HTTP redirects not working with Munki

612 views
Skip to first unread message

treydock

unread,
Jul 22, 2011, 6:52:47 PM7/22/11
to munki-dev
I'm in the process of moving my Munki repo to a new server, and would
like to begin sending all current traffic to that new server, and
figured the simplest way would be to just redirect all traffic using
htaccess.

My current munki repo, for the sake of an example, exists at
http://macserver.com/repo/munki . Until my campus' DNS records
update, I'd like things to point to http://linuxserver.com/repo/munki.
Here's the .htaccess I placed at the root of my munki repo...

Redirect permanent / http://linuxserver.com/

In a browser I can go to http://macserver.com/repo/munki/manifests/testing
, and it correctly redirects me to the new server,
http://linuxserver.com/repo/munki/manifests/testing. However when
running Munki the redirect does not work. Here's the output from
managedsoftwareupdate --checkonly -vvvv

Manifest base URL is: http://macserver.com/repo/munki/manifests/
Manifest base URL is: http://macserver.com/repo/munki/manifests/
Getting manifest client_manifest...
Retreiving list of software for this machine...
ERROR: Could not retrieve manifest client_manifest from the server.
ERROR: HTTP result 301: Moved Permanently
ERROR: Could not retrieve managed install primary manifest.
No changes to managed software are available.

I additionally tried changing "permanent" to "301" in the .htaccess
but still get the same error from Munki.

Thanks
- Trey


Raúl

unread,
Jul 26, 2011, 11:04:05 AM7/26/11
to munki-dev
Trey,

I would recommend changing all your clients to use a service name for
the munki server. This can be achieve using DNS (BIND alias syntax
follows):

munki IN CNAME linuxserver.com

A service name allow you to change your munki web server by updating
DNS to use the new server without having to touch any clients. If you
use a redirect, then you will need to keep macserver.com and its
webserver running to do the redirects.

By using "munki" as the service name, you are leveraging the sane
default munki uses when it is first installed.

This doesn't address your redirect question, but I hope it was helpful
in solving your problem.

Raúl

On Jul 22, 6:52 pm, treydock <treyd...@gmail.com> wrote:
> I'm in the process of moving my Munki repo to a new server, and would
> like to begin sending all current traffic to that new server, and
> figured the simplest way would be to just redirect all traffic using
> htaccess.
>
> My current munki repo, for the sake of an example, exists athttp://macserver.com/repo/munki.  Until my campus' DNS records
> update, I'd like things to point tohttp://linuxserver.com/repo/munki.
> Here's the .htaccess I placed at the root of my munki repo...
>
> Redirect permanent /http://linuxserver.com/
>
> In a browser I can go tohttp://macserver.com/repo/munki/manifests/testing
> , and it correctly redirects me to the new server,http://linuxserver.com/repo/munki/manifests/testing.  However when

treydock

unread,
Jul 27, 2011, 8:05:20 AM7/27/11
to munki-dev
That's actually what I'm doing, and is an excellent suggestion. I
have a CNAME registered for my mac server that I will transfer to my
Linux server, but I was wanting to do it in stages and something
easily reversable as the DNS changes on my campus take 24 hours to go
into effect.

- Trey

Zajkowski, James

unread,
Jul 27, 2011, 5:53:13 PM7/27/11
to munk...@googlegroups.com
mod_rewrite!

Something like

RewriteEngine On
RewriteRule /(.^) http://other.ser.ver.com/$1 [R]

should work.

Raul Cuza

unread,
Jul 27, 2011, 8:43:02 AM7/27/11
to munk...@googlegroups.com
munki appears to use curl to gather some of its information [
http://tinyurl.com/munki-code-curl-search and
http://tinyurl.com/munki-dev-curl-search ] which would require the
-L/--location flag to follow redirects. I did not see this flag in my
quick skim of the code. Adding the ability to follow redirects would
allow munki to support more complicated apache configurations. Are
there additional complications munki would have to handle that it is
not already handling for non-redirect URL's? If there are, that might
make this feature more difficult to implement.

Greg Neagle

unread,
Jul 27, 2011, 9:38:45 PM7/27/11
to munk...@googlegroups.com
I actually don't know all the possible consequences of turning on redirect following.

Are there security implications?

Is anyone opposed to adding this?

Sent from my iPhone

Josh Malone

unread,
Jul 28, 2011, 10:13:08 PM7/28/11
to munk...@googlegroups.com
Seems to me that it would be safe. As always (imho), if you are concerned about security with munki, use SSL and get a valid, signed cert. They're only about $100/yr and munki handles them beautifully. It even works with my company's wildcard certs issued by godaddy.

-Josh

Rob Middleton

unread,
Jul 27, 2011, 9:50:52 PM7/27/11
to munk...@googlegroups.com
I'm not comfortable with it.

What happens when a user's computer is at an Internet cafe with captive
portal. They will normally 302 redirect all HTTP requests to its login
page. We don't really want to be downloading that when expecting a
plist/pkg.

Rob.

Reply all
Reply to author
Forward
0 new messages