Open rmetcalf9 opened 6 years ago
Hi @rmetcalf9
I front (and terminate SSL) my Rundeck instances with HAProxy, so your setup should be able to work as well. I don't change the context though as I route requests based on FQDN.
If that doesn't work, can you describe what is occurring? Are you able to get to the login page, but after trying to login it redirects to the wrong URL for example? Also, is there anything in the rundeck logs that might help? Thanks 😄
Hi, Thanks for your help!
To answer your points:
With the setup:
rundeck:
  image: jordan/rundeck:latest
  deploy:
    restart_policy:
      condition: none
  environment:
    - EXTERNAL_SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck/
    - SERVER_URL=http://rundeck:4440
    - RDECK_JVM="-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true -Dserver.https.port=4443"
When my browser goes to:
The address bar changes to:
which fails.
I removed the SERVER_URL line and stopped and restarted the stack. I got exactly the same result - the address bar jumps to http://rundeck:4440/user/login
Next I have retried with the following setup:
rundeck:
  image: jordan/rundeck:latest
  deploy:
    restart_policy:
      condition: none
  environment:
    - EXTERNAL_SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck/
    - RDECK_JVM="-Drundeck.jetty.connector.forwarded=true"
I removed and restarted the stack: I pointed my browser at https://cat-sdts.metcarob-home.com:4443/rundeck/ and I got the same result, the address bar changed to http://rundeck:4440/user/login
I did another test using
and I saw the following in the results:
---request begin---
GET /rundeck/ HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: cat-sdts.metcarob-home.com:4443
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 302 Found
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: JSESSIONID=1omvvajcvumsv19qlg6qez9ixf;Path=/;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://rundeck:4440/user/login
Server: Jetty(9.0.7.v20131107)
X-Kong-Upstream-Latency: 5
X-Kong-Proxy-Latency: 0
Via: kong/0.12.0
---response end---
I think I am getting through to rundeck but I am getting redirected to http://rundeck:4440/user/login which is the wrong url. I need to understand why I am not getting redirected to https://cat-sdts.metcarob-home.com:4443/rundeck/user/login which is what I expect.
After this I re-verified rundeck-config.properties was correct:
# loglevel.default is the default log level for jobs: ERROR,WARN,INFO,VERBOSE,DEBUG
loglevel.default=INFO
rdeck.base=/var/lib/rundeck
# rss.enabled if set to true enables RSS feeds that are public (non-authenticated)
rss.enabled=false
# change hostname here
grails.serverURL=https://cat-sdts.metcarob-home.com:4443/rundeck/
dataSource.url = jdbc:mysql://localhost/rundeckdb?autoReconnect=true
dataSource.username = rundeck
dataSource.password = **
(password changed in above)
I did a final experiment. I restarted a clean stack, went into the container and went to the /var/log/rundeck directory. Before I did any accesses the files were as follows:
root@b9838bed7150:/var/log/rundeck# ls -la
total 12
drwxr-x--x 2 rundeck adm 4096 Jan 20 10:45 .
drwxr-xr-x 1 root root 148 Jan 19 19:34 ..
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.access.log
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.api.log
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.audit.log
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.executions.log
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.jobs.log
-rw-rw-r-- 1 rundeck rundeck 952 Jan 20 10:46 rundeck.log
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.options.log
-rw-rw-r-- 1 rundeck rundeck 0 Jan 20 10:45 rundeck.storage.log
-rw-rw-r-- 1 rundeck rundeck 3013 Jan 20 10:46 service.log
I then went with my browser to https://cat-sdts.metcarob-home.com:4443/rundeck/ and I was redirected to http://rundeck:4440/user/login
I re-checked the log directory and not a single file size had changed. So I have determined that no log entry has occurred. However, I am sure the rundeck container is answering because I am being redirected to /user/login.
I have also used the docker logs command to get the log of the rundeck container and no log entries are made.
I am not sure how to proceed with investigating this issue.
Hi @rmetcalf9
Thanks for all of the attempts and details. This is a really weird problem. The symptoms are all the same, you're able to connect to the Rundeck server through the proxy but Rundeck is redirecting to the wrong URL. The URL is constructed using the grails server URL and yours seems to be set correctly. Do you mind including the rundeck.log and service.log from the last attempt?
Hi, rundeck.log:
2018-01-20 22:10:38,703 [main] INFO grails.app.conf.BootStrap - Starting Rundeck 2.10.4-1 (2018-01-19) ...
2018-01-20 22:10:38,703 [main] INFO grails.app.conf.BootStrap - using rdeck.base config property: /var/lib/rundeck
2018-01-20 22:10:38,718 [main] INFO grails.app.conf.BootStrap - loaded configuration: /etc/rundeck/framework.properties
2018-01-20 22:10:38,779 [main] INFO grails.app.conf.BootStrap - RSS feeds disabled
2018-01-20 22:10:38,780 [main] INFO grails.app.conf.BootStrap - Preauthentication is disabled
2018-01-20 22:10:38,814 [main] INFO grails.app.conf.BootStrap - Rundeck is ACTIVE: executions can be run.
2018-01-20 22:10:38,819 [main] WARN grails.app.conf.BootStrap - The JVM default encoding is not UTF-8: US-ASCII, you may not see output as expected for multibyte locales. Specify -Dfile.encoding=UTF-8 in the JVM options.
2018-01-20 22:10:39,050 [main] INFO grails.app.conf.BootStrap - Rundeck startup finished in 440ms
service.log
WARNING: HTTPS is not enabled, specify -Drundeck.ssl.config=/var/lib/rundeck/server/config/ssl.properties to enable.
2018-01-20 22:10:17.176:INFO:oejs.Server:main: jetty-9.0.7.v20131107
2018-01-20 22:10:19.464:INFO:oejw.StandardDescriptorProcessor:main: NO JSP Support for /, did not find org.apache.jasper.servlet.JspServlet
2018-01-20 22:10:20.453:INFO:/:main: Initializing Spring root WebApplicationContext
2018-01-20 22:10:31,112 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_REPORT_IDX_0 on base_report (ctx_project, date_completed, jc_exec_id, jc_job_id)
2018-01-20 22:10:31,113 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
2018-01-20 22:10:31,117 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_REPORT_IDX_1 on base_report (ctx_project, jc_job_id)
2018-01-20 22:10:31,117 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
2018-01-20 22:10:31,120 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index BASE_REPORT_IDX_2 on base_report (ctx_project, date_completed, date_started)
2018-01-20 22:10:31,120 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_IDX_1 on execution (id, date_completed, project)
2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_IDX_3 on execution (date_completed, project)
2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
2018-01-20 22:10:31,128 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_IDX_2 on execution (date_started, status)
2018-01-20 22:10:31,128 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
INFO BootStrap: Starting Rundeck 2.10.4-1 (2018-01-19) ...
INFO BootStrap: using rdeck.base config property: /var/lib/rundeck
INFO BootStrap: loaded configuration: /etc/rundeck/framework.properties
INFO BootStrap: RSS feeds disabled
INFO BootStrap: Preauthentication is disabled
INFO BootStrap: Rundeck is ACTIVE: executions can be run.
WARN BootStrap: The JVM default encoding is not UTF-8: US-ASCII, you may not see output as expected for multibyte locales. Specify -Dfile.encoding=UTF-8 in the JVM options.
INFO BootStrap: Rundeck startup finished in 440ms
2018-01-20 22:10:39.288:INFO:/:main: Initializing Spring FrameworkServlet 'grails'
2018-01-20 22:10:39.314:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@5981f4a6{/,file:/var/lib/rundeck/exp/webapp/,AVAILABLE}{/var/lib/rundeck/exp/webapp}
2018-01-20 22:10:39.334:INFO:oejs.ServerConnector:main: Started ServerConnector@6447dc25{HTTP/1.1}{0.0.0.0:4440}
Robert
Thanks, @rmetcalf9
The logs look like everything is OK. Is Kong set up to pass the correct forwarding headers like X-Forwarded-For?
Hi, Based on your feedback I have found one problem with my setup. Kong has a configuration value "preserve_host" which I had set to false. I have changed this to true. This changes the symptoms.
Now when I visit https://cat-sdts.metcarob-home.com:4443/rundeck
I am redirected to http://cat-sdts.metcarob-home.com:4443/user/login
So the behaviour has changed but it is still not working. There are two things that are wrong with this redirection:
Robert
I have reconfirmed and the logs are unchanged from before
Hi @rmetcalf9
We're getting there! 😛 Did you add the context parameter back to RDECK_JVM?
-Dserver.web.context=/rundeck
Finally, is Kong setting the X-Forwarded-Proto header?
Hi, I have spent a lot of time reading Kong docs and playing with options. In the end I worked out how I can run tcpdump inside the container which helps a lot as I can see the data Kong is sending to rundeck.
I have done another test, in my compose file I have:
- RDECK_JVM="-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true"
When running I log into a command shell inside the container, install tcpdump and run it with the command
tcpdump -s 0 -A port 4440
again I visit https://cat-sdts.metcarob-home.com:4443/rundeck and am redirected to http://cat-sdts.metcarob-home.com:4443/user/login
and I can see from the output:
...
....a.X.....d.............
........GET /rundeck HTTP/1.1
Host: cat-sdts.metcarob-home.com:4443
Connection: keep-alive
X-Forwarded-For: 10.255.0.2
X-Forwarded-Proto: https
X-Forwarded-Host: cat-sdts.metcarob-home.com
X-Forwarded-Port: 8443
X-Real-IP: 10.255.0.2
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: io=z9npwwPZfO7nyO-8AAAA; JSESSIONID=16uwbj0odio1x1idvlbqodc8is
14:08:41.261811 IP 94ed30fe886a.4440 > webservices_kong.1.upr4zheycecpx5g8ehn4mg9ks.webservices_default.35937: Flags [.], ack 660, win 229, options [nop,nop,TS val 15800529 ecr 15800529], length 0
E..4..@.@.^.
..
....X.a.d...........H.....
........
14:08:41.267296 IP 94ed30fe886a.4440 > webservices_kong.1.upr4zheycecpx5g8ehn4mg9ks.webservices_default.35937: Flags [P.], seq 1:130, ack 660, win 229, options [nop,nop,TS val 15800535 ecr 15800529], length 129
E.....@.@.^r
..
....X.a.d.................
........HTTP/1.1 302 Found
Location: http://cat-sdts.metcarob-home.com:4443/user/login
Content-Length: 0
Server: Jetty(9.0.7.v20131107)
14:08:41.267380 IP webservices_kong.1.upr4zheycecpx5g8ehn4mg9ks.webservices_default.35937 > 94ed30fe886a.4440: Flags [.], ack 130, win 229, options [nop,nop,TS val 15800535 ecr 15800535], length 0
E..4.1@.@.Cq
...
....a.X.....d.......H.....
........
So I have worked out, Kong is setting the X-Forwarded-Proto header, but adding the server.web.context seemed to have no effect.
I am wondering if the RDECK_JVM options are being correctly set.
Hi @rmetcalf9
Do you see -Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true in the output of
ps aux | grep rundeck
If so, that confirms that they are being set correctly.
Let's try one more addition. Can you try setting the SERVER_URL environment variable one more time?
-e SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck
Thanks for your patience and all the debugging information provided 😄
I have updated the compose file as follows
rundeck:
  image: jordan/rundeck:latest
  deploy:
    restart_policy:
      condition: on-failure
  secrets:
    - webservices_hostname
  environment:
    - EXTERNAL_SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck/
    - RDECK_JVM=-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true
    - SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck
I redid the test and I get the same result (redirected to http://cat-sdts.metcarob-home.com:4443/user/login)
Inside the container I have:
root@f9d90f8dbdc2:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 18072 3032 ? Ss 11:13 0:00 /bin/bash /opt/run
root 416 0.1 0.1 49324 20108 ? S 11:14 0:00 /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/rundeck.conf
root 419 0.0 0.0 18264 3204 ? S 11:14 0:00 /bin/bash /opt/supervisor/rundeck
root 420 0.0 0.0 17960 2980 ? S 11:14 0:00 /bin/bash /opt/supervisor/mysql_supervisor
root 437 0.0 0.0 46864 2704 ? S 11:14 0:00 su -s /bin/bash rundeck -c /usr/bin/java -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf -Dloginmodule.name=RDprop
root 456 0.0 0.0 18236 3144 ? S 11:14 0:00 /bin/bash /usr/bin/mysqld_safe
rundeck 482 0.0 0.0 9532 2528 ? Ss 11:14 0:00 bash -c /usr/bin/java -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf -Dloginmodule.name=RDpropertyfilelogin
rundeck 485 40.2 7.2 4628116 761364 ? Sl 11:14 1:03 /usr/bin/java -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf -Dloginmodule.name=RDpropertyfilelogin -Drdeck.config=/etc/rund
mysql 616 0.5 1.3 694484 147796 ? Sl 11:14 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-linux-gnu/mariadb18/plugin --user=mysql --skip-log-error --p
root 617 0.0 0.0 25392 1396 ? S 11:14 0:00 logger -t mysqld -p daemon error
root 863 0.1 0.0 18192 3352 pts/0 Ss 11:16 0:00 /bin/bash
root 871 0.0 0.0 4200 688 ? S 11:16 0:00 sleep 5
root 874 0.0 0.0 4200 688 ? S 11:16 0:00 sleep 5
root 875 0.0 0.0 36636 2944 pts/0 R+ 11:16 0:00 ps aux
It seems I have two processes running under the rundeck user. I think the interesting one is the /usr/bin/java one PID=485.
I have checked its command line:
/usr/bin/java-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf-Dloginmodule.name=RDpropertyfilelogin-Drdeck.config=/etc/rundeck-Drundeck.server.configDir=/etc/rundeck-Dserver.datastore.path=/var/lib/rundeck/data/rundeck-Drundeck.server.serverDir=/var/lib/rundeck-Drdeck.projects=/var/lib/rundeck/projects-Drdeck.runlogs=/var/lib/rundeck/logs-Drundeck.config.location=/etc/rundeck/rundeck-config.properties-Djava.io.tmpdir=/tmp/rundeck-Drundeck.server.workDir=/tmp/rundeck-Dserver.http.port=4440-Xmx1024m-Xms256m-XX:MaxMetaspaceSize=256m-server-cp/var/lib/rundeck/bootstrap/javax.servlet-3.0.0.v201112011016.jar:/var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-http-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-io-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-jaas-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-security-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-server-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-util-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jna-3.2.2.jar:/var/lib/rundeck/bootstrap/libpam4j-1.5.jar:/var/lib/rundeck/bootstrap/log4j-1.2.16.jar:/var/lib/rundeck/bootstrap/not-yet-commons-ssl-0.3.17.jar:/var/lib/rundeck/bootstrap/rundeck-jetty-server-2.10.4.jarcom.dtolabs.rundeck.RunServer/var/lib/rundeck4440
I can't see webcontext in the above output, suggesting that it is not being set.
I thought I would do one more test. I removed RDECK_JVM completely from the docker compose file and removed and restarted the stack.
I repeated the test and I got exactly the same behavior.
Thanks @rmetcalf9
I think I found the issue thanks to all of your detective work! 😄 There was a big update to /etc/rundeck/profile a few releases ago. It looks like RDECK_JVM_SETTINGS is the preferred variable to use now. I'll update the documentation now.
Unfortunately this didn't resolve the issue for me but it has changed the situation slightly.
I now have the following docker compose file:
rundeck:
  image: jordan/rundeck:latest
  deploy:
    restart_policy:
      condition: on-failure
  secrets:
    - webservices_hostname
  environment:
    - EXTERNAL_SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck/
    - RDECK_JVM_SETTINGS=-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true -Dserver.https.port=4443
Now when I visit: https://cat-sdts.metcarob-home.com:4443/rundeck
my browser is forwarded to: https://cat-sdts.metcarob-home.com/rundeck/ (It used to be http://cat-sdts.metcarob-home.com:4443/user/login)
So it's changed a bit. It's getting the https bit right, the host is still correct, the port number is now missing, the context root seems to be right (/rundeck), but /user/login seems to have disappeared.
Firstly I checked the Java environment in the container:
/usr/bin/java-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf-Dloginmodule.name=RDpropertyfilelogin-Drdeck.config=/etc/rundeck-Drundeck.server.configDir=/etc/rundeck-Dserver.datastore.path=/var/lib/rundeck/data/rundeck-Drundeck.server.serverDir=/var/lib/rundeck-Drdeck.projects=/var/lib/rundeck/projects-Drdeck.runlogs=/var/lib/rundeck/logs-Drundeck.config.location=/etc/rundeck/rundeck-config.properties-Djava.io.tmpdir=/tmp/rundeck-Drundeck.server.workDir=/tmp/rundeck-Dserver.http.port=4440-Dserver.web.context=/rundeck-Drundeck.jetty.connector.forwarded=true-Dserver.https.port=4443-cp/var/lib/rundeck/bootstrap/javax.servlet-3.0.0.v201112011016.jar:/var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-http-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-io-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-jaas-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-security-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-server-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-util-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jna-3.2.2.jar:/var/lib/rundeck/bootstrap/libpam4j-1.5.jar:/var/lib/rundeck/bootstrap/log4j-1.2.16.jar:/var/lib/rundeck/bootstrap/not-yet-commons-ssl-0.3.17.jar:/var/lib/rundeck/bootstrap/rundeck-jetty-server-2.10.4.jarcom.dtolabs.rundeck.RunServer/var/lib/rundeck4440
So it looks like all the settings are being set successfully. Next I tried the tcpdump to see if anything changed there:
GET /rundeck HTTP/1.1
Host: cat-sdts.metcarob-home.com:4443
Connection: keep-alive
X-Forwarded-For: 10.255.0.2
X-Forwarded-Proto: https
X-Forwarded-Host: cat-sdts.metcarob-home.com
X-Forwarded-Port: 8443
X-Real-IP: 10.255.0.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: io=ZGdexe3hVflPBuoyAAAA
09:15:39.625641 IP a6d1ec8aedab.4440 > 48a880a29b3e.webservices_default.41481: Flags [.], ack 582, win 228, options [nop,nop,TS val 2087394 ecr 2087394], length 0
E..4..@.@...
...
....X. ..HJ9@.......M.....
........
09:15:39.630200 IP a6d1ec8aedab.4440 > 48a880a29b3e.webservices_default.41481: Flags [P.], seq 1:124, ack 582, win 228, options [nop,nop,TS val 2087398 ecr 2087394], length 123
E.....@.@..y
...
....X. ..HJ9@.............
........HTTP/1.1 302 Found
Location: https://cat-sdts.metcarob-home.com/rundeck/
Content-Length: 0
Server: Jetty(9.0.7.v20131107)
09:15:39.630335 IP 48a880a29b3e.webservices_default.41481 > a6d1ec8aedab.4440: Flags [.], ack 124, win 221, options [nop,nop,TS val 2087399 ecr 2087398], length 0
E..4 .@.@...
So the problem is still the fact that the first forward is wrong.
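An added example, not part of the original thread or of the jordan/rundeck project: a small Python check that compares each 302 `Location` reported above, and the `X-Forwarded-*` headers from the tcpdump capture, against the intended external URL. The function names are illustrative, the sample values are copied from the captures in this thread, and the script only compares values; it does not model how Jetty or Rundeck build the redirect.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

# External URL the reporter wants (EXTERNAL_SERVER_URL in the thread).
EXTERNAL_URL = "https://cat-sdts.metcarob-home.com:4443/rundeck/"

# Request header lines as they appear in the thread's tcpdump -A capture.
CAPTURED_REQUEST = """\
GET /rundeck HTTP/1.1
Host: cat-sdts.metcarob-home.com:4443
X-Forwarded-For: 10.255.0.2
X-Forwarded-Proto: https
X-Forwarded-Host: cat-sdts.metcarob-home.com
X-Forwarded-Port: 8443
"""

# The three Location values reported at different stages of the thread.
OBSERVED_LOCATIONS = [
    "http://rundeck:4440/user/login",
    "http://cat-sdts.metcarob-home.com:4443/user/login",
    "https://cat-sdts.metcarob-home.com/rundeck/",
]


def effective_port(parts):
    """Explicit port, or the scheme's default when the URL omits it."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        match = HEADER_RE.match(line.strip())
        if match:
            headers[match.group(1).lower()] = match.group(2).strip()
    return headers


def diagnose_redirect(external_url, location):
    """List which URL components of a redirect differ from the external URL."""
    want, got = urlsplit(external_url), urlsplit(location)
    problems = []
    if got.scheme != want.scheme:
        problems.append("scheme")  # http:// here means leaving TLS
    if got.hostname != want.hostname:
        problems.append("host")
    if effective_port(got) != effective_port(want):
        problems.append("port")
    context = want.path.rstrip("/")
    if context and got.path != context and not got.path.startswith(context + "/"):
        problems.append("context")
    return problems


def check_forwarded(external_url, headers):
    """Return (header, sent, implied) for forwarded headers that disagree."""
    want = urlsplit(external_url)
    port = effective_port(want)
    is_default = port == DEFAULT_PORTS.get(want.scheme)
    host = want.hostname if is_default else f"{want.hostname}:{port}"
    implied = {"x-forwarded-proto": want.scheme,
               "x-forwarded-host": host,
               "x-forwarded-port": str(port)}
    return [(name, headers.get(name), value) for name, value in implied.items()
            if (headers.get(name) or "").lower() != value]


if __name__ == "__main__":
    for loc in OBSERVED_LOCATIONS:
        print(loc, "->", diagnose_redirect(EXTERNAL_URL, loc) or "ok")
    for name, sent, value in check_forwarded(EXTERNAL_URL, parse_headers(CAPTURED_REQUEST)):
        print(f"{name}: proxy sent {sent!r}, external URL implies {value!r}")
```

On the thread's data, the last redirect differs from the external URL only in its port, and the capture shows `X-Forwarded-Host` without a port and `X-Forwarded-Port: 8443` rather than 4443.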
Hi @rmetcalf9
I'm fresh out of ideas 😞 I've gone through http://rundeck.org/docs/administration/configuring-ssl.html#using-an-ssl-terminated-proxy and the open/closed issues for the Rundeck repo itself ( https://github.com/rundeck/rundeck ) and can't find anything that might help. It's probably something small we're missing out on. Do you mind opening an issue with the main Rundeck repo to see if they might be able to help? Make sure to link to this one so we can keep track of things. Really appreciate it and I hope to get you sorted soon 😄
Thanks I have read through http://rundeck.org/docs/administration/installation.html and I have verified all the suggested settings. I will log an issue over there.
Got it running behind HAProxy and with nginx-proxy (SSL termination is done via Let's Encrypt on HAProxy level, rundeck runs also with SSL 4443):
env:
  # this is for nginx-proxy
  VIRTUAL_HOST: "rundeck.foo.org"
  VIRTUAL_PORT: 4443
  VIRTUAL_PROTO: "https"
  # this is for rundeck
  EXTERNAL_SERVER_URL: "https://rundeck.foo.org"
  RDECK_JVM_SETTINGS: "-Drundeck.jetty.connector.forwarded=true -Dserver.https.port=4443"
maybe this info helps.
Thanks for the info. It seems like you are running it from the base path rather than from a context. E.g. your External url is https://rundeck.foo.org but mine is https://serverwithotherstuddoneif.com/rundeck. I think that might be the source of my problems.
@rmetcalf9 @jjethwa I was trying to run the container behind a reverse proxy with context (http://myserver/rundeck) when I found this thread. Everything worked fine with the following configuration:
docker run -p 4440:4440 \
-e "EXTERNAL_SERVER_URL=http://myserver/rundeck" \
-e RDECK_JVM_SETTINGS="-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true" \
--name rundeck \
-t jordan/rundeck:latest
My nginx config: (no proxy header needed)
location /rundeck/ {
proxy_pass http://docker_host:4440/rundeck/;
}
That's awesome, @laubstein Thanks so much! 😄
I am trying to deploy this Rundeck container as part of a docker stack deployment. I am using Kong as a front-end reverse proxy for all the various parts of the stack. Kong has my certificates installed so is terminating all my SSL traffic and making non-SSL calls to APIs inside the docker network. The entire system has a single host and port so Kong will direct traffic depending on the start of the path.
So all Rundeck calls will have the following url:
But Kong needs to forward the traffic to the docker service, which I have configured according to defaults:
I am not using SSL on rundeck.
I would like to use the docker image out of the box and pass it parameters to achieve this rather than build my own derived version.
I have not been able to get this working. I have been trying to look through the source of the docker. The relevant part of my docker compose file is:
This setup isn't working and I am struggling to debug it. What I need is a clear statement of the requirements for running Rundeck in this configuration - if it is possible.
It might be a good idea to add a documentation page in this Docker repository's GitHub which describes different configuration scenarios that the container will run in and gives the matching docker run commands.