jjethwa / rundeck

GNU General Public License v3.0

http to https redirect #59

Closed githubgrasshopper closed 7 years ago

githubgrasshopper commented 7 years ago

I opened an issue around Nov/Dec 2016 about this, and closed it eventually. I'm not able to find it anymore, so opening a new one. I'm also investigating from our side, but I'm hoping someone can also look at the issue here. Thanks!!

I have a Rundeck container running in Kubernetes, with SSL enabled. What's happening is when I enter the server URL, https://rundeck-iac....., https will switch to http, which results in a "The site can't be reached" error. The user will have to append https again (2x), before everything works and be able to use Rundeck.

This is the current set up in our Kubernetes cluster:

outside --> F5: uses HTTPS
F5 --> nginx: uses HTTP with X-Forwarded-Proto: HTTPS
nginx --> app service: uses HTTP with X-Forwarded-Proto: HTTP (this is the part where the Rundeck https to http redirect happens)

This week, X-Forwarded-Proto: https and X-Forwarded-Port: 443 have been set on the nginx --> app service. Upon validation, I am now able to log in and get into the menu page without having to append "https" twice. But after this change, Rundeck logs off and goes to the login page again, intermittently (about 75% most of the time). I can't figure out where the problem is. It appears that the scenario before the change is better than what's happening after the change.

/etc/rundeck/profile has this:

```sh
export RDECK_JVM="${RDECK_JVM} -Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
    -Dloginmodule.name=ldap \
    -Drdeck.config=/etc/rundeck \
    -Drdeck.base=/var/lib/rundeck \
    -Drundeck.server.configDir=/etc/rundeck \
    -Dserver.datastore.path=/var/lib/rundeck/data \
    -Drundeck.server.serverDir=/var/lib/rundeck \
    -Drdeck.projects=/var/rundeck/projects \
    -Drdeck.runlogs=/var/lib/rundeck/logs \
    -Drundeck.config.location=/etc/rundeck/rundeck-config.properties \
    -Drundeck.jetty.connector.forwarded=true \
    -Djava.io.tmpdir=$RUNDECK_TEMPDIR"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#

export RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT}"

export RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=/etc/rundeck/ssl/truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
```
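
The symptom described in the post above (an https request answered with an http redirect) can be confirmed by reading the Location headers of the redirect chain. The script below is an added example, not part of the original thread or the project's code; `find_downgrades` is a hypothetical helper name, and the host `rundeck.example.com`, the `/user/login` path and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: flag HTTPS -> HTTP downgrades in a redirect chain.
# stdin: response headers in the form `curl -sIL <url>` prints them.
# $1:    the URL that was requested first.
find_downgrades() {
    awk -v url="$1" '
        { sub(/\r$/, "") }              # header lines end in CRLF
        /^HTTP\// { hop++ }             # one status line per response
        tolower($1) == "location:" {
            target = $2
            # Only an absolute Location can change the scheme; a relative
            # one keeps the scheme of the URL that was just requested.
            if (tolower(target) ~ /^https?:\/\//) {
                if (tolower(url) ~ /^https:/ && tolower(target) ~ /^http:/) {
                    printf "DOWNGRADE at response %d: %s -> %s\n", hop, url, target
                    bad++
                }
                url = target
            }
        }
        END { exit (bad > 0) }          # status 1 when a downgrade was seen
    '
}

# Constructed samples (not captured from a real server).
sample_before() {   # the symptom from the post: https request, http redirect
    printf 'HTTP/1.1 302 Found\r\nLocation: http://rundeck.example.com/user/login\r\n\r\n'
}
sample_after() {    # redirect keeps https, then the login page is served
    printf 'HTTP/1.1 302 Found\r\nLocation: https://rundeck.example.com/user/login\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

sample_before | find_downgrades https://rundeck.example.com/ || echo "before: downgrade found"
sample_after  | find_downgrades https://rundeck.example.com/ && echo "after: chain stays on https"
```

Against a live instance, pipe real headers into the function: `curl -sIL https://HOST/ | find_downgrades https://HOST/`, where HOST is a placeholder for the externally visible name.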

jjethwa commented 7 years ago

Hi @elisalaborte

I don't think the issue was opened under this repo as there is no way to delete issues as far as I know. Hoping I can get you sorted though 😄

What version of Rundeck (or this container) are you using? If it's 2.6 or higher, make sure to update your Rundeck profile as there were quite a few changes.

Can you confirm the value of grails.serverURL in your rundeck-config.properties or .groovy? This should be the FQDN you use to access it, i.e. https://rundeck-iac/ from your example.

I have a much simpler setup HAProxy -> Rundeck. HAProxy terminates SSL and communicates with the Rundeck server over HTTP. I am using an intranet certificate, so I need to provide the intermediate cert.

HAProxy sets the following headers:

X-Forwarded-For
X-Forwarded-Proto

I have the following SSL related settings in my profile:

-Drundeck.jetty.connector.forwarded=true
-Djavax.net.ssl.trustStore=/PATH/TO/MY/CACERTS
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStorePassword=MY_CACERTS_PASSWORD
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

githubgrasshopper commented 7 years ago

@jjethwa Thanks! Yeah, I probably posted that issue/question on another site. I have 2.6.9-1. I'll look at the profile changes. And perhaps upgrade to the latest version in the future too (once I've fixed this https-http redirect). My grails.serverURL is https://rundeck-iac/.....

I'll look into doing what you did with your setup, and update this issue here.

githubgrasshopper commented 7 years ago

@jjethwa I apologize. There's no issue with Rundeck. My deployment in one Kubernetes cluster was using the same URL that I am also trying to use in the Rundeck instance that I'm trying to stand up in another K8s cluster (which was failing/intermittently logging off).

githubgrasshopper commented 7 years ago

Closing this now. Thanks!!

jjethwa commented 7 years ago

Glad to hear it's working, @elisalaborte 😄