jjethwa / rundeck

GNU General Public License v3.0

Using behind a SSL terminating reverse proxy in a different context root #101

Open rmetcalf9 opened 6 years ago

rmetcalf9 commented 6 years ago

I am trying to deploy this Rundeck container as part of a docker stack deployment. I am using Kong as a front-end reverse proxy for all the various parts of the stack. Kong has my certificates installed so is terminating all my SSL traffic and making non-SSL calls to APIs inside the docker network. The entire system has a single host and port so Kong will direct traffic depending on the start of the path.

So all Rundeck calls will have the following url:

https://myserver:4455/rundeck

But Kong needs to forward the traffic to the docker service, which I have configured according to defaults:

http://rundeck:4440

I am not using SSL on rundeck.

I would like to use the docker image out of the box and pass it parameters to achieve this rather than build my own derived version.

I have not been able to get this working. I have been trying to look through the source of the docker. The relevant part of my docker compose file is:

    rundeck:
      image: jordan/rundeck:latest
      deploy:
        restart_policy:
          condition: none
      environment:
        - EXTERNAL_SERVER_URL=https://myserver:4455/rundeck/
        - SERVER_URL=http://rundeck:4440
        - RDECK_JVM="-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true -Dserver.https.port=4455"

    kong-addapis-rundeck:
      image: byrnedo/alpine-curl
      deploy:
        restart_policy:
          condition: on-failure
          delay: 6s
      command: "-i -X POST \
        --url http://kong:8001/apis/ \
        --data 'name=rundeck' \
        --data 'uris=/rundeck' \
        --data 'upstream_url=http://rundeck:4440' \
        --data 'https_only=true' "

I have left my Kong configuration setup in as well which sets up the API.

This setup isn't working and I am struggling to debug it. What I need is a clear statement of the requirements for running Rundeck in this configuration - if it is possible.

It might be a good idea to add a documentation page in this docker repository's GitHub which describes different configuration scenarios that the container will run in and gives the matching docker run commands.

jjethwa commented 6 years ago

Hi @rmetcalf9

I front (and terminate SSL) my Rundeck instances with HAProxy, so your setup should be able to work as well. I don't change the context though as I route requests based on FQDN.

  1. Do you need to import an intermediate cert to the cacerts being used by Rundeck? Default location is /etc/rundeck/ssl/cacerts along with the config /etc/rundeck/ssl/ssl.properties
  2. I don't think you need to set SERVER_URL
  3. Can you verify the value of grails.serverURL in /etc/rundeck/rundeck-config.properties ? It should be the frontend URL: https://myserver:4455/rundeck
  4. I believe you should only need to set -Drundeck.jetty.connector.forwarded=true

If that doesn't work, can you describe what is occurring? Are you able to get to the login page, but after trying to login it redirects to the wrong URL for example? Also, is there anything in the rundeck logs that might help? Thanks 😄

rmetcalf9 commented 6 years ago

Hi, Thanks for your help!

To answer your points:

  1. Rundeck isn't doing any SSL and Kong is making a non-SSL connection so I should not be having any SSL issues
  2. I have experimented without setting the SERVER_URL (I have put results below)
  3. I have checked inside the running container and confirmed rundeck-config.properties has the correct value (grails.serverURL=https://cat-sdts.metcarob-home.com:4443/rundeck/)
  4. In my last experiment (see below) I have tried the suggested setup and described the result

With the setup:

    rundeck:
      image: jordan/rundeck:latest
      deploy:
        restart_policy:
          condition: none
      environment:

When my browser goes to:

https://cat-sdts.metcarob-home.com:4443/rundeck/

The address bar changes to:

http://rundeck:4440/user/login

which fails.

I removed the SERVER_URL line and stopped and restarted the stack. I got exactly the same result - the address bar jumps to http://rundeck:4440/user/login

Next I have retried with the following setup:

    rundeck:
      image: jordan/rundeck:latest
      deploy:
        restart_policy:
          condition: none
      environment:

I removed and restarted the stack: I pointed my browser at https://cat-sdts.metcarob-home.com:4443/rundeck/ and I got the same result, the address bar changed to http://rundeck:4440/user/login

I did another test using

wget -d https://cat-sdts.metcarob-home.com:4443/rundeck/

and I saw the following in the results:

    ---request begin---
    GET /rundeck/ HTTP/1.1
    User-Agent: Wget/1.17.1 (linux-gnu)
    Accept: */*
    Accept-Encoding: identity
    Host: cat-sdts.metcarob-home.com:4443
    Connection: Keep-Alive

    ---request end---
    HTTP request sent, awaiting response...
    ---response begin---
    HTTP/1.1 302 Found
    Content-Type: text/plain
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: JSESSIONID=1omvvajcvumsv19qlg6qez9ixf;Path=/;HttpOnly
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: http://rundeck:4440/user/login
    Server: Jetty(9.0.7.v20131107)
    X-Kong-Upstream-Latency: 5
    X-Kong-Proxy-Latency: 0
    Via: kong/0.12.0

    ---response end---

I think I am getting through to rundeck but I am getting redirected to http://rundeck:4440/user/login which is the wrong url. I need to understand why I am not getting redirected to https://cat-sdts.metcarob-home.com:4443/rundeck/user/login which is what I expect.

After this I re verified rundeck-config.properties was correct:

    # loglevel.default is the default log level for jobs: ERROR,WARN,INFO,VERBOSE,DEBUG
    loglevel.default=INFO
    rdeck.base=/var/lib/rundeck

    # rss.enabled if set to true enables RSS feeds that are public (non-authenticated)
    rss.enabled=false

    # change hostname here
    grails.serverURL=https://cat-sdts.metcarob-home.com:4443/rundeck/

    dataSource.url = jdbc:mysql://localhost/rundeckdb?autoReconnect=true
    dataSource.username = rundeck
    dataSource.password = **

(password changed in above)

I did a final experiment. I restarted a clean stack I went into the container and went to the /var/log/rundeck directory. Before I did any accesses the files were as follows:

    root@b9838bed7150:/var/log/rundeck# ls -la
    total 12
    drwxr-x--x 2 rundeck adm     4096 Jan 20 10:45 .
    drwxr-xr-x 1 root    root     148 Jan 19 19:34 ..
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.access.log
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.api.log
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.audit.log
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.executions.log
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.jobs.log
    -rw-rw-r-- 1 rundeck rundeck  952 Jan 20 10:46 rundeck.log
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.options.log
    -rw-rw-r-- 1 rundeck rundeck    0 Jan 20 10:45 rundeck.storage.log
    -rw-rw-r-- 1 rundeck rundeck 3013 Jan 20 10:46 service.log

I then went with my browser to https://cat-sdts.metcarob-home.com:4443/rundeck/ and I was redirected to http://rundeck:4440/user/login

I re-checked the log directory and not a single file size had changed. So I have determined that no log entry has occurred. However, I am sure the rundeck container is answering because I am being redirected to /user/login.

I have also used the docker logs command to get the log of the rundeck container and no log entries are made.

I am not sure how to proceed with investigating this issue.

jjethwa commented 6 years ago

Hi @rmetcalf9

Thanks for all of the attempts and details. This is a really weird problem. The symptoms are all the same, you're able to connect to the Rundeck server through the proxy but Rundeck is redirecting to the wrong URL. The URL is constructed using the grails server URL and yours seems to be set correctly. Do you mind including the rundeck.log and service.log from the last attempt?

rmetcalf9 commented 6 years ago

Hi, rundeck.log:

    2018-01-20 22:10:38,703 [main] INFO grails.app.conf.BootStrap - Starting Rundeck 2.10.4-1 (2018-01-19) ...
    2018-01-20 22:10:38,703 [main] INFO grails.app.conf.BootStrap - using rdeck.base config property: /var/lib/rundeck
    2018-01-20 22:10:38,718 [main] INFO grails.app.conf.BootStrap - loaded configuration: /etc/rundeck/framework.properties
    2018-01-20 22:10:38,779 [main] INFO grails.app.conf.BootStrap - RSS feeds disabled
    2018-01-20 22:10:38,780 [main] INFO grails.app.conf.BootStrap - Preauthentication is disabled
    2018-01-20 22:10:38,814 [main] INFO grails.app.conf.BootStrap - Rundeck is ACTIVE: executions can be run.
    2018-01-20 22:10:38,819 [main] WARN grails.app.conf.BootStrap - The JVM default encoding is not UTF-8: US-ASCII, you may not see output as expected for multibyte locales. Specify -Dfile.encoding=UTF-8 in the JVM options.
    2018-01-20 22:10:39,050 [main] INFO grails.app.conf.BootStrap - Rundeck startup finished in 440ms

service.log

    WARNING: HTTPS is not enabled, specify -Drundeck.ssl.config=/var/lib/rundeck/server/config/ssl.properties to enable.
    2018-01-20 22:10:17.176:INFO:oejs.Server:main: jetty-9.0.7.v20131107
    2018-01-20 22:10:19.464:INFO:oejw.StandardDescriptorProcessor:main: NO JSP Support for /, did not find org.apache.jasper.servlet.JspServlet
    2018-01-20 22:10:20.453:INFO:/:main: Initializing Spring root WebApplicationContext
    2018-01-20 22:10:31,112 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_REPORT_IDX_0 on base_report (ctx_project, date_completed, jc_exec_id, jc_job_id)
    2018-01-20 22:10:31,113 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
    2018-01-20 22:10:31,117 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_REPORT_IDX_1 on base_report (ctx_project, jc_job_id)
    2018-01-20 22:10:31,117 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
    2018-01-20 22:10:31,120 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index BASE_REPORT_IDX_2 on base_report (ctx_project, date_completed, date_started)
    2018-01-20 22:10:31,120 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
    2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_IDX_1 on execution (id, date_completed, project)
    2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
    2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_IDX_3 on execution (date_completed, project)
    2018-01-20 22:10:31,121 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
    2018-01-20 22:10:31,128 [main] ERROR hbm2ddl.SchemaUpdate - HHH000388: Unsuccessful: create index EXEC_IDX_2 on execution (date_started, status)
    2018-01-20 22:10:31,128 [main] ERROR hbm2ddl.SchemaUpdate - Specified key was too long; max key length is 767 bytes
    INFO BootStrap: Starting Rundeck 2.10.4-1 (2018-01-19) ...
    INFO BootStrap: using rdeck.base config property: /var/lib/rundeck
    INFO BootStrap: loaded configuration: /etc/rundeck/framework.properties
    INFO BootStrap: RSS feeds disabled
    INFO BootStrap: Preauthentication is disabled
    INFO BootStrap: Rundeck is ACTIVE: executions can be run.
    WARN BootStrap: The JVM default encoding is not UTF-8: US-ASCII, you may not see output as expected for multibyte locales. Specify -Dfile.encoding=UTF-8 in the JVM options.
    INFO BootStrap: Rundeck startup finished in 440ms
    2018-01-20 22:10:39.288:INFO:/:main: Initializing Spring FrameworkServlet 'grails'
    2018-01-20 22:10:39.314:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@5981f4a6{/,file:/var/lib/rundeck/exp/webapp/,AVAILABLE}{/var/lib/rundeck/exp/webapp}
    2018-01-20 22:10:39.334:INFO:oejs.ServerConnector:main: Started ServerConnector@6447dc25{HTTP/1.1}{0.0.0.0:4440}

Robert

jjethwa commented 6 years ago

Thanks, @rmetcalf9

The logs look like everything is OK. Is Kong set up to pass the correct forwarding headers like X-Forwarded-For?

rmetcalf9 commented 6 years ago

Hi, Based on your feedback I have found one problem with my setup. Kong has a configuration value "preserve_host" which I had set to false. I have changed this to true. This changes the symptoms.

Now when I visit https://cat-sdts.metcarob-home.com:4443/rundeck

I am redirected to http://cat-sdts.metcarob-home.com:4443/user/login

So the behaviour has changed but it is still not working. There are two things that are wrong with this redirection:

  1. It should direct to https not http
  2. It should be rundeck/user/login not user/login

Robert

rmetcalf9 commented 6 years ago

I have reconfirmed and the logs are unchanged from before

jjethwa commented 6 years ago

Hi @rmetcalf9

We're getting there! 😛 Did you add the context parameter back to RDECK_JVM?

-Dserver.web.context=/rundeck

Finally, is Kong setting the X-Forwarded-Proto header?

rmetcalf9 commented 6 years ago

Hi, I have spent a lot of time reading Kong docs and playing with options. In the end I worked out how I can run tcpdump inside the container which helps a lot as I can see the data Kong is sending to rundeck.

I have done another test; in my compose file I have:

    - RDECK_JVM="-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true"

When running I log into a command shell inside the container, install tcpdump and run it with the command tcpdump -s 0 -A port 4440

again I visit https://cat-sdts.metcarob-home.com:4443/rundeck and am redirected to http://cat-sdts.metcarob-home.com:4443/user/login

and I can see from the output:

...
....a.X.....d.............
........GET /rundeck HTTP/1.1
Host: cat-sdts.metcarob-home.com:4443
Connection: keep-alive
X-Forwarded-For: 10.255.0.2
X-Forwarded-Proto: https
X-Forwarded-Host: cat-sdts.metcarob-home.com
X-Forwarded-Port: 8443
X-Real-IP: 10.255.0.2
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: io=z9npwwPZfO7nyO-8AAAA; JSESSIONID=16uwbj0odio1x1idvlbqodc8is

14:08:41.261811 IP 94ed30fe886a.4440 > webservices_kong.1.upr4zheycecpx5g8ehn4mg9ks.webservices_default.35937: Flags [.], ack 660, win 229, options [nop,nop,TS val 15800529 ecr 15800529], length 0
E..4..@.@.^.
..
....X.a.d...........H.....
........
14:08:41.267296 IP 94ed30fe886a.4440 > webservices_kong.1.upr4zheycecpx5g8ehn4mg9ks.webservices_default.35937: Flags [P.], seq 1:130, ack 660, win 229, options [nop,nop,TS val 15800535 ecr 15800529], length 129
E.....@.@.^r
..
....X.a.d.................
........HTTP/1.1 302 Found
Location: http://cat-sdts.metcarob-home.com:4443/user/login
Content-Length: 0
Server: Jetty(9.0.7.v20131107)

14:08:41.267380 IP webservices_kong.1.upr4zheycecpx5g8ehn4mg9ks.webservices_default.35937 > 94ed30fe886a.4440: Flags [.], ack 130, win 229, options [nop,nop,TS val 15800535 ecr 15800535], length 0
E..4.1@.@.Cq
...
....a.X.....d.......H.....
........

So I have worked out, Kong is setting the X-Forwarded-Proto header, but adding the server.web.context seemed to have no effect.

I am wondering if the RDECK_JVM options are being correctly set.

jjethwa commented 6 years ago

Hi @rmetcalf9

Do you see -Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true in the output of

 ps aux | grep rundeck

If so, that confirms that they are being set correctly.

Let's try one more addition. Can you try setting the SERVER_URL environment variable one more time?

-e SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck

Thanks for your patience and all the debugging information provided 😄

rmetcalf9 commented 6 years ago

I have updated the compose file as follows

  rundeck:
    image: jordan/rundeck:latest
    deploy:
      restart_policy:
        condition: on-failure
    secrets:
      - webservices_hostname
    environment:
      - EXTERNAL_SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck/
      - RDECK_JVM=-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true
      - SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck

I redid the test and I get the same result (redirected to http://cat-sdts.metcarob-home.com:4443/user/login)

Inside the container I have:

root@f9d90f8dbdc2:/# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  18072  3032 ?        Ss   11:13   0:00 /bin/bash /opt/run
root       416  0.1  0.1  49324 20108 ?        S    11:14   0:00 /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/rundeck.conf
root       419  0.0  0.0  18264  3204 ?        S    11:14   0:00 /bin/bash /opt/supervisor/rundeck
root       420  0.0  0.0  17960  2980 ?        S    11:14   0:00 /bin/bash /opt/supervisor/mysql_supervisor
root       437  0.0  0.0  46864  2704 ?        S    11:14   0:00 su -s /bin/bash rundeck -c /usr/bin/java -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf            -Dloginmodule.name=RDprop
root       456  0.0  0.0  18236  3144 ?        S    11:14   0:00 /bin/bash /usr/bin/mysqld_safe
rundeck    482  0.0  0.0   9532  2528 ?        Ss   11:14   0:00 bash -c /usr/bin/java -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf            -Dloginmodule.name=RDpropertyfilelogin
rundeck    485 40.2  7.2 4628116 761364 ?      Sl   11:14   1:03 /usr/bin/java -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf -Dloginmodule.name=RDpropertyfilelogin -Drdeck.config=/etc/rund
mysql      616  0.5  1.3 694484 147796 ?       Sl   11:14   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-linux-gnu/mariadb18/plugin --user=mysql --skip-log-error --p
root       617  0.0  0.0  25392  1396 ?        S    11:14   0:00 logger -t mysqld -p daemon error
root       863  0.1  0.0  18192  3352 pts/0    Ss   11:16   0:00 /bin/bash
root       871  0.0  0.0   4200   688 ?        S    11:16   0:00 sleep 5
root       874  0.0  0.0   4200   688 ?        S    11:16   0:00 sleep 5
root       875  0.0  0.0  36636  2944 pts/0    R+   11:16   0:00 ps aux

It seems I have two processes running under the rundeck user. I think the interesting one is the /usr/bin/java one PID=485.

I have checked it's command line:

    /usr/bin/java \
      -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf \
      -Dloginmodule.name=RDpropertyfilelogin \
      -Drdeck.config=/etc/rundeck \
      -Drundeck.server.configDir=/etc/rundeck \
      -Dserver.datastore.path=/var/lib/rundeck/data/rundeck \
      -Drundeck.server.serverDir=/var/lib/rundeck \
      -Drdeck.projects=/var/lib/rundeck/projects \
      -Drdeck.runlogs=/var/lib/rundeck/logs \
      -Drundeck.config.location=/etc/rundeck/rundeck-config.properties \
      -Djava.io.tmpdir=/tmp/rundeck \
      -Drundeck.server.workDir=/tmp/rundeck \
      -Dserver.http.port=4440 \
      -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server \
      -cp /var/lib/rundeck/bootstrap/javax.servlet-3.0.0.v201112011016.jar:/var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-http-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-io-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-jaas-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-security-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-server-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-util-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jna-3.2.2.jar:/var/lib/rundeck/bootstrap/libpam4j-1.5.jar:/var/lib/rundeck/bootstrap/log4j-1.2.16.jar:/var/lib/rundeck/bootstrap/not-yet-commons-ssl-0.3.17.jar:/var/lib/rundeck/bootstrap/rundeck-jetty-server-2.10.4.jar \
      com.dtolabs.rundeck.RunServer /var/lib/rundeck 4440

I can't see webcontext in the above output, suggesting that it is not being set.

I thought I would do one more test. I removed RDECK_JVM completely from the docker compose file and removed and restarted the stack.

I repeated the test and I got exactly the same behavior.

jjethwa commented 6 years ago

Thanks @rmetcalf9

I think I found the issue thanks to all of your detective work! 😄 There was a big update to /etc/rundeck/profile a few releases ago. It looks like RDECK_JVM_SETTINGS is the preferred variable to use now. I'll update the documentation now.

rmetcalf9 commented 6 years ago

Unfortunately this didn't resolve the issue for me but it has changed the situation slightly.

I now have the following docker compose file:

  rundeck:
    image: jordan/rundeck:latest
    deploy:
      restart_policy:
        condition: on-failure
    secrets:
      - webservices_hostname
    environment:
      - EXTERNAL_SERVER_URL=https://cat-sdts.metcarob-home.com:4443/rundeck/
      - RDECK_JVM_SETTINGS=-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true -Dserver.https.port=4443

Now when I visit: https://cat-sdts.metcarob-home.com:4443/rundeck

my browser is forwarded to: https://cat-sdts.metcarob-home.com/rundeck/ (It used to be http://cat-sdts.metcarob-home.com:4443/user/login)

so it's changed a bit. It's getting the https bit right, the host is still correct, the port number is now missing, the context root seems to be right (/rundeck), but /user/login seems to have disappeared.

Firstly I checked the Java environment in the container:

    /usr/bin/java \
      -Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf \
      -Dloginmodule.name=RDpropertyfilelogin \
      -Drdeck.config=/etc/rundeck \
      -Drundeck.server.configDir=/etc/rundeck \
      -Dserver.datastore.path=/var/lib/rundeck/data/rundeck \
      -Drundeck.server.serverDir=/var/lib/rundeck \
      -Drdeck.projects=/var/lib/rundeck/projects \
      -Drdeck.runlogs=/var/lib/rundeck/logs \
      -Drundeck.config.location=/etc/rundeck/rundeck-config.properties \
      -Djava.io.tmpdir=/tmp/rundeck \
      -Drundeck.server.workDir=/tmp/rundeck \
      -Dserver.http.port=4440 \
      -Dserver.web.context=/rundeck \
      -Drundeck.jetty.connector.forwarded=true \
      -Dserver.https.port=4443 \
      -cp /var/lib/rundeck/bootstrap/javax.servlet-3.0.0.v201112011016.jar:/var/lib/rundeck/bootstrap/jetty-all-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-http-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-io-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-jaas-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-security-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-server-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jetty-util-9.0.7.v20131107.jar:/var/lib/rundeck/bootstrap/jna-3.2.2.jar:/var/lib/rundeck/bootstrap/libpam4j-1.5.jar:/var/lib/rundeck/bootstrap/log4j-1.2.16.jar:/var/lib/rundeck/bootstrap/not-yet-commons-ssl-0.3.17.jar:/var/lib/rundeck/bootstrap/rundeck-jetty-server-2.10.4.jar \
      com.dtolabs.rundeck.RunServer /var/lib/rundeck 4440

so it looks like all the settings are being set successfully. Next I tried the tcpdump to see if anything changed there:

GET /rundeck HTTP/1.1
Host: cat-sdts.metcarob-home.com:4443
Connection: keep-alive
X-Forwarded-For: 10.255.0.2
X-Forwarded-Proto: https
X-Forwarded-Host: cat-sdts.metcarob-home.com
X-Forwarded-Port: 8443
X-Real-IP: 10.255.0.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: io=ZGdexe3hVflPBuoyAAAA

09:15:39.625641 IP a6d1ec8aedab.4440 > 48a880a29b3e.webservices_default.41481: Flags [.], ack 582, win 228, options [nop,nop,TS val 2087394 ecr 2087394], length 0
E..4..@.@...
...
....X.  ..HJ9@.......M.....
........
09:15:39.630200 IP a6d1ec8aedab.4440 > 48a880a29b3e.webservices_default.41481: Flags [P.], seq 1:124, ack 582, win 228, options [nop,nop,TS val 2087398 ecr 2087394], length 123
E.....@.@..y
...
....X.  ..HJ9@.............
........HTTP/1.1 302 Found
Location: https://cat-sdts.metcarob-home.com/rundeck/
Content-Length: 0
Server: Jetty(9.0.7.v20131107)

09:15:39.630335 IP 48a880a29b3e.webservices_default.41481 > a6d1ec8aedab.4440: Flags [.], ack 124, win 221, options [nop,nop,TS val 2087399 ecr 2087398], length 0
E..4    .@.@...

So the problem is still the fact that the first forward is wrong.

jjethwa commented 6 years ago

Hi @rmetcalf9

I'm fresh out of ideas 😞 I've gone through http://rundeck.org/docs/administration/configuring-ssl.html#using-an-ssl-terminated-proxy and the open/closed issues for the Rundeck repo itself ( https://github.com/rundeck/rundeck ) and can't find anything that might help. It's probably something small we're missing out on. Do you mind opening an issue with the main Rundeck repo to see if they might be able to help? Make sure to link to this one so we can keep track of things. Really appreciate it and I hope to get you sorted soon 😄

rmetcalf9 commented 6 years ago

Thanks I have read through http://rundeck.org/docs/administration/installation.html and I have verified all the suggested settings. I will log an issue over there.

ivomarino commented 6 years ago

Got it running behind HAProxy and with nginx-proxy (SSL termination is done via Let's Encrypt at HAProxy level; rundeck also runs with SSL on 4443):

env:
        # this is for nginx-proxy
        VIRTUAL_HOST: "rundeck.foo.org"
        VIRTUAL_PORT: 4443
        VIRTUAL_PROTO: "https"
        # this is for rundeck
        EXTERNAL_SERVER_URL: "https://rundeck.foo.org"
        RDECK_JVM_SETTINGS: "-Drundeck.jetty.connector.forwarded=true -Dserver.https.port=4443"

maybe this info helps.

rmetcalf9 commented 6 years ago

Thanks for the info. It seems like you are running it from the base path rather than from a context. E.g. your external URL is https://rundeck.foo.org but mine is https://serverwithotherstuddoneif.com/rundeck. I think that might be the source of my problems.

laubstein commented 5 years ago

@rmetcalf9 @jjethwa I was trying to run the container behind a reverse proxy with context (http://myserver/rundeck) when I found this thread. Everything worked fine with the following configuration:

docker run -p 4440:4440 \
           -e "EXTERNAL_SERVER_URL=http://myserver/rundeck" \
           -e RDECK_JVM_SETTINGS="-Dserver.web.context=/rundeck -Drundeck.jetty.connector.forwarded=true" \
           --name rundeck \
           -t jordan/rundeck:latest

My nginx config: (no proxy header needed)

    location /rundeck/ {
         proxy_pass http://docker_host:4440/rundeck/;
    }
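The redirects in this thread each got a different part of the public URL wrong (backend hostname, plain http, dropped port, missing context root). As an added example, not code from this issue or from the Rundeck image, here is a small checker that classifies a 302 Location header against the intended external URL; the hints mapping each wrong component to a setting are this example's own assumptions drawn from the discussion above.

```python
# Added example for this thread, not code from the jordan/rundeck image or from
# Rundeck. It classifies a 302 Location header from a proxied Rundeck against the
# URL the public deployment should produce, naming the component that is wrong.
from urllib.parse import urlsplit

# Public base URL the proxy exposes (what EXTERNAL_SERVER_URL / grails.serverURL hold).
EXTERNAL_URL = "https://cat-sdts.metcarob-home.com:4443/rundeck"
# Where an unauthenticated request to the context root should be sent.
EXPECTED_PATH = "/rundeck/user/login"

# Assumed mapping from a wrong URL component to the setting discussed in the thread.
HINTS = {
    "scheme": "cleartext redirect: proxy must send X-Forwarded-Proto and Rundeck "
              "must run with -Drundeck.jetty.connector.forwarded=true",
    "host": "internal service name leaked: proxy rewrites Host (Kong preserve_host=false)",
    "port": "public port lost: X-Forwarded-Port/Host from the proxy differ from "
            "the port clients use",
    "path": "context root wrong: check -Dserver.web.context and the proxy path mapping",
}


def effective_port(parts):
    """Explicit port if present, otherwise the scheme default."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def location_from_response(raw):
    """Return the Location header of a raw 3xx HTTP response, else None.
    Works on text like the wget -d and tcpdump -A captures in the thread."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = head[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def check_redirect(location, external_url=EXTERNAL_URL, expected_path=EXPECTED_PATH):
    """List the URL components of `location` that differ from the intended public
    URL (scheme, host, port, path); an empty list means the redirect is correct."""
    got, want = urlsplit(location), urlsplit(external_url)
    wrong = []
    if got.scheme != want.scheme:
        wrong.append("scheme")
    if got.hostname != want.hostname:
        wrong.append("host")
    if effective_port(got) != effective_port(want):
        wrong.append("port")
    if got.path != expected_path:
        wrong.append("path")
    return wrong


# Constructed sample response (headers as captured by wget -d in the thread).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n"
    "Location: http://rundeck:4440/user/login\r\nServer: Jetty(9.0.7.v20131107)\r\n\r\n"
)
# The three redirects reported in the thread, in the order they appeared.
THREAD_REDIRECTS = [
    "http://rundeck:4440/user/login",                      # Kong preserve_host=false
    "http://cat-sdts.metcarob-home.com:4443/user/login",   # RDECK_JVM not applied
    "https://cat-sdts.metcarob-home.com/rundeck/",         # with RDECK_JVM_SETTINGS
]

if __name__ == "__main__":
    print("captured Location:", location_from_response(SAMPLE_RESPONSE))
    for loc in THREAD_REDIRECTS:
        for component in check_redirect(loc) or ["ok"]:
            print(f"{loc}\n  {component}: {HINTS.get(component, 'redirect is correct')}")
```

Feed the Location value from a `curl -sI` or `wget -d` response into `check_redirect`; anything other than an empty list means the proxy or Rundeck is still emitting a redirect that exposes the backend address or drops TLS.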

jjethwa commented 5 years ago

That's awesome, @laubstein Thanks so much! :smiley: