado.access.INFO] 101 GET /executions/io/7 (192.168.1.10) 2.14ms
2022-04-08 21:00:55,261 [script_server.execution_service.WARNING] Prohibited access to not owned execution #7 (user=(null))
2022-04-08 21:00:55,271 [web_server.INFO] (null) disconnected
2022-04-08 21:00:55,277 [tornado.access.INFO] 200 GET /executions/status/7 (192.168.1.10) 1.13ms
2022-04-08 21:01:04,393 [tornado.access.INFO] 101 GET /scripts/Ansible?initWithValues=false (192.168.1.10) 0.90ms
2022-04-08 21:01:08,195 [web_server.INFO] Calling script Ansible. User {'auth_username': 'testuser', 'proxied_username': 'testuser', 'proxied_ip': '127.0.0.1', 'proxied_hostname': 'localhost', 'ip': '192.168.1.10', 'hostname': 'apacheproxy'}
2022-04-08 21:01:08,197 [script_server.execution_service.INFO] Calling script #8: /bin/ansible-playbook /opt/project/Ansible/Test.yml
2022-04-08 21:01:08,219 [tornado.access.INFO] 200 POST /executions/start (192.168.1.10) 28.15ms
2022-04-08 21:01:08,242 [tornado.access.INFO] 101 GET /executions/io/8 (192.168.1.10) 0.76ms
2022-04-08 21:01:08,244 [script_server.execution_service.WARNING] Prohibited access to not owned execution #8 (user=(null))
2022-04-08 21:01:08,277 [web_server.INFO] (null) disconnected
2022-04-08 21:01:08,300 [tornado.access.INFO] 200 GET /executions/status/8 (192.168.1.10) 5.32ms
############################################################################

It's the same error for basic auth also.

jack99trade commented 2 years ago

Hi @bugy I rearranged my apache config and it is now working, for both basic and Kerberos:
############################
ProxyPass http://192.168.1.10:5000/
ProxyPassReverse http://192.168.1.10:5000/
RequestHeader set Origin http://192.168.1.10:5000/

RewriteEngine On
RewriteCond %{REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [E=R_U:%1]
RequestHeader set X-Forwarded-User %{R_U}e

RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule /(.*) ws:/$1 [P,NE]
#############################
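The log excerpts in the first two posts and the rearranged config share one pattern: the POST that starts the script carries the proxied identity (auth_username is admin or testuser), while the WebSocket attach on /executions/io/<id> arrives as user=(null) and is refused. In Apache's mod_rewrite the [P] flag implies [L], so with the WebSocket rule listed first the upgrade request was proxied before the REMOTE_USER rule ever set R_U, and mod_headers then wrote the literal string (null) into X-Forwarded-User for that request, which is my reading of where the (null) in the warning comes from. The Python below is an added example, not script-server's code and not written by anyone in this thread. It does two things: a small model of the trust decision an application behind a header-authenticating proxy has to make (honour the user header only from the trusted_ips of the conf.json above, and treat an empty value or (null) as "no user" rather than as a user named "(null)"), and a detector that runs over a constructed log sample, modelled on the posted excerpts, pairing each execution with the user who started it and flagging those whose WebSocket attach was refused as (null). TRUSTED_IPS and the header name are taken from the posted conf.json; execution 9 in the sample is a constructed after-fix case, and everything else is an assumption of this example.

```python
"""Added example: model the proxy-header trust decision and detect the
identity loss on WebSocket upgrades from script-server log lines.
Not script-server's own code; see the lead-in for assumptions."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed: taken from the conf.json posted in this thread.
TRUSTED_IPS = ["127.0.0.1", "192.168.1.10"]
USER_HEADER = "X-Forwarded-User"

# Constructed sample, modelled on the excerpts above. Executions 5 and 8
# reproduce the posted failure; execution 9 is a constructed after-fix case
# in which the WebSocket attach is not refused.
SAMPLE_LOG = """\
2022-04-08 12:15:56,845 [web_server.INFO] Calling script TESTSCRIPT. User {'auth_username': 'admin', 'proxied_ip': '127.0.0.1', 'ip': '192.168.1.10'}
2022-04-08 12:15:56,846 [script_server.execution_service.INFO] Calling script #5: /usr/bin/sh /usr/project/bin/TESTSCRIPT
2022-04-08 12:15:56,851 [tornado.access.INFO] 200 POST /executions/start (192.168.1.10) 6.91ms
2022-04-08 12:15:56,879 [tornado.access.INFO] 101 GET /executions/io/5 (192.168.1.10) 1.25ms
2022-04-08 12:15:56,880 [script_server.execution_service.WARNING] Prohibited access to not owned execution #5 (user=(null))
2022-04-08 12:15:56,889 [web_server.INFO] (null) disconnected
2022-04-08 21:01:08,195 [web_server.INFO] Calling script Ansible. User {'auth_username': 'testuser', 'proxied_username': 'testuser', 'ip': '192.168.1.10'}
2022-04-08 21:01:08,197 [script_server.execution_service.INFO] Calling script #8: /bin/ansible-playbook /opt/project/Ansible/Test.yml
2022-04-08 21:01:08,242 [tornado.access.INFO] 101 GET /executions/io/8 (192.168.1.10) 0.76ms
2022-04-08 21:01:08,244 [script_server.execution_service.WARNING] Prohibited access to not owned execution #8 (user=(null))
2022-04-08 21:30:00,000 [web_server.INFO] Calling script TESTSCRIPT. User {'auth_username': 'testuser', 'proxied_username': 'testuser', 'ip': '192.168.1.10'}
2022-04-08 21:30:00,001 [script_server.execution_service.INFO] Calling script #9: /usr/bin/sh /usr/project/bin/TESTSCRIPT
2022-04-08 21:30:00,020 [tornado.access.INFO] 101 GET /executions/io/9 (192.168.1.10) 0.70ms
"""

# Line shapes as they appear in the posted logs.
CALL_USER = re.compile(r"Calling script \S+\. User .*'auth_username': '([^']*)'")
CALL_ID = re.compile(r"Calling script #(\d+):")
IO_ATTACH = re.compile(r"101 GET /executions/io/(\d+) ")
DENIED = re.compile(r"Prohibited access to not owned execution #(\d+) \(user=(.*)\)$")


def resolve_proxied_user(remote_ip: str, headers: Dict[str, str],
                         trusted_ips: Iterable[str] = TRUSTED_IPS,
                         header_name: str = USER_HEADER) -> Optional[str]:
    """Model (not script-server's implementation) of the decision an app
    behind a header-authenticating proxy must make: honour the identity
    header only when the TCP peer is a trusted proxy, and treat an empty
    value or Apache's literal "(null)" (mod_headers' rendering of an unset
    environment variable) as "no authenticated user"."""
    trusted = {ipaddress.ip_address(ip) for ip in trusted_ips}
    if ipaddress.ip_address(remote_ip) not in trusted:
        return None  # a header from an untrusted peer is client-controlled
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(header_name.lower(), "").strip()
    if value in ("", "(null)"):
        return None
    return value


def find_identity_loss(log_text: str) -> Dict[str, list]:
    """Pair each execution id with the user who started it, then report the
    executions whose /executions/io WebSocket attach was refused as (null)
    ("lost") and those that attached without a refusal ("ok")."""
    owners: Dict[int, str] = {}
    attached: set = set()
    lost: List[Tuple[int, str]] = []
    pending_user: Optional[str] = None
    for line in log_text.splitlines():
        m = CALL_USER.search(line)
        if m:                       # "Calling script NAME. User {...}" precedes the id line
            pending_user = m.group(1)
            continue
        m = CALL_ID.search(line)
        if m and pending_user is not None:
            owners[int(m.group(1))] = pending_user
            pending_user = None
            continue
        m = IO_ATTACH.search(line)
        if m:
            attached.add(int(m.group(1)))
            continue
        m = DENIED.search(line)
        if m:
            exec_id, seen_as = int(m.group(1)), m.group(2)
            if exec_id in owners and seen_as in ("", "(null)", "None"):
                lost.append((exec_id, owners[exec_id]))
                attached.discard(exec_id)
    ok = sorted(e for e in attached if e in owners)
    return {"lost": lost, "ok": ok}


if __name__ == "__main__":
    report = find_identity_loss(SAMPLE_LOG)
    for exec_id, owner in report["lost"]:
        print(f"execution #{exec_id}: started by {owner!r}, WebSocket attach arrived as (null)")
    print("attached with identity intact:", report["ok"])
```

Running it against a real script-server log after a proxy change is a quick way to confirm the fix: an empty "lost" list means the identity header is reaching both the HTTP and the WebSocket requests. The resolve function is the defender-side point behind the trusted_ips setting: a user header is only as trustworthy as the peer that sent it, so it must be ignored from anything but the proxy, and a sentinel like (null) must never be accepted as a username.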

bugy commented 2 years ago

Happy to hear that!

jack99trade wrote on Fri., 8 Apr 2022, 18:28:

> Hi @bugy I rearranged my apache config and it is now working, for both basic and Kerberos:
> ############################
> ProxyPass http://192.168.1.10:5000/
> ProxyPassReverse http://192.168.1.10:5000/
> RequestHeader set Origin http://192.168.1.10:5000/
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [E=R_U:%1]
> RequestHeader set X-Forwarded-User %{R_U}e
>
> RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
> RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
> RewriteRule /(.*) ws:/$1 [P,NE]
> #############################
