Rundeck not working with Google Chrome browser and Nginx as a reverse proxy with HTTPS
Michael Zoet
I have a strange problem ;-):
My setup works fine whith Firefox to connect to rundeck with HTTP and HTTPS.
When I use Google Chrome without SSL/TLS everything works fine, too.
When I use Google Chrome with HTTPS the WebGUI is stuck on the login
page. In the service log I see that my login was successful.
My setup:
- Nginx as reverse proxy automatically redirecting HTTP to HTTPS
- Nginx reverse proxies the HTTPS request to http://localhost:4440
- AD authentication (but this shouldn't be the problem)
Is there any (good) documentation that explains how to tweak the Nginx
setup to get Rundeck working with Google Chrome and Nginx as a reverse
proxy? I found a lot of docs but they were either outdated or did not
work for me.
Here is my Nginx Vhost configuration:
=========================================
server {
listen *:80;
server_name rundecktest02.example.org;
root /var/www/;
return 301 https://$host$request_uri;
access_log present combined;
error_log present;
}
server {
listen *:443 ssl;
server_name rundecktest02.example.org;
ssl_certificate /etc/certs/rundecktest02.example.org.crt;
ssl_certificate_key /etc/certs/rundecktest02.example.org.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
index index.html index.htm index.php;
access_log present combined;
error_log present;
root /var/www/;
location / {
proxy_pass http://127.0.0.1:4440;
proxy_read_timeout 90s;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_redirect http://localhost:4440
https://rundecktest02.example.org;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}
}
=========================================
Reiner Acuña
server.useForwardHeaders=true
Michael Zoet
Hi Reiner,
thx for the info but it did not help so far. With server.useForwardHeaders=true I needed to change my Nginx config a little bit to get it working with Firefox. But still Chrome does not work with HTTPS.
When I look in the web console from Chrome I get an access to
https://rundecktest02.gvl.local/j_security_check
with the status canceled. I wonder what this means?
Michael Zoet
Hi again,
I found the answer to my problem at https://github.com/rundeck/rundeck/issues/4417
If someone comes to this by a search result, my working Nginx configuration looks like this now:
===========================================
server {
listen *:80;
server_name rundeck.example.org;
root /var/www/;
return 301 https://$host$request_uri;
access_log present combined;
error_log present;
}
server {
listen *:443 ssl;
server_name rundeck.example.org;
ssl_certificate /etc/certs/rundeck.example.org.crt;
ssl_certificate_key /etc/certs/rundeck.example.org.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
index index.html index.htm index.php;
access_log present combined;
error_log present;
root /var/www/;
location / {
proxy_pass http://127.0.0.1:4440;
proxy_read_timeout 90s;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_redirect http://localhost:4440 https://rundeck.example.org;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
===========================================
Most important is the line
proxy_set_header X-Forwarded-Proto $scheme;
And I also set
server.useForwardHeaders=true
in the rundeck-config.properties.
Michael
Reiner Acuña
Sent: Wednesday, June 26, 2019 5:18:26 AM
To: rundeck...@googlegroups.com
Subject: Re: [rundeck] Re: Rundeck not working with Google Chrome browser and Nginx as a reverse proxy with HTTPS
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To post to this group, send email to rundeck...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/20190626111826.Horde.c_Zf7YWkIN-SqRz0IaCaEw9%40server06.zoet.de.
For more options, visit https://groups.google.com/d/optout.